Your message dated Sun, 29 Mar 2026 16:50:36 +0200
with message-id <[email protected]>
and subject line Re: Accepted nghttp2 1.68.1-1 (source) into unstable
has caused the Debian Bug report #1131369,
regarding nghttp2: CVE-2026-27135
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1131369: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131369
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nghttp2
Version: 1.68.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nghttp2.

CVE-2026-27135[0]:
| nghttp2 is an implementation of the Hypertext Transfer Protocol
| version 2 in C. Prior to version 1.68.1, the nghttp2 library stops
| reading the incoming data when the user-facing public API
| `nghttp2_session_terminate_session` or
| `nghttp2_session_terminate_session2` is called by the application.
| They might be called internally by the library when it detects the
| situation that is subject to connection error. Due to the missing
| internal state validation, the library keeps reading the rest of the
| data after one of those APIs is called. Then receiving a malformed
| frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2
| v1.68.1 adds missing state validation to avoid assertion failure. No
| known workarounds are available.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27135
    https://www.cve.org/CVERecord?id=CVE-2026-27135
[1] https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6
[2] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
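The failure mode described in the CVE text above, as an added illustration that is not nghttp2's code: a hypothetical minimal session model in which the frame parser keeps consuming input after the session has been terminated, so a second oversized frame reaches an invariant check, beside the fixed variant that validates session state first. The names (`session_recv`, `raise_frame_size_error`) and the once-per-session invariant are assumptions made for the example.

```c
/* Hypothetical simplified model of the bug class behind CVE-2026-27135.
 * Not nghttp2's code: it shows why input must be dropped once terminated. */
#include <stdint.h>

#define SETTINGS_MAX_FRAME_SIZE 16384u  /* RFC 7540 default max frame size */
enum session_state { SESSION_OPEN, SESSION_TERMINATED };
enum recv_result {
    RECV_OK = 0,
    RECV_DROPPED,           /* fixed behaviour: input after termination ignored */
    RECV_FRAME_SIZE_ERROR,  /* connection error raised, session terminated */
    RECV_ASSERT_FAILURE     /* stands in for an abort()ing assert() in library code */
};
struct session {
    enum session_state state;
    uint32_t max_frame_size;
    int validate_state_on_recv;  /* 0 = pre-1.68.1 behaviour, 1 = with the fix */
};

/* 24-bit big-endian payload length from a 9-byte HTTP/2 frame header. */
static uint32_t frame_payload_len(const uint8_t hdr[9]) {
    return ((uint32_t)hdr[0] << 16) | ((uint32_t)hdr[1] << 8) | hdr[2];
}

/* Connection-error path. Its (hypothetical) invariant is that it runs at
 * most once per session; reaching it again models the assertion failure. */
static enum recv_result raise_frame_size_error(struct session *s) {
    if (s->state != SESSION_OPEN)
        return RECV_ASSERT_FAILURE;
    s->state = SESSION_TERMINATED;  /* what terminate_session() does */
    return RECV_FRAME_SIZE_ERROR;
}
static enum recv_result session_recv(struct session *s, const uint8_t hdr[9]) {
    /* The fix: check session state before consuming any further input. */
    if (s->validate_state_on_recv && s->state != SESSION_OPEN)
        return RECV_DROPPED;
    if (frame_payload_len(hdr) > s->max_frame_size)
        return raise_frame_size_error(s);
    return RECV_OK;
}

/* Feed two oversized frames to a fresh session; return the second result. */
static enum recv_result second_oversized_frame(int fixed) {
    struct session s = { SESSION_OPEN, SETTINGS_MAX_FRAME_SIZE, fixed };
    /* Constructed header: length 0x010000 (65536) > 16384, DATA, stream 1. */
    const uint8_t bad[9] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0, 0, 0, 1 };
    session_recv(&s, bad);          /* first: FRAME_SIZE_ERROR, terminates */
    return session_recv(&s, bad);   /* second: assert (old) or dropped (new) */
}
```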
--- Begin Message ---
Source: nghttp2
Source-Version: 1.68.1-1

On Sun, Mar 29, 2026 at 11:19:10AM +0000, Debian FTP Masters wrote:
> Format: 1.8
> Date: Sun, 29 Mar 2026 12:59:35 +0200
> Source: nghttp2
> Architecture: source
> Version: 1.68.1-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Tomasz Buchert <[email protected]>
> Changed-By: Tomasz Buchert <[email protected]>
> Changes:
>  nghttp2 (1.68.1-1) unstable; urgency=medium
>  .
>    * Addresses #1131369 for unstable (CVE-2026-27135)

--- End Message ---
