Format String Vulnerability (CVE-2016-4864) #1077
Comments
|
Hello, I've updated following my binary package builder repositories too. It is highly recommended to update if you use them. |
|
What's the commit for the fix? |
|
This landed in FreeBSD ports tree 10h00 UTC https://svnweb.freebsd.org/ports?view=revision&revision=422122 and will be backported to quarterly branch once ports-secteam approve it. Follow https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211892 for more details. |
|
I've updated: https://hub.docker.com/r/lkwg82/h2o-http2-server/tags/ |
I am sorry but I am not sure if answering to the question at a public place would be a good thing to do at the moment. Please send me a mail if you need such information stating why you need it. |
|
@kazuho Well, it's open-source after all, so what would be the risk in making the commit public? Your comment makes me feel quite strange. |
|
11 months later it is ok, to make the fix public. So linking is ok now. |
Format string vulnerability exists in H2O upto and including version 2.0.3 / 2.1.0-beta2, that can be used by remote attackers to mount Denial-of-Service attacks.
Users using one of the following handlers of H2O may be affected by the issue and are advised to upgrade immediately to version 2.0.4 or 2.1.0-beta3.
Affected handlers:
Deployments only using the file handler is not affected by the vulnerability.
The text was updated successfully, but these errors were encountered: