FreeBSD : nghttp2 -- Out of memory in nghttpd, nghttp, and libnghttp2_asio (07718e2b-d29d-11e5-a95f-b499baebfeaf)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing a security-related update.

Description :

Nghttp2 reports :

Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due
to unlimited incoming HTTP header fields.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the
memory usage for the incoming HTTP header field. If a peer sends
specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they
will crash with an out of memory error.

Note that libnghttp2 itself is not affected by this vulnerability.

See also :

http://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/
http://www.nessus.org/u?8631e030

Solution :

Update the affected package.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 88729

Bugtraq ID:

CVE ID: CVE-2016-1544
