In nghttp2 before version 1.41.0, if an overly large HTTP/2 SETTINGS frame with a length of 14,400 bytes is repeatedly constructed it can cause the CPU to spike to 100% and cause a DoS.
External References: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
Created nghttp2 tracking bugs for this issue: Affects: epel-7 [bug 1844931] Affects: epel-8 [bug 1844932] Affects: fedora-all [bug 1844930]
Acknowledgments: Name: the Envoy security team
(In reply to Mark Cooper from comment #2) > Created nghttp2 tracking bugs for this issue: > > Affects: epel-7 [bug 1844931] > Affects: epel-8 [bug 1844932] nghttp2 is not in epel-8. Please consider creating a rhel-8 tracking bug instead.
All LTS versions of Node.js in Fedora were updated to latest releases providing nghttp2-1.41.0 https://src.fedoraproject.org/rpms/nodejs/c/fa3bbd7aedac586123f61db60a4bc2b20177503d?branch=10 https://src.fedoraproject.org/rpms/nodejs/c/b031e5cbac070ad813f7e7723a122287a451aa7e?branch=12 https://src.fedoraproject.org/rpms/nodejs/c/78887f1479112d6d5671c012b841411e2b89758f?branch=14
In reply to comment #8: > (In reply to Mark Cooper from comment #2) > > Created nghttp2 tracking bugs for this issue: > > > > Affects: epel-7 [bug 1844931] > > Affects: epel-8 [bug 1844932] > > nghttp2 is not in epel-8. Please consider creating a rhel-8 tracking bug > instead. I believe @mbenatto has this done this. Thanks
This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2523 https://access.redhat.com/errata/RHSA-2020:2523
This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2524 https://access.redhat.com/errata/RHSA-2020:2524
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11080
What is the ETA for this fix with RHEL 8 and NodeJS 12? We have a release deadline for July and this CVE is needed.
See https://issues.redhat.com/browse/JBCS-976 too
Created nodejs:10/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847481] Created nodejs:11/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847482] Created nodejs:12/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847483] Created nodejs:13/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847484] Created nodejs:14/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847485]
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 JBoss Core Services on RHEL 7 Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2755 https://access.redhat.com/errata/RHSA-2020:2755
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2020:2784 https://access.redhat.com/errata/RHSA-2020:2784
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2823 https://access.redhat.com/errata/RHSA-2020:2823
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2850 https://access.redhat.com/errata/RHSA-2020:2850
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895
How is this closed when nodejs:14/nodejs is not showed as patched?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042
I'm not tracking. The errata link posted is for node10. The https://access.redhat.com/security/cve/CVE-2020-11080 page still shows both node10 and node14 affected with no fix.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084