CVE-2018-1000168

Name	CVE-2018-1000168
Description	nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2786-1
Debian Bugs	895566

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
nghttp2 (PTS)	jessie, jessie (lts)	0.6.4-2+deb8u1	fixed
	stretch (security)	1.18.1-1+deb9u2	fixed
	stretch (lts), stretch	1.18.1-1+deb9u4	fixed
	buster (security), buster, buster (lts)	1.36.0-2+deb10u3	fixed
	bullseye	1.43.0-1+deb11u1	fixed
	bullseye (security)	1.43.0-1+deb11u2	fixed
	bookworm (security), bookworm	1.52.0-1+deb12u1	fixed
	sid, trixie	1.64.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
nghttp2	source	jessie	(not affected)
nghttp2	source	stretch	1.18.1-1+deb9u2		DLA-2786-1
nghttp2	source	(unstable)	1.31.1-1	low		895566

Notes

[jessie] - nghttp2 <not-affected> (Issue introduced in 1.10.0)
Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
Fixed by: https://github.com/nghttp2/nghttp2/commit/b1bd6035e884b3d83748914a3b5f2a8e52a78a2f
https://www.openwall.com/lists/oss-security/2018/04/12/4