Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3114
SwiftNIO HTTP/2 1.5.0
14 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: SwiftNIO HTTP/2
Publisher: Apple
Operating System: OS X
Ubuntu
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-9518 CVE-2019-9516 CVE-2019-9515
CVE-2019-9514 CVE-2019-9512
Reference: ASB-2019.0238
Original Bulletin:
https://support.apple.com/en-au/HT210436
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
SwiftNIO HTTP/2 1.5.0 is now available and addresses the following:
SwiftNIO HTTP/2
Available for: SwiftNIO HTTP/2 1.0.0 through 1.4.0 on
macOS Sierra 10.12 and later and Ubuntu 14.04 and later
Impact: A HTTP/2 server may consume unbounded amounts of memory when
receiving certain traffic patterns and eventually suffer resource
exhaustion
Description: This issue was addressed with improved buffer size
management.
CVE-2019-9512: Jonathan Looney of Netflix
CVE-2019-9514: Jonathan Looney of Netflix
CVE-2019-9515: Jonathan Looney of Netflix
CVE-2019-9516: Jonathan Looney of Netflix
SwiftNIO HTTP/2
Available for: SwiftNIO HTTP/2 1.0.0 through 1.4.0 on
macOS Sierra 10.12 and later and Ubuntu 14.04 and later
Impact: A HTTP/2 server may consume excessive CPU resources when
receiving certain traffic patterns
Description: This issue was addressed with improved input validation.
CVE-2019-9518: Piotr Sikora of Google, Envoy Security Team
Installation note:
SwiftNIO HTTP/2 1.5.0 may be obtained via Swift Package Manager.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222 and
https://github.com/apple/swift-nio-http2/releases/tag/1.5.0.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAl1S69ApHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3Elqw//
TAkt1t7YKV8hvLOUd/60+kTutSQMapp6y6+UxaHmCXVp8ftwDz92Z0YD1RdBETjc
NrsUHWgfoHpKQgZSzfCQLqmSvxwzVw2JD1OjUCdwLLf7B7nO6sBIkmJzQ62HHuse
Ixy0fm06HXt1buDAhpG/cmOHtJYS0kNYfTONkv9WGuvkqr7/neaiMcsIRLdwUsim
AJZYt0vzKvyG8hnKH0NRp1EygGf9OBoJMdp6e21xeQxj1xqFKV9jnn43/1yhdqvY
201dzY2zJ3UycM5ao4vQndFQkysATRojjHEY7U+RMu3WJsqA5hKjQH6vvZDaVjsq
8Bx1otGPUHhl7YusdYD2LI927+tNH1SZDStdCutuho4rs2PvVeHW5SBug4decYOw
0VEl/UaIitHoDuzFGMyu9ZYdutsHdLgsFC1FtK62l8/CMASJJsRL+MsBj9WZmtMk
KzqQYYbkD0f3MVzesxTjM9tAqrItGglevkzSGL7jXN9oVz/Qr/I3A9u9BcQbgYbS
nwem75bWYkTDiXznxDST+iafKFWZurt66J/Akd0KadioEq5cxP/fL65DBQjrpuWr
1CQPErEfJyO8ngyhYTul3mqNHUyPIyEymihYg8+StN2PZDhOvHurrpP3GiWV1y9H
lsOyDbNanEeqFlQMzG/94j8dexBtKLQTcWJn1nf/Q/4=
=FBOZ
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVN312aOgq3Tt24GAQg8zg/6Alu2H79gHLWDNi5qCh6NcZ2s/uWbJq6j
1Gc+rQ0zK4i3MOpphfSPw0cyJ4taYeX7A5rPgY+V8rNTr8oNkY+foHsD/wbNrp51
DcoLNl0zExrUAImbH/5G2auBgSlq69KbwRr6oVbRG+lz6ZXqoMR3W6/5JVZl4vYw
WrYkjqzz1GVb5Ad71BblZye7H+iIicELEiMYOr0KwYSZOrobaM8n/aVHNyBxrwkZ
NsrXY9CpkYidD50ne+ch3L02lSzpDnbiQlXx7QEfComx+jHFI/r+tT7OzrIVPMxI
pJtR83sJm7tBqthK3C4CesqlhkU/hqsTutWgSKZpTgmpl1RJOBI5Gwo0j9gBgSH3
UzNx3iCWCAXJwMeE1fz6FuhfQvRpd73psD5P0kDLmW1OILSwt2wu7CjONyjoAmvA
vmPEZBqGsYkmW7SF+Q8FdXb/CyZ8Zb0fOh5pTrTvLsk/szBLG2fwGfKq0rVzqhUs
WtZp6Vsv1e9A2/K34D8Xgw3c/hqAI4EfDiwLkwIzrMD1LJUYWn4mgjOh7qNthgS0
R05aHqMG9tnxJpcVQJnafl97Ws40dnZGX7ejQA+fIbhPu7g6hBOf5xxwEoP59f27
KVZkLxo1BtIsSD5zTmUpi9tpYzAFLHbdJkuabjrKSFkqfvULUgmmei2ISvkJ2lN+
qwDp0mzNetA=
=GhVt
-----END PGP SIGNATURE-----