
Format String Vulnerability (CVE-2016-4864) #1077

Closed
kazuho opened this Issue Sep 14, 2016 · 7 comments


kazuho commented Sep 14, 2016

A format string vulnerability exists in H2O up to and including version 2.0.3 / 2.1.0-beta2 that can be used by remote attackers to mount denial-of-service attacks.

Users using one of the following handlers of H2O may be affected by the issue and are advised to upgrade immediately to version 2.0.4 or 2.1.0-beta3.

Affected handlers:

Deployments only using the file handler are not affected by the vulnerability.

tatsushid commented Sep 14, 2016

Hello,

I've updated following my binary package builder repositories too.

It is highly recommended to update if you use them.

judofyr commented Sep 14, 2016

What's the commit for the fix?

dch commented Sep 14, 2016

This landed in FreeBSD ports tree 10h00 UTC https://svnweb.freebsd.org/ports?view=revision&revision=422122 and will be backported to quarterly branch once ports-secteam approve it. Follow https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211892 for more details.

lkwg82 commented Sep 14, 2016

kazuho commented Sep 14, 2016

@judofyr

What's the commit for the fix?

I am sorry but I am not sure if answering to the question at a public place would be a good thing to do at the moment. Please send me a mail if you need such information stating why you need it.

@kazuho kazuho closed this Sep 23, 2016

ge-fa commented Aug 31, 2017

@kazuho Well, it's open-source after all, so what would be the risk in making the commit public? Your comment makes me feel quite strange.

lkwg82 commented Sep 1, 2017

11 months later it is OK to make the fix public. So linking is OK now.
