Source: httpcomponents-core5 Version: 5.4.2-1.1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for httpcomponents-core5. CVE-2026-54428[0]: | Allocation of resources without limits or throttling in the HTTP/2 | HPACK decoder in Apache HttpComponents Core (5.4.2 and earlier, | 5.5-beta1 and earlier) allows an remote attacker to cause a denial | of service through memory exhaustion by sending oversized compressed | header blocks before the HTTP/2 SETTINGS acknowledgement causes the | configured header list size limit to be applied. CVE-2026-54399[1]: | Uncontrolled Resource Consumption vulnerability in the HTTP/1.1 | message parser in Apache HttpComponents Core (5.4.2 and earlier, | 5.5-beta1 and earlier) allows an remote attacker to cause a denial | of service through memory exhaustion by sending messages with | excessive number of headers / excessive header length If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-54428 https://www.cve.org/CVERecord?id=CVE-2026-54428 [1] https://security-tracker.debian.org/tracker/CVE-2026-54399 https://www.cve.org/CVERecord?id=CVE-2026-54399 Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
