Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 23 Dec 2015 17:59:17 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Use after free in nghttp2

https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/

Quote from release announcement:
"This release fixes heap-use-after-free bug in idle stream handling
code. We strongly recommend to upgrade the older installation to this
latest version as soon as possible."

Given nghttp2 is used for many (most?) http2 deployments and these
become more and more common I think this is rather serious.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