Hi,

On Tue, Nov 28, 2023 at 08:56:28AM +0000, Marold Marcus (DC-AE/ESW1) wrote:
> I would like to request an upgrade of the curl package (Linux
> Ubuntu Core 22 / Jammy) to Nghttp2 v1.57.0 because of
> CVE-2023-44487<https://github.com/advisories/GHSA-qppj-fm5r-hxr3>:
> HTTP/2 Rapid Reset.

Your mention of the curl package is confusing since this is a bug in
Nghttp2 amongst other things, so I assume that was just an error.

Secondly, this is Debian, not Ubuntu. If you want to report
something to Ubuntu, report it to Ubuntu.

Next up, this is a user support list contributed to by users. It's
not the place to officially report bugs, at least not if you want
them to be read by the package maintainers and to have some sort of
audit trail.

Looking at:

    https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://security-tracker.debian.org/tracker/source-package/nghttp2

I see that for some reason the bug is fixed in unstable and bullseye
(oldstable) but not stable. I can't see any open bugs in nghttp2 so
possibly it's just delayed slightly but you may want to officially
report it to Debian using "reportbug" or the instructions at
https://bugs.debian.org/.

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
