CVE-2023-44487 impact: Difference between revisions

From Yocto Project
Jump to navigationJump to search
m (Formatting fix)
m (Upate backpiort state)
 
(9 intermediate revisions by the same user not shown)
Line 7: Line 7:
* go
* go


Status: Affected, confirmed
Status: Fixed (master)


Master version: 1.20.10 (fixed, commit 262d5386c6293dbd6b9c677fbb7ed7431651db5)
Master version: 1.20.10 (fixed, commit 262d5386c6293dbd6b9c677fbb7ed7431651db5)
Line 13: Line 13:
Nanbield version: Under analysis
Nanbield version: Under analysis


Kirkstone version: Under analysis
Kirkstone version: 1.17.x, need backport


Dunfell version: Under analysis
Dunfell version: Under analysis


Sources: https://go.dev/doc/devel/release#go1.20
Sources: https://go.dev/doc/devel/release#go1.20
* lighthttpd
Status: not affected
Sources: https://redmine.lighttpd.net/boards/2/topics/11188


* nghttpd2
* nghttpd2


Status: Affected
Status: Fixed (master)


Master version: 1.57.0 (fixed commit c24b75f027f2609dac935e8981f2eb58394b1cc6)
Master version: 1.57.0 (fixed commit c24b75f027f2609dac935e8981f2eb58394b1cc6)
Line 27: Line 33:
Nanbield version: Under analysis
Nanbield version: Under analysis


Kirkstone version: Under analysis
Kirkstone version: 1.47, need backport


Dunfell version: Under analysis
Dunfell version: Under analysis
Line 59: Line 65:
Status: Affected, via a dependency on nghttpd2
Status: Affected, via a dependency on nghttpd2


Master version: 20.5.1, pull request pending but not release with a fix
Master version: 20.5.1, need update to 20.8.1, patch pending https://lists.openembedded.org/g/openembedded-devel/message/105567


Nanbield version: Under analysis
Nanbield version: 20.5.1, need update to 20.8.1


Kirkstone version: Under analysis
Kirkstone version: Under analysis
Line 67: Line 73:
Dunfell version: Under analysis
Dunfell version: Under analysis


Sources: https://github.com/nodejs/node/pull/50121
Sources: https://github.com/nodejs/node/pull/50121 and https://github.com/nodejs/node/releases
 
== meta-java ==
 
* tomcat
 
- Includes tomcat 5.5.26 which is outdated. No more analysis

Latest revision as of 12:31, 20 October 2023

(WIP) CVE-2023-44487 (HTTP2 RapidReset issue)

This is a synchronization wiki page to coordinate work on CVE-2023-44487 (known as HTTP/2 Rapid Reset issue) impact in the Yocto Project. When you have new information, do not hesitate to update/add to this page.

OE-core

  • go

Status: Fixed (master)

Master version: 1.20.10 (fixed, commit 262d5386c6293dbd6b9c677fbb7ed7431651db5)

Nanbield version: Under analysis

Kirkstone version: 1.17.x, need backport

Dunfell version: Under analysis

Sources: https://go.dev/doc/devel/release#go1.20

  • lighthttpd

Status: not affected

Sources: https://redmine.lighttpd.net/boards/2/topics/11188

  • nghttpd2

Status: Fixed (master)

Master version: 1.57.0 (fixed commit c24b75f027f2609dac935e8981f2eb58394b1cc6)

Nanbield version: Under analysis

Kirkstone version: 1.47, need backport

Dunfell version: Under analysis

Sources: https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0

meta-openembedded

  • apache2

Status: Not affected

Sources: https://chaos.social/@icing/111210915918780532

  • ngnix

Status: Likely not affected, configuration check needed. We MIGHT want to include the hardening patch

Master version: Under analysis

Nanbield version: Under analysis

Kirkstone version: Under analysis

Dunfell version: Under analysis

Sources: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ and https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html

  • nodejs

Status: Affected, via a dependency on nghttpd2

Master version: 20.5.1, need update to 20.8.1, patch pending https://lists.openembedded.org/g/openembedded-devel/message/105567

Nanbield version: 20.5.1, need update to 20.8.1

Kirkstone version: Under analysis

Dunfell version: Under analysis

Sources: https://github.com/nodejs/node/pull/50121 and https://github.com/nodejs/node/releases

meta-java

  • tomcat

- Includes tomcat 5.5.26 which is outdated. No more analysis