HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515

[kazuho]

Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:

• CVE-2019-9512 (Ping Flood)
• CVE-2019-9514 (Reset Flood)
• CVE-2019-9515 (Settings Flood)

These vulnerabilities have been fixed in version 2.2.6 and 2.3.0-beta2.

H2O is not vulnerable to CVE-2019-9511 (Data Dribble), CVE-2019-9513 (Resource Loop), CVE-2019-9516 (0-Length Headers Leak), CVE-2019-9517 (Internal Data Buffering), CVE-2019-9518 (Empty Frames Flood).

TBD: links to CVEs, acknowledgements.

[mmuehlenhoff]

Is this all fixed by 743d6b6 or is this issue kept open for some other angles?

[kazuho]

@mmuehlenhoff All fixed as of that commit.

[gladk]

Can this issue then be closed please?