Vulnerability CVE-2024-27983: Information
Description
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 frame packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and the TCP connection is then abruptly closed by the client, triggering the Http2Session destructor while header frames are still being processed (and stored in memory), which causes a race condition.
Published: April 9, 2024
Modified: April 20, 2024
Fixed packages
Package name | Branch | Fixed in version | Version in repository | Errata ID | Task No. | Status |
---|---|---|---|---|---|---|
node | sisyphus | 20.12.1-alt1 | 20.12.2-alt1 | ALT-PU-2024-5094-2 | 344324 | Fixed |
node | sisyphus_riscv64 | 20.12.1-alt1 | 20.12.1-alt1 | ALT-PU-2024-6089-1 | - | Fixed |
node | sisyphus_loongarch64 | 20.12.1-alt1 | 20.12.1-alt1 | ALT-PU-2024-5941-1 | - | Fixed |