Red Hat Product Errata RHSA-2023:5769 - Security Advisory
Issued:
2023-10-17
Updated:
2023-10-17

RHSA-2023:5769 - Security Advisory

Synopsis

Important: nghttp2 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for nghttp2 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

nghttp2 contains the Hypertext Transfer Protocol version 2 (HTTP/2) client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C.

Security Fix(es):

  • HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat Enterprise Linux Server - AUS 8.6 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat Enterprise Linux Server - TUS 8.6 x86_64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64
  • Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.6 x86_64
  • Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6 ppc64le
  • Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.6 s390x
  • Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6 aarch64

Fixes

  • BZ - 2242803 - CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
x86_64
libnghttp2-1.33.0-4.el8_6.1.i686.rpm SHA-256: f337123c3f4660871bbbafd1fb3dff782a3314737ba6dd01c153fa5f64082dda
libnghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: aec363ade17c64f977820f8062a36463d77d040ce4f801c36e04a966ada7014b
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
x86_64
libnghttp2-1.33.0-4.el8_6.1.i686.rpm SHA-256: f337123c3f4660871bbbafd1fb3dff782a3314737ba6dd01c153fa5f64082dda
libnghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: aec363ade17c64f977820f8062a36463d77d040ce4f801c36e04a966ada7014b
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat Enterprise Linux Server - AUS 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
x86_64
libnghttp2-1.33.0-4.el8_6.1.i686.rpm SHA-256: f337123c3f4660871bbbafd1fb3dff782a3314737ba6dd01c153fa5f64082dda
libnghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: aec363ade17c64f977820f8062a36463d77d040ce4f801c36e04a966ada7014b
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
s390x
libnghttp2-1.33.0-4.el8_6.1.s390x.rpm SHA-256: 130e4c3bb038aa4a92e444ca445d77229b78be4046308bdfc9fbdbc38732fc00
libnghttp2-debuginfo-1.33.0-4.el8_6.1.s390x.rpm SHA-256: af89922676c786d97c1b9193765341f515d624a7c65b66e134c35a3f8a59dee7
nghttp2-debuginfo-1.33.0-4.el8_6.1.s390x.rpm SHA-256: d74ff835461732325e72207d5bacf33697ad082cb47c8e69d264c37405e3e7f2
nghttp2-debugsource-1.33.0-4.el8_6.1.s390x.rpm SHA-256: 77899540e9d22055ecd885fcf12cef9942f6bb2b9ccca5f398243036394a69ee

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
ppc64le
libnghttp2-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 34fc3d47f37fc0c3512ed4eeb053a02692b8b6830acc9905a06bfd78eb75e522
libnghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2047ffddc9497a39be2462520cde1002e25a026c850bef39b47d69a56ac55b98
nghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2f6d4e9c8e123b5c0b1275a70f727294cc404e8e683e5fcc5cf02f5c7aa9c481
nghttp2-debugsource-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 9b45bb3dabde18c5a138db220644f3113dc951ebd73f012004b4e95fed8da406

Red Hat Enterprise Linux Server - TUS 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
x86_64
libnghttp2-1.33.0-4.el8_6.1.i686.rpm SHA-256: f337123c3f4660871bbbafd1fb3dff782a3314737ba6dd01c153fa5f64082dda
libnghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: aec363ade17c64f977820f8062a36463d77d040ce4f801c36e04a966ada7014b
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
aarch64
libnghttp2-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: fa32165e9071c4c94aba21b8d50161dd9ae4dd4aeda85ab62d485cfc94c1f970
libnghttp2-debuginfo-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: 086377936abb382530b975ead373ebbea2595a53a2e85ccc10224e89a009dc4a
nghttp2-debuginfo-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: a5e6d24d73c49c93e4d128600421c2282725b59aca21b6b765cc0dcaceca1627
nghttp2-debugsource-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: dff2a0cdbdfae272ea236e77d4e65187da3d76dfec512545555f19d5b1a233b8

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
ppc64le
libnghttp2-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 34fc3d47f37fc0c3512ed4eeb053a02692b8b6830acc9905a06bfd78eb75e522
libnghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2047ffddc9497a39be2462520cde1002e25a026c850bef39b47d69a56ac55b98
nghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2f6d4e9c8e123b5c0b1275a70f727294cc404e8e683e5fcc5cf02f5c7aa9c481
nghttp2-debugsource-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 9b45bb3dabde18c5a138db220644f3113dc951ebd73f012004b4e95fed8da406

