REDHAT-BUG-2448754
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The library is meant to stop reading incoming data once the public API function `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` has been called by the application; the library may also call these functions internally when it detects a condition that is treated as a connection error. Prior to version 1.68.1, a missing internal state validation lets the library keep reading the rest of the data after one of those functions is called. Receiving a malformed frame that triggers FRAME_SIZE_ERROR in that state then causes an assertion failure. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.
Frequently Asked Questions
What is the severity of REDHAT-BUG-2448754?
The severity of REDHAT-BUG-2448754 is classified as important.
How do I fix REDHAT-BUG-2448754?
To fix REDHAT-BUG-2448754, upgrade to nghttp2 version 1.68.1 or later.
What impact does REDHAT-BUG-2448754 have on applications using nghttp2?
REDHAT-BUG-2448754 could cause applications to stop reading incoming data when certain API calls are made.
Which versions of nghttp2 are affected by REDHAT-BUG-2448754?
REDHAT-BUG-2448754 affects nghttp2 versions prior to 1.68.1.
Is there a workaround for REDHAT-BUG-2448754 before applying the fix?
There is no documented workaround for REDHAT-BUG-2448754, so it is recommended to upgrade as soon as possible.