[manjaro-security] [arch-security] [ASA-201602-13] nghttp2: denial of service

Remi Gacogne rgacogne at archlinux.org
Sat Feb 13 22:13:08 CET 2016

Arch Linux Security Advisory ASA-201602-13

Severity: Low
Date    : 2016-02-13
CVE-ID  : CVE-2016-1544
Package : nghttp2
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package nghttp2 before version 1.7.1-1 is vulnerable to denial of


Upgrade to 1.7.1-1.

# pacman -Syu "nghttp2>=1.7.1-1"

The problem has been fixed upstream in version 1.7.1.




HTTP/2 uses HPACK to compress header fields. The basic idea is that HTTP
header field is stored in the receiver with the numeric index number.
The memory used by this storage is tightly constrained, and it is 4KiB
by default. When sender sends the same header field, it just sends the
corresponding numeric index number, which is usually 1 or 2 bytes. This
means that after sender makes the receiver store the relatively large
header field (e.g., 4KiB), and it can send specially crafted
HEADERS/CONTINUATION frames which contain a lot of references to the
stored header field, sender easily effectively send lots of big header
fields to the receiver quite easily. nghttpd, nghttp, and
libnghttp2_asio applications do not limit the memory usage for received
header fields, so if the peer performs the procedure described above,
they will crash due to out of memory.


A remote attacker can cause an application using nghttp2 to allocate a
lot of memory by sending specially crafted HTTP/2 frames, causing a
denial of service.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160213/e8329c09/attachment.pgp>

More information about the manjaro-security mailing list