CVE-2019-9515

NameCVE-2019-9515
DescriptionSome HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4508-1, DSA-4520-1
Debian Bugs934886, 934887

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
h2o (PTS)buster (security), buster, buster (lts)2.2.5+dfsg2-2+deb10u2fixed
bullseye2.2.5+dfsg2-6fixed
bookworm2.2.5+dfsg2-7fixed
sid, trixie2.2.5+dfsg2-9fixed
trafficserver (PTS)buster (security), buster, buster (lts)8.1.7-0+deb10u4fixed
bullseye8.1.10+ds-1~deb11u1fixed
bullseye (security)8.1.11+ds-0+deb11u1fixed
bookworm (security), bookworm9.2.5+ds-0+deb12u1fixed
sid9.2.5+ds-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
h2osourcebuster2.2.5+dfsg2-2+deb10u1DSA-4508-1
h2osource(unstable)2.2.5+dfsg2-3934886
trafficserversourcewheezy(unfixed)end-of-life
trafficserversourcebuster8.0.2+ds-1+deb10u1DSA-4520-1
trafficserversource(unstable)8.0.5+ds-1934887

Notes

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://raw.githubusercontent.com/apache/trafficserver/8.0.x/CHANGELOG-8.0.4
https://github.com/h2o/h2o/issues/2090
https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f

Search for package or bug name: Reporting problems