Format String Vulnerability (CVE-2016-4864) #1077

Closed
kazuho opened this Issue Sep 14, 2016 · 5 comments


@kazuho
Member
kazuho commented Sep 14, 2016

A format string vulnerability exists in H2O up to and including version 2.0.3 / 2.1.0-beta2, which can be used by remote attackers to mount Denial-of-Service attacks.

Users using one of the following handlers of H2O may be affected by the issue and are advised to upgrade immediately to version 2.0.4 or 2.1.0-beta3.

Affected handlers:

Deployments only using the file handler are not affected by the vulnerability.
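For triaging a fleet against the version ranges stated in the advisory above, here is an added example (not part of the original issue and not code from the H2O project) that classifies H2O version strings. The `<host> h2o/<version>` inventory format, the host names and the function names are assumptions made for the example; it does not look at which handlers a deployment uses.

```python
import re

# Boundaries from the advisory: releases up to and including 2.0.3 and
# 2.1.0-beta2 are affected; 2.0.4 and 2.1.0-beta3 carry the fix.
LAST_AFFECTED_STABLE = (2, 0, 3)
FIRST_FIXED_BETA = 3  # on the 2.1.0 line
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-beta(\d+))?$")
# Assumed inventory line format (constructed for this example): "<host> h2o/<version>"
_LINE_RE = re.compile(r"^(\S+)\s+h2o/(\S+)$", re.IGNORECASE)

def parse_version(version):
    """Return ((major, minor, patch), beta); beta is None for a final release."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised H2O version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(4)) if m.group(4) is not None else None
    return core, beta

def is_affected(version):
    """True if the version falls in the ranges the advisory lists as affected."""
    core, beta = parse_version(version)
    if core == (2, 1, 0):
        # Only pre-releases before beta3 are affected; 2.1.0 final sorts after beta3.
        return beta is not None and beta < FIRST_FIXED_BETA
    return core <= LAST_AFFECTED_STABLE

def audit(inventory):
    """Map each H2O host to 'affected', 'fixed' or 'unknown'; other products are skipped."""
    report = {}
    for line in inventory.splitlines():
        m = _LINE_RE.match(line.strip())
        if m is None:
            continue  # not an H2O entry
        host, version = m.groups()
        try:
            report[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            report[host] = "unknown"  # unparseable version string: check by hand
    return report

# Constructed sample inventory, not taken from the issue.
SAMPLE_INVENTORY = "\n".join([
    "edge-01 h2o/2.0.3", "edge-02 h2o/2.0.4", "edge-03 h2o/2.1.0-beta2",
    "edge-04 h2o/2.1.0-beta3", "edge-05 h2o/custom-build", "edge-06 nginx/1.10.1",
])

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```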

@tatsushid

Hello,

I've updated my following binary package builder repositories too.

It is highly recommended to update if you use them.

@judofyr
judofyr commented Sep 14, 2016

What's the commit for the fix?

@dch
dch commented Sep 14, 2016

This landed in the FreeBSD ports tree at 10h00 UTC https://svnweb.freebsd.org/ports?view=revision&revision=422122 and will be backported to the quarterly branch once ports-secteam approves it. Follow https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211892 for more details.

@kazuho
Member
kazuho commented Sep 14, 2016

@judofyr

What's the commit for the fix?

I am sorry, but I am not sure if answering the question in a public place would be a good thing to do at the moment. Please send me a mail if you need such information, stating why you need it.

@kazuho kazuho closed this Sep 23, 2016