CVE-2023-44487 impact

From Yocto Project
Revision as of 13:16, 11 October 2023 by Marta Rybczynska (talk | contribs) (Add nodejs)
Jump to navigationJump to search

(WIP) CVE-2023-44487 (HTTP2 RapidReset issue)

This is a synchronization wiki page to coordinate work on CVE-2023-44487 (known as HTTP/2 Rapid Reset issue) impact in the Yocto Project. When you have new information, do not hesitate to update/add to this page.

OE-core

  • go

Status: Affected, confirmed

Master version: 1.20.7 (affected), update needed to 1.20.10 by Jose Quaresma

Nanbield version: Under analysis

Kirkstone version: Under analysis

Dunfell version: Under analysis

Sources: https://go.dev/doc/devel/release#go1.20

  • nghttpd2

Status: Affected

Master version: 1.56.0 (affected), upgrade needed to 1.57.0 or backport

Nanbield version: Under analysis

Kirkstone version: Under analysis

Dunfell version: Under analysis

Sources: https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0

meta-openembedded

  • nodejs

Status: Affected, via a dependency on nghttpd2

Master version: 20.5.1, pull request pending but not release with a fix

Nanbield version: Under analysis

Kirkstone version: Under analysis

Dunfell version: Under analysis

Sources: https://github.com/nodejs/node/pull/50121

Retrieved from "https://wiki.yoctoproject.org/wiki/index.php?title=CVE-2023-44487_impact&oldid=85966"