{"id":"MGASA-2024-0135","summary":"Updated nghttp2 packages fix security vulnerability","details":"nghttp2 library keeps reading the unbounded number of HTTP/2\nCONTINUATION frames even after a stream is reset to keep HPACK context\nin sync. This causes excessive CPU usage to decode HPACK stream.\nThis update fixes the issue.\nThis is the latest release, which will bring some more fixes and\nimprovements.\n","modified":"2026-04-16T04:41:25.712625354Z","published":"2024-04-17T02:13:57Z","upstream":["CVE-2024-28182"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2024-0135.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33087"},{"type":"WEB","url":"https://nowotarski.info/http2-continuation-flood/"},{"type":"ADVISORY","url":"https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q"}],"affected":[{"package":{"name":"nghttp2","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/nghttp2?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.61.0-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2024-0135.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}