FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- multiple HTTP/2 vulnerabilities

Affected packages
h2o-devel < 2.3.0.b2

Details

VuXML ID 72a5579e-c765-11e9-8052-0028f8d09152
Discovery 2019-08-13
Entry 2019-08-25

Jonathan Looney of Netflix reports:

HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:

References

CVE Name CVE-2019-9512
CVE Name CVE-2019-9514
CVE Name CVE-2019-9515
URL https://github.com/h2o/h2o/issues/2090
URL https://www.kb.cert.org/vuls/id/605641/