Search CVE reports
1 – 10 of 22 results
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling....
2 affected packages
h2o, dnsdist
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| dnsdist | Not affected | Needs evaluation | Not affected | Not affected | Not affected |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving static files, h2o builds the...
2 affected packages
h2o, dnsdist
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| dnsdist | Not affected | Needs evaluation | Not affected | Not affected | Not affected |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over...
2 affected packages
h2o, dnsdist
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| dnsdist | Not affected | Needs evaluation | Not affected | Not affected | Not affected |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate...
2 affected packages
h2o, dnsdist
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| dnsdist | Not affected | Needs evaluation | Not affected | Not affected | Not affected |
Some fixes available 2 of 24
A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to...
5 affected packages
lighttpd, varnish, dnsdist, h2o, haproxy
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| lighttpd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| varnish | Not affected | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| dnsdist | Not affected | Fixed | Not affected | Not affected | Not affected |
| h2o | Not in release | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| haproxy | Not affected | Not affected | Not affected | Not affected | Not affected |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h2o might crash due to an assertion failure. The crash can be exploited...
1 affected package
h2o
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Ignored | Needs evaluation |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used,...
1 affected package
h2o
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Ignored | Needs evaluation |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allows users to modify the response headers being sent by h2o. The configuration file of h2o has...
1 affected package
h2o
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Ignored | Needs evaluation |
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by...
1 affected package
h2o
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| h2o | Not in release | Needs evaluation | Needs evaluation | Ignored | Ignored |
Some fixes available 33 of 46
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
14 affected packages
dnsdist, dotnet6, dotnet7, dotnet8, h2o...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| dnsdist | Not affected | Not affected | Fixed | Not affected | Not affected |
| dotnet6 | Not in release | Not in release | Fixed | Not in release | Not in release |
| dotnet7 | Not in release | Not in release | Fixed | Not in release | Not in release |
| dotnet8 | Not in release | Fixed | Not affected | Not in release | Not in release |
| h2o | Not in release | Not affected | Fixed | Fixed | Fixed |
| haproxy | Not affected | Not affected | Not affected | Not affected | Fixed |
| netty | Not affected | Not affected | Fixed | Fixed | Not affected |
| nghttp2 | Not affected | Not affected | Fixed | Fixed | Fixed |
| nginx | Not affected | Not affected | Not affected | Not affected | Not affected |
| nodejs | Not affected | Not affected | Fixed | Fixed | Fixed |
| tomcat10 | Not affected | Not affected | Not in release | Not in release | Ignored |
| tomcat8 | Not in release | Not in release | Not in release | Not in release | Fixed |
| tomcat9 | Not affected | Not affected | Fixed | Fixed | Fixed |
| trafficserver | Not in release | Not affected | Fixed | Fixed | Not affected |