Search for packages
| purl | pkg:deb/debian/h2o@2.2.5%2Bdfsg2-2%2Bdeb10u1 |
| Next non-vulnerable version | 2.2.5+dfsg2-6 |
| Latest non-vulnerable version | 2.2.5+dfsg2-6 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-aqt5-2ffy-9bgs
Aliases: CVE-2019-9515 |
HTTP/2: flood using SETTINGS frames results in unbounded memory growth |
Affected by 0 other vulnerabilities. |
|
VCID-hbte-dsw2-y7ad
Aliases: CVE-2019-9512 GHSA-hgr8-6h9x-f7q9 |
golang.org/x/net/http vulnerable to ping floods Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. ### Specific Go Packages Affected golang.org/x/net/http2 |
Affected by 0 other vulnerabilities. |
|
VCID-n66u-b73u-zucb
Aliases: CVE-2019-9514 GHSA-39qc-96h7-956f |
golang.org/x/net/http vulnerable to a reset flood Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. ### Specific Go Packages Affected golang.org/x/net/http2 |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||