Date: Wed, 18 Oct 2023 16:10:50 -0700
From: Alan Coopersmith <>
Subject: Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against
 many implementations

On 10/10/23 11:40, Alan Coopersmith wrote:
> Information I've found so far on open source implementations (most via the
> current listings in the CVE) include:

Some more updates since last week:

> - Apache httpd:

The discussion in makes the
situation a little murkier.

- contour:

- grpc-go:

> - haproxy:

- http2 [Haskell]:


- kubernetes:

- linkerd:

> - netty:

- varnish

Also, points out that the
Rust h2 crate seems to have announced a very similar issue under a
different CVE id back in April:

and a followup post notes further similarities to Netflix's CVE-2019-9514
“Reset Flood” from
except in that case the RST_STREAM seem to have been sent from the server,
not the client side.

         -Alan Coopersmith-       
          Oracle Solaris Engineering -
