===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.3114
SwiftNIO HTTP/2 1.5.0
14 August 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           SwiftNIO HTTP/2
Publisher:         Apple
Operating System:  OS X
                   Ubuntu
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9518 CVE-2019-9516 CVE-2019-9515
                   CVE-2019-9514 CVE-2019-9512
Reference:         ASB-2019.0238

Original Bulletin:
   https://support.apple.com/en-au/HT210436

- --------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0

SwiftNIO HTTP/2 1.5.0 is now available and addresses the following:

SwiftNIO HTTP/2
Available for: SwiftNIO HTTP/2 1.0.0 through 1.4.0 on macOS Sierra
10.12 and later and Ubuntu 14.04 and later
Impact: A HTTP/2 server may consume unbounded amounts of memory when
receiving certain traffic patterns and eventually suffer resource
exhaustion
Description: This issue was addressed with improved buffer size
management.
CVE-2019-9512: Jonathan Looney of Netflix
CVE-2019-9514: Jonathan Looney of Netflix
CVE-2019-9515: Jonathan Looney of Netflix
CVE-2019-9516: Jonathan Looney of Netflix

SwiftNIO HTTP/2
Available for: SwiftNIO HTTP/2 1.0.0 through 1.4.0 on macOS Sierra
10.12 and later and Ubuntu 14.04 and later
Impact: A HTTP/2 server may consume excessive CPU resources when
receiving certain traffic patterns
Description: This issue was addressed with improved input validation.
CVE-2019-9518: Piotr Sikora of Google, Envoy Security Team

Installation note:

SwiftNIO HTTP/2 1.5.0 may be obtained via Swift Package Manager.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222 and
https://github.com/apple/swift-nio-http2/releases/tag/1.5.0.

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
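
Added example (not part of the AusCERT or Apple bulletin): a Python check that reads a Swift Package Manager Package.resolved file and reports whether the swift-nio-http2 pin falls in the affected range the bulletin lists (1.0.0 through 1.4.0) or is at 1.5.0 or later. The sample files and their PLACEHOLDER revisions are constructed; the code assumes the format-1 and later Package.resolved pin layouts.

```python
import json

# Version bounds as stated in the bulletin: 1.0.0 through 1.4.0 affected, 1.5.0 fixed.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (1, 0, 0), (1, 4, 0), (1, 5, 0)
REPO_NAME = "swift-nio-http2"

def parse_version(version):
    """Return (major, minor, patch); build metadata is ignored, and
    pre-release or malformed versions return None."""
    parts = version.split("+")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_http2_pin(pin):
    # Format 1 pins use "package"/"repositoryURL"; later formats use "identity"/"location".
    name = (pin.get("identity") or pin.get("package") or "").lower()
    url = (pin.get("location") or pin.get("repositoryURL") or "").lower().rstrip("/")
    if url.endswith(".git"):
        url = url[:-4]
    return name == REPO_NAME or url.endswith("/" + REPO_NAME)

def check_resolved(text):
    """Classify the swift-nio-http2 pin as affected, fixed, unknown or absent."""
    doc = json.loads(text)
    # Format 1 nests the pin list under "object"; later formats keep it top-level.
    pins = doc["object"]["pins"] if "object" in doc else doc.get("pins", [])
    for pin in pins:
        if not is_http2_pin(pin):
            continue
        version = (pin.get("state") or {}).get("version")
        parsed = parse_version(version) if version else None
        if parsed is None:
            return ("unknown", version)   # branch/revision/pre-release pin: check by hand
        if parsed >= FIXED:
            return ("fixed", version)
        if AFFECTED_MIN <= parsed <= AFFECTED_MAX:
            return ("affected", version)
        return ("unknown", version)       # outside the range the bulletin lists
    return ("absent", None)

# Constructed sample files (not from any real project).
SAMPLE_V1 = json.dumps({"version": 1, "object": {"pins": [
    {"package": "swift-nio-http2",
     "repositoryURL": "https://github.com/apple/swift-nio-http2.git",
     "state": {"branch": None, "revision": "PLACEHOLDER", "version": "1.4.0"}}]}})
SAMPLE_V2 = json.dumps({"version": 2, "pins": [
    {"identity": "swift-nio-http2", "kind": "remoteSourceControl",
     "location": "https://github.com/apple/swift-nio-http2.git",
     "state": {"revision": "PLACEHOLDER", "version": "1.5.0"}}]})
```

A result of "unknown" means the pin tracks a branch, a bare revision, a pre-release, or a version outside the range the bulletin names, so the resolved revision has to be compared against the 1.5.0 release by hand.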