Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

See the

CVE page on Mitre.org for more details.

References

CERT-VN: VU#605641
MISC: https://github.com/Net...
MLIST: [trafficserver-announc...
MLIST: [trafficserver-dev] 20...
MLIST: [trafficserver-users] ...
BUGTRAQ: 20190814 APPLE-SA-2019...
FULLDISC: 20190816 APPLE-SA-2019...
CONFIRM: https://www.synology.c...
CONFIRM: https://support.f5.com...
CONFIRM: https://security.netap...
FEDORA: FEDORA-2019-5a6a7bc12c
FEDORA: FEDORA-2019-6a2980de56
BUGTRAQ: 20190825 [SECURITY] [D...
DEBIAN: DSA-4508
BUGTRAQ: 20190910 [SECURITY] [D...
CONFIRM: https://kc.mcafee.com/...
DEBIAN: DSA-4520
SUSE: openSUSE-SU-2019:2114
SUSE: openSUSE-SU-2019:2115
REDHAT: RHSA-2019:2766
REDHAT: RHSA-2019:2796
REDHAT: RHSA-2019:2861
REDHAT: RHSA-2019:2925
REDHAT: RHSA-2019:2939
REDHAT: RHSA-2019:2955
CONFIRM: https://support.f5.com...
REDHAT: RHSA-2019:3892
REDHAT: RHSA-2019:4018
REDHAT: RHSA-2019:4019
REDHAT: RHSA-2019:4020
REDHAT: RHSA-2019:4021
REDHAT: RHSA-2019:4040
REDHAT: RHSA-2019:4041
REDHAT: RHSA-2019:4042
REDHAT: RHSA-2019:4045
REDHAT: RHSA-2019:4352
REDHAT: RHSA-2020:0727
UBUNTU: USN-4308-1

Launchpad.net

CVE 2019-9515

Related bugs

References