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6

SRPM
nghttp2-1.33.0-4.el8_6.1.src.rpm SHA-256: 86c5d10545a172e0d77e17bf881ff18a8aff69a89cd8fe0e691911df6eede949
x86_64
libnghttp2-1.33.0-4.el8_6.1.i686.rpm SHA-256: f337123c3f4660871bbbafd1fb3dff782a3314737ba6dd01c153fa5f64082dda
libnghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: aec363ade17c64f977820f8062a36463d77d040ce4f801c36e04a966ada7014b
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 8.6

SRPM
x86_64
libnghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 2b7e48610a943e3fb8f1fd4e57d7f0508c7108f29e17e8fb41aa4808b38032ef
libnghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 626cd1a667b0d871672a9ebba20c41c14f31cb3560073ea3ef2f394b041e81e2
libnghttp2-devel-1.33.0-4.el8_6.1.i686.rpm SHA-256: 3a752a927cb0e6c9404db56528db6f74b74488425b91c2bf4bf1c97a77ad5f3f
libnghttp2-devel-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 8f18ae5b642c6066e56328b29281338d4135ef793206e061c905fefa02d338d6
nghttp2-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 61a09a20d5af64b740a8de3187296691781652a990bc26f7b78b2b8b41c972aa
nghttp2-debuginfo-1.33.0-4.el8_6.1.i686.rpm SHA-256: 15c9dbdd4b7c7eb15d96b33fe6aa6fb02d367d1ea4d3f871faca2100557c71de
nghttp2-debuginfo-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 630f335e05ea1569569c92129ce15cb4a6bd94309053c0a19e5595d4954e4275
nghttp2-debugsource-1.33.0-4.el8_6.1.i686.rpm SHA-256: 863c03ffb8528c188c275f42cf0fc00d44c97fde1b77a20bd0582db45acfec1a
nghttp2-debugsource-1.33.0-4.el8_6.1.x86_64.rpm SHA-256: 1758f8256adccec5b94972adc846e0683dd3c6a6025d2fbee9de012fac4c2922

Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 8.6

SRPM
ppc64le
libnghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2047ffddc9497a39be2462520cde1002e25a026c850bef39b47d69a56ac55b98
libnghttp2-devel-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: fcbd527cda6db92ed9d6b274c873a66a8b1d321d13db91fa61e4b182f153d7df
nghttp2-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 1f3f3c6c630535ad775a723d5c9db2524f9cc7e49676d5cc94bb8914335efb28
nghttp2-debuginfo-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 2f6d4e9c8e123b5c0b1275a70f727294cc404e8e683e5fcc5cf02f5c7aa9c481
nghttp2-debugsource-1.33.0-4.el8_6.1.ppc64le.rpm SHA-256: 9b45bb3dabde18c5a138db220644f3113dc951ebd73f012004b4e95fed8da406

Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 8.6

SRPM
s390x
libnghttp2-debuginfo-1.33.0-4.el8_6.1.s390x.rpm SHA-256: af89922676c786d97c1b9193765341f515d624a7c65b66e134c35a3f8a59dee7
libnghttp2-devel-1.33.0-4.el8_6.1.s390x.rpm SHA-256: e6a381ffbe3bf6a048d107f163ba5d3256c9ae6a6f6f28d6a5f65545c2d83f84
nghttp2-1.33.0-4.el8_6.1.s390x.rpm SHA-256: 0cb257bfee4e0d92b5570c478032ab4293e3798b4c0f3f578be5424486161fe8
nghttp2-debuginfo-1.33.0-4.el8_6.1.s390x.rpm SHA-256: d74ff835461732325e72207d5bacf33697ad082cb47c8e69d264c37405e3e7f2
nghttp2-debugsource-1.33.0-4.el8_6.1.s390x.rpm SHA-256: 77899540e9d22055ecd885fcf12cef9942f6bb2b9ccca5f398243036394a69ee

Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 8.6

SRPM
aarch64
libnghttp2-debuginfo-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: 086377936abb382530b975ead373ebbea2595a53a2e85ccc10224e89a009dc4a
libnghttp2-devel-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: 0586a79f259dcc9cc40fa44f44d520391b18b03bc0267e7affaf86d916476798
nghttp2-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: 64065c66d41ffb7554f81084edfe289f6995593384c9df36bf411278adb27376
nghttp2-debuginfo-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: a5e6d24d73c49c93e4d128600421c2282725b59aca21b6b765cc0dcaceca1627
nghttp2-debugsource-1.33.0-4.el8_6.1.aarch64.rpm SHA-256: dff2a0cdbdfae272ea236e77d4e65187da3d76dfec512545555f19d5b1a233b8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.