oval:org.secpod.oval:def:1507075
[1:1.20.1-1.0.1.1] - Resolves: RHEL-12732 - nginx:1.20/nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:97266 The remote host is missing a patch 152643-17 containing a security fix. For more information please visit the reference link. oval:org.secpod.oval:def:1507077 [1:1.20.1-14.0.1.1] - Resolves: RHEL-12518 - nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:1507079 [6.0.123-1.0.1] - Update to .NET SDK 6.0.123 and Runtime 6.0.23 - Resolves: RHEL-11696 [6.0.122-1.0.1] - Update to .NET SDK 6.0.122 and Runtime 6.0.22 - Resolves: RHEL-1996 [6.0.121-1.0.1] - Update to .NET SDK 6.0.121 and Runtime 6.0.21 - Resolves: RHBZ#2228567 [6.0.120-1.0.1] - Add missing Oracle L ... oval:org.secpod.oval:def:126358 Folly is a library of C++14 components designed with practicality and efficiency in mind. Folly contains a variety of core library components used extensively at Facebook. In particular, it's often a dependency of Facebook's other open source C++ efforts and place where those projects can share cod ... oval:org.secpod.oval:def:126352 The mod_h2 Apache httpd module implements the HTTP2 protocol on top of libnghttp2 for httpd 2.4 servers. oval:org.secpod.oval:def:126353 mvfst is a client and server implementation of IETF QUIC protocol in C++ by Facebook. QUIC is a UDP based reliable, multiplexed transport protocol that will become an internet standard. The goal of mvfst is to build a performant implementation of the QUIC transport protocol that applications could ... oval:org.secpod.oval:def:126355 Fizz is a TLS 1.3 implementation. Fizz currently supports TLS 1.3 drafts 28, 26 , and 23. All major handshake modes are supported, including PSK resumption, early data, client authentication, and HelloRetryRequest. oval:org.secpod.oval:def:126360 Folly is a library of C++14 components designed with practicality and efficiency in mind. 
Folly contains a variety of core library components used extensively at Facebook. In particular, it's often a dependency of Facebook's other open source C++ efforts and place where those projects can share cod ... oval:org.secpod.oval:def:126361 Warp speed Data Transfer is aiming to transfer data between two systems as fast as possible. oval:org.secpod.oval:def:3301920 Security update for nodejs12 oval:org.secpod.oval:def:1507085 delve golang [1.19.13-1] - Rebase to Go 1.19.13 [CVE-2023-39325] [CVE-2023-44487] go-toolset [1.19.13-1] - Rebase to Go 1.19.13 [CVE-2023-39325] [CVE-2023-44487] oval:org.secpod.oval:def:1507087 [7.0.112-1.0.1] - Update to .NET SDK 7.0.112 and Runtime 7.0.12 - Resolves: RHEL-11698 oval:org.secpod.oval:def:1507080 [6.0.123-1.0.1] - Update to .NET SDK 6.0.123 and Runtime 6.0.23 - Resolves: RHEL-11696 [6.0.122-1.0.1] - Update to .NET SDK 6.0.122 and Runtime 6.0.22 - Resolves: RHEL-1997 [6.0.121-1.0.1] - Update to .NET SDK 6.0.121 and Runtime 6.0.21 - Resolves: RHBZ#2228567 [6.0.120-1.0.1] - Add missing Oracle L ... oval:org.secpod.oval:def:97267 The remote host is missing a patch 152644-17 containing a security fix. For more information please visit the reference link. oval:org.secpod.oval:def:508045 The rhel9/toolbox container image can be used with Toolbox to obtain RHEL based containerized command line environments to aid with development and software testing. Toolbox is built on top of Podman and other standard container technologies from OCI. This updates the rhel9/toolbox image in the Red ... oval:org.secpod.oval:def:1507083 [1:1.22.1-1.0.1.1] - Resolves: RHEL-12728 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:94676 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. 
Security Fix(es): * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) For more details about the ... oval:org.secpod.oval:def:1507401 nodejs [1:16.20.2-4.0.1] - reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks Resolves: CVE-2024-22019 nodejs-nodemon nodejs-packaging [26-1] - nodejs.prov: find namespaced bundled dependencies - Apply https://src.fedoraproject.org/rpms/nodejs-packaging/c/e24e7df oval:org.secpod.oval:def:1701896 An issue was found in libcurl which allows cookies to be inserted into a running program if specific conditions are met. The libcurl provided function, curl_easy_duphandle, is used to duplicate the easy_handle associated with a transfer. If a duplicated transfer's easy_handle has cookies enabled whe ... oval:org.secpod.oval:def:612834 It was discovered that libnghttp2, a library implementing the HTTP/2 protocol, handled request cancellation incorrectly. This could result in denial of service. oval:org.secpod.oval:def:126368 fb303 is a base Thrift service and a common set of functionality for querying stats, options, and other information from a service. oval:org.secpod.oval:def:126363 Fizz is a TLS 1.3 implementation. Fizz currently supports TLS 1.3 drafts 28, 26 , and 23. All major handshake modes are supported, including PSK resumption, early data, client authentication, and HelloRetryRequest. oval:org.secpod.oval:def:126364 Proxygen comprises the core C++ HTTP abstractions used at Facebook. Internally, it is used as the basis for building many HTTP servers, proxies, and clients. This release focuses on the common HTTP abstractions and our simple HTTPServer framework. Future releases will provide simple client APIs as w ... oval:org.secpod.oval:def:126366 CacheLib is a C++ library providing in-process high performance caching mechanism. 
CacheLib provides a thread safe API to build high throughput, low overhead caching services, with built-in ability to leverage DRAM and SSD caching transparently. oval:org.secpod.oval:def:1507090 [7.0.112-1.0.1] - Update to .NET SDK 7.0.112 and Runtime 7.0.12 - Resolves: RHEL-11698 oval:org.secpod.oval:def:89051003 This update for netty, netty-tcnative fixes the following issues: * Updated netty to version 4.1.100: * CVE-2023-44487: Fixed a potential denial of service scenario via RST frame floods . * Updated netty-tcnative to version 2.0.62 Final. oval:org.secpod.oval:def:1507095 [1.33.0-5] - fix HTTP/2 Rapid Reset [1.33.0-4] - prevent DoS caused by overly large SETTINGS frames oval:org.secpod.oval:def:1601835 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:1507096 [1.43.0-5.1] - fix HTTP/2 Rapid Reset oval:org.secpod.oval:def:1507097 [1:9.0.62-11.3] - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:1507093 golang [1.19.13-1] - Update to go 1.19.13 [CVE-2023-44487] [CVE-2023-39325] [CVE-2023-29409] go-toolset [1.19.13-1] - Update to Go version 1.19.13 oval:org.secpod.oval:def:509147 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vul ... 
oval:org.secpod.oval:def:19500439 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:19500438 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:19500437 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:1507099 nodejs [1:18.18.2-1] - Rebase to version 18.18.2 Resolves: CVE-2023-44487 CVE-2023-45143 CVE-2023-38552 CVE-2023-39333 nodejs-nodemon nodejs-packaging oval:org.secpod.oval:def:126336 Traffic Server is a high-performance building block for cloud services. It's more than just a caching proxy server; it also has support for plugins to build large scale web applications. Key features: Caching - Improve your response time, while reducing server load and bandwidth needs by caching and ... oval:org.secpod.oval:def:126337 Traffic Server is a high-performance building block for cloud services. It's more than just a caching proxy server; it also has support for plugins to build large scale web applications. Key features: Caching - Improve your response time, while reducing server load and bandwidth needs by caching and ... oval:org.secpod.oval:def:612802 Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework. CVE-2023-34462 It might be possible for a remote peer to send a client hello packet during a TLS handshake which lead the server to buffer up to 16 MB of data per connection. This could lead to a O ... oval:org.secpod.oval:def:508064 Varnish Cache is a high-performance HTTP accelerator. 
It stores web pages in memory so web servers don"t have to create the same web page over and over again, giving the website a significant speed up. Security Fix: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For mo ... oval:org.secpod.oval:def:4501499 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For more details about the security issue, including the impact, a CVSS ... oval:org.secpod.oval:def:4501496 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fix: * golang: net/http, x/net/http2: rapid stream resets can cause excessive work [CVE-2023-44487] * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For ... oval:org.secpod.oval:def:4501497 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other relate ... oval:org.secpod.oval:def:3301598 Security update for nodejs10 oval:org.secpod.oval:def:612740 A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 . A wrong value for the overheadcount variable forced HTTP2 connections to close early. oval:org.secpod.oval:def:1601848 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:5800212 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 
Security Fix: * nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack A Rocky Enterprise Software Foundation Security Bulletin which ... oval:org.secpod.oval:def:5800214 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. The golang packages provide the Go programming language compiler. Security Fix: * golang: net/http, x/net/http2: rapid stream resets can cause excessive work [CVE-2023-44487] * HTTP/2: Multiple ... oval:org.secpod.oval:def:5800213 Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don"t have to create the same web page over and over again, giving the website a significant speed up. Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For ... oval:org.secpod.oval:def:5800216 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For more details about the security issue, including the impact, a C ... oval:org.secpod.oval:def:19500553 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:95287 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es): * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) * nodejs: permission model impr ... 
oval:org.secpod.oval:def:19500436 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:19500435 Line directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file ... oval:org.secpod.oval:def:19500548 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:1601839 Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling p ... oval:org.secpod.oval:def:1507166 nodejs [1:20.8.1-1] - Update node and nghttp - Add fips patch - Fixes CVE-2023-44487 - Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333 nodejs-nodemon [3.0.1-1] - Rebase to 3.0.1 - Resolves: CVE-2022-25883 nodejs-packaging oval:org.secpod.oval:def:1601837 Line directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file ... oval:org.secpod.oval:def:126325 This package contains the HTTP/2 client, server and proxy programs. oval:org.secpod.oval:def:126440 The mod_h2 Apache httpd module implements the HTTP2 protocol on top of libnghttp2 for httpd 2.4 servers. 
oval:org.secpod.oval:def:93999 An update for go-toolset and golang is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:93997 An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:93998 An update for nginx is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:93991 An update for the nginx:1.22 module is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:93992 An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:4501500 Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don"t have to create the same web page over and over again, giving the website a significant speed up. Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For ... oval:org.secpod.oval:def:96465 nghttp2: HTTP/2 C Library and tools nghttp2 could be made to consume resources if it received specially crafted network traffic. oval:org.secpod.oval:def:93990 An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:4501501 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB OpenTSDB. Security Fix: * grafana: golang: net/http, x/net/http2: rapid stream resets can cause excessive work * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack A Rocky En ... oval:org.secpod.oval:def:1701837 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:93995 An update for grafana is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:93996 An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. 
oval:org.secpod.oval:def:93993 An update for nghttp2 is now available for Red Hat Enterprise Linux 8 oval:org.secpod.oval:def:93994 An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:1701846 Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling p ... oval:org.secpod.oval:def:95384 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or information disclosure. oval:org.secpod.oval:def:126416 The Go Programming Language. oval:org.secpod.oval:def:1701845 Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling p ... oval:org.secpod.oval:def:1701844 The HTTP/2 protocol allows a denial of service because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023 oval:org.secpod.oval:def:126412 This package contains the HTTP/2 client, server and proxy programs. oval:org.secpod.oval:def:126414 The Go Programming Language. oval:org.secpod.oval:def:95145 libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C. Security Fix(es): * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) oval:org.secpod.oval:def:612735 The patch to address CVE-2023-44487 was incomplete and caused a regression when using asynchronous I/O . 
DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. oval:org.secpod.oval:def:1701836 Line directives can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file ... oval:org.secpod.oval:def:95393 Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework. CVE-2023-34462 It might be possible for a remote peer to send a client hello packet during a TLS handshake which lead the server to buffer up to 16 MB of data per connection. This could lead to a O ... oval:org.secpod.oval:def:3301431 Security update for netty, netty-tcnative oval:org.secpod.oval:def:2501193 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. oval:org.secpod.oval:def:2501194 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. oval:org.secpod.oval:def:2501195 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. oval:org.secpod.oval:def:2501198 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB OpenTSDB. oval:org.secpod.oval:def:89051067 This update for nodejs12 fixes the following issues: * CVE-2023-44487: Fixed the Rapid Reset attack in nghttp2. * CVE-2023-38552: Fixed an integrity checks according to policies that could be circumvented oval:org.secpod.oval:def:93733 The host is missing an important security update KB5031901 oval:org.secpod.oval:def:2600415 libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 protocol in C. 
oval:org.secpod.oval:def:89051065 This update for nodejs12 fixes the following issues: * CVE-2023-44487: Fixed the Rapid Reset attack in nghttp2. * CVE-2023-38552: Fixed an integrity checks according to policies that could be circumvented oval:org.secpod.oval:def:95234 The patch to address CVE-2023-44487 was incomplete and caused a regression when using asynchronous I/O . DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. oval:org.secpod.oval:def:93732 The host is missing an important security update KB5031900 oval:org.secpod.oval:def:95236 A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 . A wrong value for the overheadcount variable forced HTTP2 connections to close early. oval:org.secpod.oval:def:1507116 [1:1.22.1-3.0.1.1] - Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:1507111 [1:9.0.62-5.2] - HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack oval:org.secpod.oval:def:93988 An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:93989 An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8. oval:org.secpod.oval:def:3301886 Security update for go1.21 oval:org.secpod.oval:def:508202 The rhc-worker-script packages provide Remote Host Configuration worker for executing an interpreted programming language script on hosts managed by Red Hat Insights. Security Fix: golang: net/http, x/net/http2: rapid stream resets can cause excessive work HTTP/2: Multiple HTTP/2 enabled web serv ... oval:org.secpod.oval:def:4501511 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 
Security Fix: * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack * nodejs: permission model improperly protects against path traversal ... oval:org.secpod.oval:def:612793 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or information disclosure. oval:org.secpod.oval:def:2501210 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. oval:org.secpod.oval:def:2501211 Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don"t have to create the same web page over and over again, giving the website a significant speed up. oval:org.secpod.oval:def:126400 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. oval:org.secpod.oval:def:126401 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. oval:org.secpod.oval:def:93713 The host is missing a critical security update for KB5031361 oval:org.secpod.oval:def:93714 The host is missing a critical security update for KB5031362 oval:org.secpod.oval:def:93711 The host is missing a critical security update for KB5031356 oval:org.secpod.oval:def:93712 The host is missing a critical security update for KB5031358 oval:org.secpod.oval:def:93715 The host is missing a critical security update for KB5031364 oval:org.secpod.oval:def:94002 An update for nodejs is now available for Red Hat Enterprise Linux 9. 
oval:org.secpod.oval:def:94003 An update for nghttp2 is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:94000 An update for .NET 7.0 is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:94006 An update for tomcat is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:94004 An update for nghttp2 is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:94005 An update for grafana is now available for Red Hat Enterprise Linux 9. oval:org.secpod.oval:def:2501200 nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. oval:org.secpod.oval:def:97760 [CLSA-2023:1698101447] nginx: Fix of CVE-2023-44487 oval:org.secpod.oval:def:2501204 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. oval:org.secpod.oval:def:2501205 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. oval:org.secpod.oval:def:3301864 Security update for go1.20 oval:org.secpod.oval:def:708530 dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Several security issues were fixed in dotnet6, dotnet7. oval:org.secpod.oval:def:1507148 [1.43.0-5.1] - fix HTTP/2 Rapid Reset oval:org.secpod.oval:def:93609 HTTP/2 Rapid Reset Attack oval:org.secpod.oval:def:508192 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For more details about the security issue, including the impact, a CVSS score, acknowledgments, and other related ... oval:org.secpod.oval:def:508199 Varnish Cache is a high-performance HTTP accelerator. 
It stores web pages in memory so web servers don"t have to create the same web page over and over again, giving the website a significant speed up. Security Fix: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack For mo ... oval:org.secpod.oval:def:708528 dotnet8: .NET CLI tools and runtime Details: USN-6427-1 fixed a vulnerability in .NET. This update provides the corresponding update for .NET 8. Original advisory .NET could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:89051815 This update for abseil-cpp, grpc, opencensus-proto, protobuf, python-abseil, python-grpcio, re2 fixes the following issues: abseil-cpp was updated to: Update to 20230802.1: * Add StdcppWaiter to the end of the list of waiter implementations Update to 20230802.0 What"s New: * Added the nullability li ... oval:org.secpod.oval:def:126399 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. oval:org.secpod.oval:def:2600347 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. oval:org.secpod.oval:def:2600348 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. oval:org.secpod.oval:def:708514 dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime .NET could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:2600349 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. 
oval:org.secpod.oval:def:89051015 This update for nodejs18 fixes the following issues: * Update to version 18.18.2 * CVE-2023-44487: Fixed the Rapid Reset attack in nghttp2. * CVE-2023-45143: Fixed a cookie leakage in undici. * CVE-2023-38552: Fixed an integrity checks according to policies that could be circumvented. * CVE-2023- ... oval:org.secpod.oval:def:2600344 Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. oval:org.secpod.oval:def:2600345 .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. oval:org.secpod.oval:def:89051014 This update for nghttp2 fixes the following issues: * CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack oval:org.secpod.oval:def:96412 dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime .NET could be made to crash if it received specially crafted network traffic. oval:org.secpod.oval:def:96530 It was discovered that libnghttp2, a library implementing the HTTP/2 protocol, handled request cancellation incorrectly. This could result in denial of service. oval:org.secpod.oval:def:2108399 Oracle Solaris 11 - ( CVE-2023-44487 ) oval:org.secpod.oval:def:3302382 Security update for abseil-cpp, grpc, opencensus-proto, protobuf, python-abseil, python-grpcio, re2 oval:org.secpod.oval:def:1507447 [6.6.2-4.1] - Resolves: RHEL-30387 - varnish: HTTP/2 Broken Window Attack may result in denial of service [6.6.2-4] - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487 - Resolves: RHEL-12817 oval:org.secpod.oval:def:4501549 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: * nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks * nodejs: HTTP/2: Multiple HTTP/2 enabled web servers are ... 
oval:org.secpod.oval:def:89051009 This update for nghttp2 fixes the following issues: * CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack
oval:org.secpod.oval:def:89051127 This update for nghttp2 fixes the following issues: * CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack
oval:org.secpod.oval:def:93709 The host is missing a critical security update for KB5031354
oval:org.secpod.oval:def:126370 Wangle is a library that makes it easy to build protocols, application clients, and application servers. It's like Netty + Finagle smooshed together, but in C++.
oval:org.secpod.oval:def:2600358 Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.
oval:org.secpod.oval:def:126372 mvfst is a client and server implementation of IETF QUIC protocol in C++ by Facebook. QUIC is a UDP based reliable, multiplexed transport protocol that will become an internet standard. The goal of mvfst is to build a performant implementation of the QUIC transport protocol that applications could ...
oval:org.secpod.oval:def:2600359 The rhel9/toolbox container image can be used with Toolbox to obtain AlmaLinux based containerized command line environments to aid with development and software testing. Toolbox is built on top of Podman and other standard container technologies from OCI.
oval:org.secpod.oval:def:126373 Wangle is a library that makes it easy to build protocols, application clients, and application servers. It's like Netty + Finagle smooshed together, but in C++.
oval:org.secpod.oval:def:2600353 Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies.
oval:org.secpod.oval:def:89051048 This update for nodejs10 fixes the following issues: * CVE-2023-44487: Fixed the Rapid Reset attack in nghttp2
oval:org.secpod.oval:def:2600351 libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 protocol in C.
oval:org.secpod.oval:def:2600352 Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB.
oval:org.secpod.oval:def:126378 fb303 is a base Thrift service and a common set of functionality for querying stats, options, and other information from a service.
oval:org.secpod.oval:def:126379 Mcrouter is a memcached protocol router for scaling memcached deployments. Because the routing and feature logic are abstracted from the client in mcrouter deployments, the client may simply communicate with destination hosts through mcrouter over a TCP connection using standard memcached protocol. ...
oval:org.secpod.oval:def:126374 Thrift is a serialization and RPC framework for service communication. Thrift enables these features in all major languages, and there is strong support for C++, Python, Hack, and Java. Most services at Facebook are written using Thrift for RPC, and some storage systems use Thrift for serializing re ...
oval:org.secpod.oval:def:126376 Mcrouter is a memcached protocol router for scaling memcached deployments. Because the routing and feature logic are abstracted from the client in mcrouter deployments, the client may simply communicate with destination hosts through mcrouter over a TCP connection using standard memcached protocol. ...
oval:org.secpod.oval:def:708613 nghttp2: HTTP/2 C Library and tools. nghttp2 could be made to consume resources if it received specially crafted network traffic.
oval:org.secpod.oval:def:126382 Warp speed Data Transfer is aiming to transfer data between two systems as fast as possible.
oval:org.secpod.oval:def:96518 It was discovered that libnghttp2, a library implementing the HTTP/2 protocol, handled request cancellation incorrectly. This could result in denial of service.
oval:org.secpod.oval:def:126383 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
oval:org.secpod.oval:def:89050980 This update for tomcat fixes the following issues: Tomcat was updated to version 9.0.82 : * Security issues fixed: * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. * CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. * Update to Tomcat 9.0.82: * Catalina * Add: 65770: Provid ...
oval:org.secpod.oval:def:3301943 Security update for go1.20-openssl
oval:org.secpod.oval:def:126380 Watchman exists to watch files and record when they actually change. It can also trigger actions when matching files change.
oval:org.secpod.oval:def:2600360 nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.
oval:org.secpod.oval:def:19500497 An issue was found in libcurl which allows cookies to be inserted into a running program if specific conditions are met. The libcurl provided function, curl_easy_duphandle, is used to duplicate the easy_handle associated with a transfer. If a duplicated transfer's easy_handle has cookies enabled whe ...
oval:org.secpod.oval:def:1507103 [7.5.15-5] - Resolve CVE-2023-44487 Rapid Reset Attack - Resolve CVE-2023-39325 rapid stream resets can cause excessive work
oval:org.secpod.oval:def:1507104 nodejs [1:18.18.2-2] - Rebase to version 18.18.2 Resolves: CVE-2023-44487 CVE-2023-45143 CVE-2023-38552 CVE-2023-39333 nodejs-nodemon [3.0.1-1] - Rebase to 3.0.1 - Resolves: CVE-2022-25883 nodejs-packaging [2021.06-4] - NPM bundler: also find namespaced bundled dependencies [2021.06-3] - Rebuilt for ...
oval:org.secpod.oval:def:1507105 nodejs [1:16.20.2-3.0.1] - Update nghttp2 to 1.57.0 Resolves: CVE-2023-44487 nodejs-nodemon nodejs-packaging [26-1] - nodejs.prov: find namespaced bundled dependencies - Apply https://src.fedoraproject.org/rpms/nodejs-packaging/c/e24e7df
oval:org.secpod.oval:def:1507100 [9.0.9-4] - Resolve CVE-2023-44487 Rapid Reset Attack - Resolve CVE-2023-39325 rapid stream resets can cause excessive work
oval:org.secpod.oval:def:1507102 [1:16.20.2-3.0.1] - Update nghttp2 to 1.57.0 Resolves: CVE-2023-44487
oval:org.secpod.oval:def:126389 Proxygen comprises the core C++ HTTP abstractions used at Facebook. Internally, it is used as the basis for building many HTTP servers, proxies, and clients. This release focuses on the common HTTP abstractions and our simple HTTPServer framework. Future releases will provide simple client APIs as w ...
oval:org.secpod.oval:def:93807 A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any serve ...
oval:org.secpod.oval:def:126385 Thrift is a serialization and RPC framework for service communication. Thrift enables these features in all major languages, and there is strong support for C++, Python, Hack, and Java. Most services at Facebook are written using Thrift for RPC, and some storage systems use Thrift for serializing re ...
oval:org.secpod.oval:def:1507107 [6.6.2-3.el9_2.1] - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487 - Resolves: RHEL-12818
oval:org.secpod.oval:def:126386 Watchman exists to watch files and record when they actually change. It can also trigger actions when matching files change.
oval:org.secpod.oval:def:1507109 varnish [6.0.8-3.1] - Add parameters h2_rst_allowance and h2_rst_allowance_period to mitigate CVE-2023-44487 varnish-modules
oval:org.secpod.oval:def:126388 CacheLib is a C++ library providing in-process high performance caching mechanism. CacheLib provides a thread safe API to build high throughput, low overhead caching services, with built-in ability to leverage DRAM and SSD caching transparently.
oval:org.secpod.oval:def:4501503 Rocky Enterprise Software Foundation Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Security Fix: * golang: net/http, x/net/http2: rapid stream resets c ...
oval:org.secpod.oval:def:612757 Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service becaus ...
oval:org.secpod.oval:def:95248 Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. Furthermore the HTTP/2 protocol allowed a denial of service becaus ...
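The def:93807 entry above describes the CVE-2023-44487 mechanism (open a stream with HEADERS, cancel it at once with RST_STREAM, repeat), and the Varnish entries describe the shape of the fix: an allowance of resets per period, beyond which the connection is dropped. The following is an added example written for this page, not code from SecPod, Varnish, nghttp2 or any other project listed here. It parses raw HTTP/2 frames, replays them through a fixed-window reset allowance, and returns the frame at which a server applying that policy would close the connection. The traffic is constructed (RapidResetBurst), the HEADERS payload is a placeholder rather than a real HPACK block, the limit of 10 resets per second is an arbitrary illustration, and the function and verdict names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// HTTP/2 frame types (RFC 9113 section 6), the CANCEL error code, and the two verdicts.
const (
	frameHeaders      uint8  = 0x1
	frameRstStream    uint8  = 0x3
	errCancel         uint32 = 0x8
	VerdictOK                = "ok"
	VerdictRapidReset        = "rapid reset: RST_STREAM allowance exceeded, close connection"
)

type Frame struct {
	Type     uint8
	StreamID uint32
	Payload  []byte
}

// buildFrame serialises 24-bit length, type, flags, 31-bit stream id and payload.
func buildFrame(typ, flags uint8, streamID uint32, payload []byte) []byte {
	hdr := make([]byte, 9, 9+len(payload))
	hdr[0], hdr[1], hdr[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	hdr[3], hdr[4] = typ, flags
	binary.BigEndian.PutUint32(hdr[5:], streamID&0x7fffffff)
	return append(hdr, payload...)
}

// ParseFrames splits the byte stream that follows the connection preface into frames.
func ParseFrames(b []byte) ([]Frame, error) {
	var out []Frame
	for len(b) > 0 {
		if len(b) < 9 {
			return nil, errors.New("truncated frame header")
		}
		n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
		if len(b) < 9+n {
			return nil, errors.New("truncated frame payload")
		}
		sid := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff
		out = append(out, Frame{Type: b[3], StreamID: sid, Payload: b[9 : 9+n]})
		b = b[9+n:]
	}
	return out, nil
}

// RapidResetBurst is constructed traffic, not a capture: n client streams, each opened with
// HEADERS (END_HEADERS|END_STREAM = 0x5) and cancelled at once with RST_STREAM(CANCEL).
// The HEADERS payload is a placeholder byte, not a real HPACK block; nothing here decodes it.
func RapidResetBurst(n int) []byte {
	var b []byte
	cancel := make([]byte, 4)
	binary.BigEndian.PutUint32(cancel, errCancel)
	for k := 0; k < n; k++ {
		sid := uint32(2*k + 1) // client-initiated streams are odd-numbered
		b = append(b, buildFrame(frameHeaders, 0x5, sid, []byte{0x82})...)
		b = append(b, buildFrame(frameRstStream, 0, sid, cancel)...)
	}
	return b
}

// Inspect replays frames through a fixed-window reset allowance in the spirit of
// h2_rst_allowance / h2_rst_allowance_period: at most `allowance` RST_STREAMs for streams the
// client itself opened per `period`; the next one is the cue to close the whole connection.
// clock(i) is the arrival time of frame i. Returns the verdict and the offending frame index, or -1.
func Inspect(frames []Frame, allowance int, period time.Duration, clock func(int) time.Time) (string, int) {
	open := map[uint32]bool{}
	resets, windowStart := 0, time.Time{}
	for i, f := range frames {
		switch f.Type {
		case frameHeaders:
			open[f.StreamID] = true
		case frameRstStream:
			if !open[f.StreamID] {
				continue // reset of a stream we never saw opened: not the open-then-cancel pattern
			}
			delete(open, f.StreamID)
			now := clock(i)
			if windowStart.IsZero() || now.Sub(windowStart) >= period {
				windowStart, resets = now, 0
			}
			if resets++; resets > allowance {
				return VerdictRapidReset, i
			}
		}
	}
	return VerdictOK, -1
}

func main() {
	frames, _ := ParseFrames(RapidResetBurst(100))
	t0 := time.Unix(0, 0)
	fmt.Println(Inspect(frames, 10, time.Second, func(int) time.Time { return t0 })) // whole burst at once
	fmt.Println(Inspect(frames, 10, time.Second, func(i int) time.Time { return t0.Add(time.Duration(i) * 200 * time.Millisecond) }))
}
```

The first call models the attack (every frame arrives at once) and trips on the eleventh reset; the second spreads the same frames over time so that no second ever holds more than three resets, which is the ordinary client-cancellation rate the allowance is meant to tolerate. Real servers combine this per-connection counter with the existing SETTINGS_MAX_CONCURRENT_STREAMS limit, which on its own is what the attack sidesteps, because a cancelled stream no longer counts against it.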
oval:org.secpod.oval:def:3301641 Security update for jetty-minimal
oval:org.secpod.oval:def:89051020 This update for jetty-minimal fixes the following issues: * Updated to version 9.4.53.v20231009: * CVE-2023-44487: Fixed a potential denial of service scenario via RST frame floods . * CVE-2023-36478: Fixed an integer overflow in the HTTP/2 HPACK decoder . * CVE-2023-40167: Fixed a permissive HTTP h ...
oval:org.secpod.oval:def:708697 golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go.
oval:org.secpod.oval:def:98655 golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go.
oval:org.secpod.oval:def:3301762 Security update for go1.21-openssl
oval:org.secpod.oval:def:95375 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-28709 Denial of Service. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exac ...
oval:org.secpod.oval:def:612724 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-28709 Denial of Service. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exac ...
oval:org.secpod.oval:def:612725 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-24998 Denial of service. Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, the ...
oval:org.secpod.oval:def:95230 Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2023-24998 Denial of service. Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, the ...
oval:org.secpod.oval:def:99944 The host is installed with Jenkins LTS before 2.414.3 or Jenkins rolling release before 2.428 and is prone to a denial of service vulnerability. A flaw is present in the application, which fails to properly handle bundled Winstone-Jetty. Successful exploitation could lead to denial of service.
oval:org.secpod.oval:def:2501197 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
oval:org.secpod.oval:def:2501199 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
oval:org.secpod.oval:def:2501266 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
oval:org.secpod.oval:def:2501355 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
oval:org.secpod.oval:def:2600350 Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.