FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio

Affected packages
nghttp2 < 1.7.1

Details

VuXML ID: 07718e2b-d29d-11e5-a95f-b499baebfeaf
Discovery: 2016-02-03
Entry: 2016-02-13

Nghttp2 reports:

Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If a peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with an out-of-memory error.

Note that libnghttp2 itself is not affected by this vulnerability.
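
One way an application built on libnghttp2 could bound the memory it spends on one header block spanning HEADERS and CONTINUATION frames, as an added example (not code from nghttp2 or the FreeBSD project). The 64 KiB cap and the names `stream_budget`, `budget_charge` and `feed_fields` are assumptions made for illustration; the 32-byte per-field overhead follows the header list sizing rule in RFC 7540 section 6.5.2.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed cap for this example; not a value taken from nghttp2. */
#define MAX_HEADER_LIST_BYTES 65536u
/* Per-field overhead used by RFC 7540 section 6.5.2 when sizing a header list. */
#define FIELD_OVERHEAD 32u

enum hdr_verdict { HDR_ACCEPT = 0, HDR_RESET_STREAM = 1 };

/* Hypothetical per-stream state an application keeps next to its header buffers. */
struct stream_budget {
    size_t used;      /* bytes charged so far for this header block */
    int    rejected;  /* sticky: once over the cap, keep rejecting */
};

/* Call once per decoded field, before copying name/value into application memory.
 * Fields from a HEADERS frame and its CONTINUATION frames share one budget. */
enum hdr_verdict budget_charge(struct stream_budget *b, size_t namelen, size_t valuelen)
{
    if (b->rejected)
        return HDR_RESET_STREAM;
    /* Overflow-safe: compare against the remaining room instead of summing first. */
    size_t room = MAX_HEADER_LIST_BYTES - b->used;
    if (namelen > room || valuelen > room - namelen ||
        FIELD_OVERHEAD > room - namelen - valuelen) {
        b->rejected = 1;   /* caller should reset the stream and free its buffers */
        return HDR_RESET_STREAM;
    }
    b->used += namelen + valuelen + FIELD_OVERHEAD;
    return HDR_ACCEPT;
}

/* Constructed input: offer n identical fields, return how many were accepted. */
size_t feed_fields(struct stream_budget *b, size_t n, size_t namelen, size_t valuelen)
{
    size_t accepted = 0;
    while (accepted < n && budget_charge(b, namelen, valuelen) == HDR_ACCEPT)
        accepted++;
    return accepted;
}

int main(void)
{
    struct stream_budget b = {0, 0};
    size_t ok = feed_fields(&b, 100000, 8, 24);   /* 64 bytes charged per field */
    printf("accepted %zu of 100000 fields, %zu bytes charged\n", ok, b.used);
    return 0;
}
```

The budget is charged before any copy is made, so the memory held per stream stays bounded no matter how many CONTINUATION frames follow.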

References

CVE Name: CVE-2016-1544
URL: http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/