This description was provided in the disclosure from VINCE: An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
Created nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 2273036] Created nodejs tracking bugs for this issue: Affects: epel-all [bug 2273035] Created nodejs:13/nghttp2 tracking bugs for this issue: Affects: epel-all [bug 2273034] Created nodejs:16/nodejs tracking bugs for this issue: Affects: fedora-all [bug 2273038]
Created nghttp2 tracking bugs for this issue: Affects: epel-all [bug 2273388] Created nodejs16 tracking bugs for this issue: Affects: fedora-all [bug 2273389] Created nodejs18 tracking bugs for this issue: Affects: fedora-all [bug 2273390] Created nodejs20 tracking bugs for this issue: Affects: fedora-all [bug 2273391] Created nodejs:13/nodejs tracking bugs for this issue: Affects: epel-all [bug 2273392] Created nodejs:16-epel/nodejs tracking bugs for this issue: Affects: epel-all [bug 2273393]
FEDORA-2024-da8cdd8414 (nghttp2-1.59.0-3.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-a00de83de9 (nghttp2-1.55.1-5.fc39) has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.