FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- DoS in workers

Affected packages
h2o < 2.2.3

Details

VuXML ID: 10c0fabc-b5da-11e7-816e-00bd5d1fff09
Discovery: 2017-07-19
Entry: 2017-10-17

Frederik Deweerdt reports:

Multiple Denial-of-Service vulnerabilities exist in h2o workers - see references for full details.

CVE-2017-10868: Worker processes may crash when receiving a request with invalid framing.

CVE-2017-10869: The stack may overflow when proxying huge requests.

References

CVE Name: CVE-2017-10868
CVE Name: CVE-2017-10869
URL: https://github.com/h2o/h2o/issues/1459
URL: https://github.com/h2o/h2o/issues/1460
URL: https://github.com/h2o/h2o/releases/tag/v2.2.3