Source: httpcomponents-core5
Version: 5.4.2-1.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for httpcomponents-core5.

CVE-2026-54428[0]:
| Allocation of resources without limits or throttling in the HTTP/2
| HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier,
| 5.5-beta1 and earlier) allows an remote attacker to cause a denial
| of service through memory exhaustion by sending oversized compressed
| header blocks before the HTTP/2 SETTINGS acknowledgement causes the
| configured header list size limit to be applied.


CVE-2026-54399[1]:
| Uncontrolled Resource Consumption vulnerability in the HTTP/1.1
| message parser in Apache HttpComponents Core (5.4.2 and earlier,
| 5.5-beta1 and earlier) allows an remote attacker to cause a denial
| of service through memory exhaustion by sending messages with
| excessive number of headers / excessive header length


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54428
    https://www.cve.org/CVERecord?id=CVE-2026-54428
[1] https://security-tracker.debian.org/tracker/CVE-2026-54399
    https://www.cve.org/CVERecord?id=CVE-2026-54399

Regards,
Salvatore
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.

Reply via email to