oss-sec mailing list archives
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 20 Oct 2023 10:39:01 -0700

On 10/18/23 16:10, Alan Coopersmith wrote:
> On 10/10/23 11:40, Alan Coopersmith wrote:
>> Information I've found so far on open source implementations (most via the
>> current listings in the CVE) include:
>
> Some more updates since last week:
>
>> - Apache httpd: https://chaos.social/@icing/111210915918780532
>
> The discussion in https://github.com/apache/httpd-site/pull/10 makes the
> situation a little murkier.

https://github.com/icing/blog/blob/main/h2-rapid-reset.md clears that up and
explains why Apache issued a fix under a different CVE id for the problem
identified in that discussion, as we saw on this list yesterday.

-- 
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris