TEMP-1138794-BADE22

NameTEMP-1138794-BADE22
DescriptionHTTP/2 Bomb denial of service
SourceAutomatically generated temporary name. Not for external reference.
Debian Bugs1138794

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)bullseye1.18.0-6.1+deb11u3vulnerable
bullseye (security)1.18.0-6.1+deb11u8vulnerable
bookworm, bookworm (security)1.22.1-9+deb12u9fixed
trixie (security), trixie1.26.3-3+deb13u7fixed
forky, sid1.30.1-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcebookworm1.22.1-9+deb12u8
nginxsourcetrixie1.26.3-3+deb13u6
nginxsource(unstable)1.30.0-21138794

Notes

https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2 (release-1.29.8)

Search for package or bug name: Reporting problems