poky/meta/recipes-support
Yogita Urade 1cae56f216 nghttp2: fix CVE-2023-35945
Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
version(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945
https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r

(From OE-Core rev: 0e6eb0f417079eaf76b003973c9d93338e6363b5)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2023-08-30 04:46:36 -10:00