CVE-2023-44487 impact: Difference between revisions
m (Update status of go) |
(Update status for nghttpd2) |
||
Line 23: | Line 23: | ||
Status: Affected | Status: Affected | ||
Master version: 1.56.0 (affected), upgrade needed to 1.57.0 | Master version: 1.56.0 (affected), upgrade needed to 1.57.0 by Alexandre K. Proposal on the ML https://lists.openembedded.org/g/openembedded-core/message/188968 | ||
Nanbield version: Under analysis | Nanbield version: Under analysis |
Revision as of 17:55, 12 October 2023
(WIP) CVE-2023-44487 (HTTP2 RapidReset issue)
This is a synchronization wiki page to coordinate work on CVE-2023-44487 (known as HTTP/2 Rapid Reset issue) impact in the Yocto Project. When you have new information, do not hesitate to update/add to this page.
OE-core
- go
Status: Affected, confirmed
Master version: 1.20.7 (affected), update needed to 1.20.10 by Jose Quaresma. Proposal on the ML https://lists.openembedded.org/g/openembedded-core/message/188955
Nanbield version: Under analysis
Kirkstone version: Under analysis
Dunfell version: Under analysis
Sources: https://go.dev/doc/devel/release#go1.20
- nghttpd2
Status: Affected
Master version: 1.56.0 (affected), upgrade needed to 1.57.0 by Alexandre K. Proposal on the ML https://lists.openembedded.org/g/openembedded-core/message/188968
Nanbield version: Under analysis
Kirkstone version: Under analysis
Dunfell version: Under analysis
Sources: https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
meta-openembedded
- apache2
Status: Not affected
Sources: https://chaos.social/@icing/111210915918780532
- ngnix
Status: Likely not affected, configuration check needed. We MIGHT want to include the hardening patch
Master version: Under analysis
Nanbield version: Under analysis
Kirkstone version: Under analysis
Dunfell version: Under analysis
Sources: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ and https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- nodejs
Status: Affected, via a dependency on nghttpd2
Master version: 20.5.1, pull request pending but not release with a fix
Nanbield version: Under analysis
Kirkstone version: Under analysis
Dunfell version: Under analysis