USN-6754-2: nghttp2 Vulnerability Updates for Ubuntu 24.04 LTS

In a continuous effort to secure systems against potential threats, LinuxPatch presents an important update regarding the nghttp2 vulnerabilities under USN-6754-2. This update follows the earlier fixes in USN-6754-1 and provides fixes tailored to Ubuntu 24.04 LTS.

Initially, it was discovered that the nghttp2 library, which implements the HTTP/2 protocol, incorrectly handled certain operations, which could lead to denial of service (DoS). Specifically, affected versions in Ubuntu 16.04 LTS and Ubuntu 18.04 LTS presented several critical issues:

  • CVE-2019-9511: Vulnerable to window size manipulation, allowing an attacker to request high volumes of data that consume server resources excessively, leading to DoS.
  • CVE-2019-9513: Vulnerable to resource loops, in which attackers manipulate stream priorities and cause server malfunctions.
  • CVE-2023-44487: Request cancellation flaw where attackers reset multiple streams quickly, consuming server resources.
  • CVE-2024-28182: Vulnerable because it handles an unbounded number of HTTP/2 CONTINUATION frames, causing excessive CPU usage.

The recent update for Ubuntu 24.04 LTS addresses these vulnerabilities by implementing hardened security measures and optimized handling techniques in nghttp2. With these flaws rectified, servers are significantly more resilient against potential DoS attacks.
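
The CONTINUATION (CVE-2024-28182) and stream-reset (CVE-2023-44487) patterns listed above are visible in the 9-byte HTTP/2 frame headers, so a defender can look for them in a captured frame stream. The following is an added example, not code from the advisory or from nghttp2; the function names, the thresholds and the sample bytes are assumptions constructed for illustration.

```python
from collections import Counter

# Frame type codes and the END_HEADERS flag, as defined for HTTP/2 (RFC 9113).
HEADERS, RST_STREAM, CONTINUATION = 0x1, 0x3, 0x9
END_HEADERS = 0x4

# Assumed limits for illustration only (per header block / per capture).
MAX_CONTINUATIONS, MAX_RESETS = 3, 3


def frame(ftype, flags, stream_id, payload=b""):
    """Build a frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    head = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return head + stream_id.to_bytes(4, "big") + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id) for every complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if off + 9 + length > len(buf):
            break  # truncated frame: stop rather than read past the buffer
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield buf[off + 3], buf[off + 4], sid
        off += 9 + length


def audit(buf):
    """Flag long CONTINUATION runs per stream and many resets per capture."""
    findings, resets, run = [], 0, Counter()
    for ftype, flags, sid in parse_frames(buf):
        if ftype == HEADERS:
            run[sid] = 0  # a new header block starts on this stream
        elif ftype == CONTINUATION:
            run[sid] += 1
            if run[sid] == MAX_CONTINUATIONS + 1:  # report once per block
                findings.append(f"stream {sid}: more than {MAX_CONTINUATIONS} CONTINUATION frames")
        elif ftype == RST_STREAM:
            resets += 1
            if resets == MAX_RESETS + 1:  # report once per capture
                findings.append(f"connection: more than {MAX_RESETS} RST_STREAM frames")
    return findings

# Constructed sample (filler payloads, not real traffic): one normal request,
# one header block that never ends, four requests cancelled immediately.
SAMPLE = frame(HEADERS, END_HEADERS, 1, b"\x82")
SAMPLE += frame(HEADERS, 0, 3, b"\x82") + frame(CONTINUATION, 0, 3, b"\x00") * 5
for sid in (5, 7, 9, 11):
    SAMPLE += frame(HEADERS, END_HEADERS, sid, b"\x82") + frame(RST_STREAM, 0, sid, b"\x00\x00\x00\x08")
```

A byte capture carries no timestamps, so the reset check counts frames per capture as a stand-in for a rate; with timestamped data the same counter would be applied per time window.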

For users and administrators, it is crucial to apply these updates to prevent exploitation that could lead to service disruptions. Keeping systems updated is a key step in maintaining a secure and efficient digital infrastructure.

To further understand these updates or to implement them, please visit LinuxPatch where detailed guides and additional support are available.