Format String Vulnerability (CVE-2016-4864) #1077
Comments
Hello, I've updated my following binary package builder repositories too. It is highly recommended to update if you use them.
What's the commit for the fix?
This landed in the FreeBSD ports tree at 10h00 UTC https://svnweb.freebsd.org/ports?view=revision&revision=422122 and will be backported to the quarterly branch once ports-secteam approves it. Follow https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211892 for more details.
I've updated: https://hub.docker.com/r/lkwg82/h2o-http2-server/tags/
I am sorry, but I am not sure if answering the question in a public place would be a good thing to do at the moment. Please send me a mail if you need such information, stating why you need it.
@kazuho Well, it's open-source after all, so what would be the risk in making the commit public? Your comment makes me feel quite strange.
11 months later, it is ok to make the fix public. So linking is ok now.
A format string vulnerability exists in H2O up to and including version 2.0.3 / 2.1.0-beta2 that can be used by remote attackers to mount Denial-of-Service attacks.
Users using one of the following handlers of H2O may be affected by the issue and are advised to upgrade immediately to version 2.0.4 or 2.1.0-beta3.
Affected handlers:
Deployments only using the file handler are not affected by the vulnerability.