Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix crash when receiving request with invalid framing (CVE-2017-10868) #1459

Closed
kazuho opened this issue Oct 18, 2017 · 0 comments
Closed

fix crash when receiving request with invalid framing (CVE-2017-10868) #1459

kazuho opened this issue Oct 18, 2017 · 0 comments
Labels
vulnerability

Comments

@kazuho
Copy link
Member

kazuho commented Oct 18, 2017
edited

The worker process of H2O may crash (and automatically respawned depending on the configuration) when it receives a HTTP request with an invalid framing specifier (i.e. content-length or transfer-encoding header).

The crash disrupts other requests in-flight, and therefore is being classified as a DoS vulnerability.

Details TBD.

Affected systems: H2O up to version 2.2.2, serving HTTP/1 traffic.
Resolution: upgrade to 2.2.3.
@kazuho kazuho changed the title test fix crash when receiving request with invalid framing (CVE-2017-10868) Oct 19, 2017
@kazuho kazuho closed this as completed Jan 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kazuho