Source: h2o
Version: 2.2.5+dfsg2-8
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for h2o.

CVE-2023-41337[0]:
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3.
| In version 2.3.0-beta2 and prior, when h2o is configured to listen
| to multiple addresses or ports with each of them using different
| backend servers managed by multiple entities, a malicious backend
| entity that also has the opportunity to observe or inject packets
| exchanged between the client and h2o may misdirect HTTPS requests
| going to other backends and observe the contents of that HTTPS
| request being sent. The attack involves a victim client trying to
| resume a TLS connection and an attacker redirecting the packets to a
| different address or port than that intended by the client. The
| attacker must already have been configured by the administrator of
| h2o to act as a backend to one of the addresses or ports that the
| h2o instance listens to. Session IDs and tickets generated by h2o
| are not bound to information specific to the server address, port,
| or the X.509 certificate, and therefore it is possible for an
| attacker to force the victim connection to wrongfully resume against
| a different server address or port on which the same h2o instance is
| listening. Once a TLS session is misdirected to resume to a server
| address / port that is configured to use an attacker-controlled
| server as the backend, depending on the configuration, HTTPS
| requests from the victim client may be forwarded to the attacker's
| server. An H2O instance is vulnerable to this attack only if the
| instance is configured to listen to different addresses or ports
| using the listen directive at the host level and the instance is
| configured to connect to backend servers managed by multiple
| entities. A patch is available at commit
| 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may
| stop using host-level listen directives in favor of global-level
| ones.
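To make the affected configuration pattern and the advisory's workaround concrete, here is an added illustration in h2o's YAML configuration format. It is not from the bug report or from the h2o project; the hostnames, ports, certificate paths and backend URLs are constructed placeholders, and the configuration keys (`listen`, `hosts`, `paths`, `proxy.reverse.url`) are used as documented by h2o.

```yaml
# Added example, not part of the bug report. Hostnames, ports, certificate
# paths and backend URLs are constructed placeholders.
#
# First document: the pattern the advisory describes as affected. Each host
# carries its own host-level "listen" on a distinct port and proxies to a
# backend run by a different entity, so a resumed TLS session that is
# misdirected to the other port ends up at the other entity's backend.
hosts:
  "app-a.example":
    listen:
      port: 443
      ssl:
        certificate-file: /etc/h2o/app-a.crt
        key-file: /etc/h2o/app-a.key
    paths:
      "/":
        proxy.reverse.url: "http://backend-a.internal:8080/"
  "app-b.example":
    listen:
      port: 8443
      ssl:
        certificate-file: /etc/h2o/app-b.crt
        key-file: /etc/h2o/app-b.key
    paths:
      "/":
        proxy.reverse.url: "http://backend-b.internal:8080/"
---
# Second document: the advisory's workaround for unpatched builds. A single
# global-level "listen" is shared by all hosts, which are then selected by
# the requested host name rather than by a per-host address/port pair, so
# there is no second host-level listener for a resumed session to be
# misdirected onto.
listen:
  port: 443
  ssl:
    certificate-file: /etc/h2o/default.crt
    key-file: /etc/h2o/default.key
hosts:
  "app-a.example":
    paths:
      "/":
        proxy.reverse.url: "http://backend-a.internal:8080/"
  "app-b.example":
    paths:
      "/":
        proxy.reverse.url: "http://backend-b.internal:8080/"
```

When auditing an h2o deployment for this issue, the two conditions from the advisory to check together are a `listen` directive nested under an entry in `hosts` (as in the first document) and backends under `proxy.reverse.url` that are operated by more than one party; a configuration with only the global `listen` form, or with a single backend operator, is outside the condition the advisory states. The workaround is a stopgap; the upstream fix is the referenced commit.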
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41337
    https://www.cve.org/CVERecord?id=CVE-2023-41337
[1] https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q
[2] https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab

Please adjust the affected versions in the BTS as needed. If I followed
the code correctly then this one is as well present in the older versions
as present in unstable and older, but please double check.

Regards,
Salvatore