Date: Wed, 23 Dec 2015 17:59:17 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Use after free in nghttp2

https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/

Quote from release announcement:
"This release fixes heap-use-after-free bug in idle stream handling code. We strongly recommend to upgrade the older installation to this latest version as soon as possible."

Given nghttp2 is used for many (most?) http2 deployments and these become more and more common I think this is rather serious.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42