2023-11-15
ALT-BU-2023-7239-1
Branch p10 update bulletin.
Package firefox-esr updated to version 115.4.0-alt1 for branch p10 in task 333444.
Closed vulnerabilities
Published: 2023-10-24
BDU:2023-07278
Уязвимость реализации прикладного программного интерфейса для 3D-графики WebGL браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.4)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
References:
Published: 2023-10-24
BDU:2023-07279
Уязвимость браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, связанная с недостатками разграничения доступа, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2023-10-24
BDU:2023-07280
Уязвимость браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю провести атаку типа clickjacking («захват клика»)
Severity: HIGH (7.5)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2023-10-24
BDU:2023-07281
Уязвимость браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, связанная с выходом операции за границы буфера в памяти, позволяющая нарушителю выполнить произвольный код
Severity: HIGH (7.5)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2023-10-24
BDU:2023-07282
Уязвимость браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, связанная с недостаточным предупреждением об опасных действиях, позволяющая нарушителю выполнить произвольный код
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2023-10-24
BDU:2023-07283
Уязвимость компонента Garbage Collector («Сборщик мусора») браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю вызвать отказ в обслуживании
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2023-10-24
BDU:2023-07284
Уязвимость полноэкранного режима браузеров Firefox и Firefox ESR и почтового клиента Thunderbird, позволяющая нарушителю проводить спуфинг-атаки
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2023-10-24
BDU:2023-07285
Уязвимость браузера Firefox ESR и почтового клиента Thunderbird, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю проводить спуфинг-атаки
Severity: MEDIUM (6.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5721
It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an insufficient activation-delay. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1830820
- https://bugzilla.mozilla.org/show_bug.cgi?id=1830820
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5724
Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1836705
- https://bugzilla.mozilla.org/show_bug.cgi?id=1836705
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5725
A malicious installed WebExtension could open arbitrary URLs, which under the right circumstance could be leveraged to collect sensitive user data. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1845739
- https://bugzilla.mozilla.org/show_bug.cgi?id=1845739
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5726
A website could have obscured the full screen notification by using the file open dialog. This could have led to user confusion and possible spoofing attacks. *Note: This issue only affected macOS operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: MEDIUM (4.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1846205
- https://bugzilla.mozilla.org/show_bug.cgi?id=1846205
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5727
The executable file warning was not presented when downloading .msix, .msixbundle, .appx, and .appxbundle files, which can run commands on a user's computer. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1847180
- https://bugzilla.mozilla.org/show_bug.cgi?id=1847180
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5728
During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1852729
- https://bugzilla.mozilla.org/show_bug.cgi?id=1852729
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5730
Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1
- Memory safety bugs fixed in Firefox 119, Firefox ESR 115.4, and Thunderbird 115.4.1
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-45/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Published: 2023-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2023-5732
An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1.
Severity: MEDIUM (6.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1690979
- https://bugzilla.mozilla.org/show_bug.cgi?id=1690979
- https://bugzilla.mozilla.org/show_bug.cgi?id=1836962
- https://bugzilla.mozilla.org/show_bug.cgi?id=1836962
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00037.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00042.html
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5535
- https://www.debian.org/security/2023/dsa-5538
- https://www.debian.org/security/2023/dsa-5538
- https://www.mozilla.org/security/advisories/mfsa2023-34/
- https://www.mozilla.org/security/advisories/mfsa2023-34/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-46/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
- https://www.mozilla.org/security/advisories/mfsa2023-47/
Closed vulnerabilities
Published: 2023-10-10
BDU:2023-06559
Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
Published: 2023-10-10
Modified: 2025-04-03
Modified: 2025-04-03
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- [oss-security] 20231010 CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231010 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- https://access.redhat.com/security/cve/cve-2023-44487
- https://access.redhat.com/security/cve/cve-2023-44487
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://blog.vespa.ai/cve-2023-44487/
- https://blog.vespa.ai/cve-2023-44487/
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://github.com/akka/akka-http/issues/4323
- https://github.com/akka/akka-http/issues/4323
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/alibaba/tengine/issues/1872
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/apisix/issues/10320
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/httpd-site/pull/10
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://github.com/Azure/AKS/issues/3947
- https://github.com/Azure/AKS/issues/3947
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/bcdannyboy/CVE-2023-44487
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/announcements/issues/277
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/etcd-io/etcd/issues/16740
- https://github.com/facebook/proxygen/pull/466
- https://github.com/facebook/proxygen/pull/466
- https://github.com/golang/go/issues/63417
- https://github.com/golang/go/issues/63417
- https://github.com/grpc/grpc/releases/tag/v1.59.2
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/pull/3291
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/kazu-yamamoto/http2/issues/93
- https://github.com/Kong/kong/discussions/11741
- https://github.com/Kong/kong/discussions/11741
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/line/armeria/pull/5232
- https://github.com/line/armeria/pull/5232
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://github.com/micrictor/http2-rst-stream
- https://github.com/micrictor/http2-rst-stream
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/pull/1961
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/nodejs/node/pull/50121
- https://github.com/nodejs/node/pull/50121
- https://github.com/openresty/openresty/issues/930
- https://github.com/openresty/openresty/issues/930
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- FEDORA-2023-c0c6a91330
- FEDORA-2023-7b52921cae
- FEDORA-2023-0259c3f26f
- FEDORA-2023-4bf641255e
- FEDORA-2023-d5030c983c
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-dbe64661af
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-ed2642fd58
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-b2c50535cb
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-492b7be466
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-822aab0a5a
- FEDORA-2023-7934802344
- FEDORA-2023-54fadada12
- FEDORA-2023-2a9214af5f
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://my.f5.com/manage/s/article/K000137106
- https://my.f5.com/manage/s/article/K000137106
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37830998
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37831062
- https://news.ycombinator.com/item?id=37837043
- https://news.ycombinator.com/item?id=37837043
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- GLSA-202311-09
- GLSA-202311-09
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20231016-0001/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240426-0007/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://ubuntu.com/security/CVE-2023-44487
- https://ubuntu.com/security/CVE-2023-44487
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- DSA-5521
- DSA-5521
- DSA-5522
- DSA-5522
- DSA-5540
- DSA-5540
- DSA-5549
- DSA-5549
- DSA-5558
- DSA-5558
- DSA-5570
- DSA-5570
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause