Hello community,

here is the log from the commit of package nghttp2 for openSUSE:Factory checked in at 2023-07-24 18:12:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nghttp2 (Old)
 and      /work/SRC/openSUSE:Factory/.nghttp2.new.1467 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nghttp2" Mon Jul 24 18:12:02 2023 rev:74 rq:1099190 version:1.55.1 Changes: -------- --- /work/SRC/openSUSE:Factory/nghttp2/nghttp2.changes 2023-06-22 23:24:53.277675851 +0200 +++ /work/SRC/openSUSE:Factory/.nghttp2.new.1467/nghttp2.changes 2023-07-24 18:12:19.337337032 +0200 
@@ -1,0 +2,41 @@ +Sat Jul 15 15:11:52 UTC 2023 - Dirk Müller <dmuel...@suse.com> + +- update to 1.55.1: + * Fix memory leak + This commit fixes memory leak that happens when + PUSH_PROMISE or HEADERS frame cannot be sent, and + nghttp2_on_stream_close_callback fails with a fatal error. + For example, if GOAWAY frame has been received, a + HEADERS frame that opens new stream cannot be sent. + This issue has already been made public via CVE-2023-35945 + by envoyproxy/envoy project. During embargo period, the + patch to fix this bug was accidentally submitted to + nghttp2/nghttp2 repository [2]. And they decided to + disclose CVE early. I was notified just 1.5 hours + before disclosure. I had no time to respond. + PoC described in [1] is quite simple, but I think it is + not enough to trigger this bug. While it is true that + receiving GOAWAY prevents a client from opening new stream, + and nghttp2 enters error handling branch, in order to cause + the memory leak, nghttp2_session_close_stream function + must return a fatal error. + NGHTTP2_ERR_NOMEM, as its name suggests, indicates out of + memory. It is unlikely that a process gets short of + memory with this simple PoC scenario unless application + does something memory heavy processing. + * NGHTTP2_ERR_CALLBACK_FAILURE is returned from application + defined callback function (nghttp2_on_stream_close_callback, in + this case), which indicates something fatal happened inside a + callback, and a connection must be closed immediately without + any further action. As nghttp2_on_stream_close_error_callback + documentation says, any error code other than 0 or + NGHTTP2_ERR_CALLBACK_FAILURE is treated as fatal + error code. More specifically, it is treated as if + NGHTTP2_ERR_CALLBACK_FAILURE is returned. I guess that + envoy returns + NGHTTP2_ERR_CALLBACK_FAILURE or other error code which is + translated into NGHTTP2_ERR_CALLBACK_FAILURE. 
+ https://github.com/envoyproxy/envoy/security/advisories/GHSA- + jfxv-29pc-x22r + +------------------------------------------------------------------- Old: ---- nghttp2-1.54.0.tar.xz New: ---- nghttp2-1.55.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nghttp2.spec ++++++ --- /var/tmp/diff_new_pack.7VIC3f/_old 2023-07-24 18:12:20.921346354 +0200 +++ /var/tmp/diff_new_pack.7VIC3f/_new 2023-07-24 18:12:20.925346378 +0200 @@ -22,7 +22,7 @@ %global sover_asio 1 %global flavor @BUILD_FLAVOR@%{nil} Name: nghttp2 -Version: 1.54.0 +Version: 1.55.1 Release: 0 Summary: Implementation of Hypertext Transfer Protocol version 2 in C License: MIT ++++++ nghttp2-1.54.0.tar.xz -> nghttp2-1.55.1.tar.xz ++++++ ++++ 5891 lines of diff (skipped)
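Review bot: In the nghttp2.changes hunk, the entry cites [1] and [2], but the only link given carries no marker and is wrapped in the middle of the advisory id ("GHSA-" on one line, "jfxv-29pc-x22r" on the next), so neither reference resolves as written. Put the advisory URL on a single line labelled [1], and either add the target for [2] or drop that citation. The text is also pasted in the upstream author's first person ("I was notified just 1.5 hours before disclosure"), which in a distribution changelog reads as the packager's own statement; trimming it to the fix summary with CVE-2023-35945 on the entry line would make the security fix easier to find. The second "*" bullet continues the same explanation ("in this case") and should sit under the first item rather than appear as a separate change. The hunk also names both nghttp2_on_stream_close_callback and nghttp2_on_stream_close_error_callback; the second spelling is worth checking against the library header before it goes into the changelog.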
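Review bot: The Version line in the nghttp2.spec hunk moves from 1.54.0 to 1.55.1, while the changes entry documents only the 1.55.1 memory-leak fix. With 5891 lines of tarball diff skipped, a reader of this mail cannot tell what else came in with the bump. If releases between those two versions are included, list their changes in the entry as well, so the security fix is not the only documented delta.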