A vulnerability was found in the way nghttp2 processes incoming packets. The nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If a peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with an out-of-memory error. Upstream report and fix: https://github.com/tatsuhiro-t/nghttp2/releases/tag/v1.7.1
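The following is an added illustration of the failure mode described above, not code from nghttp2 or from this bug's reporter. It models the HTTP/2 frame layer only: a HEADERS frame without END_HEADERS followed by an unbounded run of CONTINUATION frames, which a receiver must buffer until END_HEADERS arrives. It does not model nghttp2's HPACK decoder or the exact buffer the upstream fix bounds. The 64 KiB cap, the helper names, and the constructed frame sequence are assumptions chosen for the demonstration.

```python
import struct

# HTTP/2 frame types and flags (RFC 7540 sections 6.2 and 6.10).
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS, PADDED, PRIORITY = 0x4, 0x8, 0x20
FRAME_HEADER_LEN = 9
DEFAULT_MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE value


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, R bit plus 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class HeaderBlockTooLarge(Exception):
    """Raised when the buffered header block exceeds the configured cap."""


def reassemble(data, max_block_size=None):
    """Reassemble header blocks from HEADERS + CONTINUATION frames.

    Returns (completed_blocks, peak_buffered_bytes).  With max_block_size=None
    the receiver buffers without bound, which is the vulnerable behaviour; with a
    cap it aborts as soon as the accumulated block exceeds it.
    """
    blocks, pending_stream, buf, peak = [], None, bytearray(), 0
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS:
            if pending_stream is not None:
                raise ValueError("HEADERS received while a header block is open")
            if flags & (PADDED | PRIORITY):
                raise ValueError("PADDED/PRIORITY HEADERS not handled in this example")
            pending_stream, buf = sid, bytearray()
        elif ftype == CONTINUATION:
            if pending_stream != sid:
                raise ValueError("CONTINUATION without a matching open HEADERS")
        else:
            if pending_stream is not None:
                raise ValueError("non-CONTINUATION frame inside a header block")
            continue  # other frame types are irrelevant to this demonstration
        buf += payload
        peak = max(peak, len(buf))
        if max_block_size is not None and len(buf) > max_block_size:
            raise HeaderBlockTooLarge(f"{len(buf)} bytes buffered, cap {max_block_size}")
        if flags & END_HEADERS:
            blocks.append((pending_stream, bytes(buf)))
            pending_stream, buf = None, bytearray()
    return blocks, peak


def crafted_header_flood(n_continuation, chunk=DEFAULT_MAX_FRAME_SIZE, stream_id=1):
    """Constructed attack traffic: HEADERS without END_HEADERS, then CONTINUATIONs
    that never set END_HEADERS, each at the largest default frame size."""
    filler = b"\x00" * chunk  # constructed filler; only its length matters here
    frames = [build_frame(HEADERS, 0, stream_id, filler)]
    frames += [build_frame(CONTINUATION, 0, stream_id, filler) for _ in range(n_continuation)]
    return b"".join(frames)


def is_rejected(data, max_block_size):
    """True if the capped receiver aborts the header block instead of buffering it."""
    try:
        reassemble(data, max_block_size)
    except HeaderBlockTooLarge:
        return True
    return False


if __name__ == "__main__":
    flood = crafted_header_flood(8)
    _, peak = reassemble(flood)
    print(f"unbounded receiver buffered {peak} bytes and is still waiting for END_HEADERS")
    print(f"receiver with 64 KiB cap rejects flood: {is_rejected(flood, 65536)}")
    # Constructed legitimate request: HPACK indexed :method GET, :scheme http, :path /.
    legit = build_frame(HEADERS, END_HEADERS, 1, b"\x82\x86\x84")
    print(f"legitimate block passes the cap: {reassemble(legit, 65536)}")
```

The real attacker needs no special framing beyond omitting END_HEADERS and keeping CONTINUATION frames flowing, so a per-block or per-field byte cap on the receiving side, as the 1.7.1 release adds for the affected programs, is the only defence; the cap value in this example is illustrative and a deployment should pick one consistent with its own header-size limits.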
Created nghttp2 tracking bugs for this issue: Affects: epel-7 [bug 1308463]
Created nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1308467]
The fix seems to be spread across multiple commits. The changes between 1.7.0 and 1.7.1 seem almost limited to this issue: https://github.com/tatsuhiro-t/nghttp2/compare/v1.7.0...v1.7.1
nghttp2-1.7.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
nghttp2-1.7.1-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
nghttp2-1.7.1-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.