CVE-2019-9517

Name
CVE-2019-9517
Description
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://kb.cert.org/vuls/id/605641/
Third Party Advisory https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Issue Tracking https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@%3Cannounce.httpd.apache.org%3E
Issue Tracking https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
Mailing List http://www.openwall.com/lists/oss-security/2019/08/15/7
Issue Tracking https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@%3Cdev.httpd.apache.org%3E
Issue Tracking https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@%3Cdev.httpd.apache.org%3E
Third Party Advisory https://www.synology.com/security/advisory/Synology_SA_19_33
Third Party Advisory https://support.f5.com/csp/article/K02591030
Third Party Advisory https://security.netapp.com/advisory/ntap-20190823-0005/
Third Party Advisory https://security.netapp.com/advisory/ntap-20190823-0003/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
Third Party Advisory https://www.debian.org/security/2019/dsa-4509
Mailing List https://seclists.org/bugtraq/2019/Aug/47
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
Third Party Advisory https://usn.ubuntu.com/4113-1/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20190905-0003/
Third Party Advisory https://security.gentoo.org/glsa/201909-04
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
Third Party Advisory https://kc.mcafee.com/corporate/index?page=content&id=SB10296
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2893
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2925
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2939
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2946
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2950
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2949
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2955
Third Party Advisory https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS
Patch https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3935
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3933
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3932
Mailing List https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
Mailing List https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
Third Party Advisory https://www.oracle.com/security-alerts/cpuapr2020.html
MLIST https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
MLIST https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E

Match rules

CPE URI Source package Min version Max version

Vulnerable and fixed packages

Source package Branch Version Maintainer Status