DEBIAN-CVE-2023-44487

Source
https://security-tracker.debian.org/tracker/CVE-2023-44487
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-44487.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-44487
Upstream
Published
2023-10-10T14:15:10Z
Modified
2025-09-25T23:28:48.721466Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

References

Affected packages

Debian:11

dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.5.1-3
1.6.0-1
1.6.0-2
1.6.1-1
1.7.0-1
1.7.1-1
1.7.2-1
1.7.2-2
1.7.3-1
1.7.3-2
1.8.0-1
1.8.1-1
1.8.2-1
1.8.2-2
1.8.2-3
1.8.3-1
1.8.3-2
1.8.3-3
1.9.3-1
1.9.4-1
1.9.5-1
1.9.6-1
1.9.8-1
1.9.9-1
1.9.10-1

2.*

2.0.0~rc1-1
2.0.0~rc1-2
2.0.0~rc2-1
2.0.0-1
2.0.0-2
2.0.0-3
2.0.0-4
2.0.0-5
2.0.0-6
2.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

grpc

Package

Name
grpc
Purl
pkg:deb/debian/grpc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.30.2-3
1.30.2-4
1.30.2-4+0.riscv64.1
1.30.2-4+0.riscv64.2
1.44.0-1
1.44.0-2
1.44.0-3
1.50.1-1
1.51.0-1
1.51.1-1
1.51.1-2
1.51.1-3
1.51.1-4
1.51.1-4.1~exp1
1.51.1-4.1
1.51.1-5
1.51.1-6
1.59.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

h2o

Package

Name
h2o
Purl
pkg:deb/debian/h2o?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.5+dfsg2-6
2.2.5+dfsg2-6.1
2.2.5+dfsg2-6.2
2.2.5+dfsg2-7
2.2.5+dfsg2-8
2.2.5+dfsg2-8.1~exp1
2.2.5+dfsg2-8.1
2.2.5+dfsg2-9
2.2.5+dfsg2-10
2.2.5+dfsg2-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}

haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.4.50-4+deb11u1

Affected versions

9.*

9.4.39-3
9.4.39-3+deb11u1
9.4.39-3+deb11u2
9.4.44-1
9.4.44-2
9.4.44-3
9.4.44-4
9.4.45-1
9.4.46-1
9.4.48-1
9.4.49-1
9.4.49-1.1
9.4.50-1~bpo11+1
9.4.50-1
9.4.50-2
9.4.50-3
9.4.50-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:4.1.48-4+deb11u2

Affected versions

1:4.*

1:4.1.48-4
1:4.1.48-4+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nghttp2

Package

Name
nghttp2
Purl
pkg:deb/debian/nghttp2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.43.0-1+deb11u1

Affected versions

1.*

1.43.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.18.0-6.1
1.18.0-6.1+deb11u1
1.18.0-6.1+deb11u2
1.18.0-6.1+deb11u3
1.18.0-6.1+deb11u4
1.18.0-6.1+deb11u5
1.18.0-7
1.18.0-8
1.18.0-9
1.20.2-1
1.20.2-2
1.20.2-3~exp1
1.22.0-1~exp1
1.22.0-1~exp2
1.22.0-1
1.22.0-2~exp1
1.22.0-2~exp2
1.22.0-2~exp3
1.22.0-2~exp4
1.22.0-2
1.22.0-3
1.22.0-3.1
1.22.1-1~exp1
1.22.1-1~exp2
1.22.1-1
1.22.1-2~exp1
1.22.1-2~exp2
1.22.1-2
1.22.1-3~exp1
1.22.1-3
1.22.1-4
1.22.1-5
1.22.1-6~exp1
1.22.1-6
1.22.1-7
1.22.1-8
1.22.1-9
1.24.0-1~exp1
1.24.0-1
1.24.0-2
1.26.0-1~exp1
1.26.0-1
1.26.0-2
1.26.0-3
1.26.2-1
1.26.3-1
1.26.3-2
1.26.3-3
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6

Ecosystem specific

{
    "urgency": "unimportant"
}

tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.43-2~deb11u7

Affected versions

9.*

9.0.43-1
9.0.43-2~deb11u1
9.0.43-2~deb11u2
9.0.43-2~deb11u3
9.0.43-2~deb11u4
9.0.43-2~deb11u5
9.0.43-2~deb11u6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

trafficserver

Package

Name
trafficserver
Purl
pkg:deb/debian/trafficserver?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.1.9+ds-1~deb11u1

Affected versions

8.*

8.1.1+ds-1.1
8.1.1+ds-1.1+deb11u1
8.1.5+ds-1~deb11u1
8.1.6+ds-1~deb10u1
8.1.6+ds-1~deb11u1
8.1.7+ds-1~deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

varnish

Package

Name
varnish
Purl
pkg:deb/debian/varnish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

6.*

6.5.1-1
6.5.1-1+deb11u1
6.5.1-1+deb11u2
6.5.1-1+deb11u3
6.5.1-1+deb11u4
6.5.1-1+deb11u5
6.5.2-1
6.6.1-1

7.*

7.1.0-4
7.1.0-5
7.1.0-6
7.1.1-1
7.1.1-1.1
7.1.1-1.2
7.5.0-1
7.5.0-2
7.5.0-3
7.6.0-1
7.6.0-2
7.6.1-1
7.6.1-2
7.7.0-1
7.7.0-2
7.7.0-3
7.7.1-1
7.7.2-1
7.7.2-2
7.7.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12

dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.7.3-2
1.8.0-1
1.8.1-1
1.8.2-1
1.8.2-2
1.8.2-3
1.8.3-1
1.8.3-2
1.8.3-3
1.9.3-1
1.9.4-1
1.9.5-1
1.9.6-1
1.9.8-1
1.9.9-1
1.9.10-1

2.*

2.0.0~rc1-1
2.0.0~rc1-2
2.0.0~rc2-1
2.0.0-1
2.0.0-2
2.0.0-3
2.0.0-4
2.0.0-5
2.0.0-6
2.0.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

grpc

Package

Name
grpc
Purl
pkg:deb/debian/grpc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.51.1-3
1.51.1-4
1.51.1-4.1~exp1
1.51.1-4.1
1.51.1-5
1.51.1-6
1.59.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

h2o

Package

Name
h2o
Purl
pkg:deb/debian/h2o?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2.*

2.2.5+dfsg2-7
2.2.5+dfsg2-8
2.2.5+dfsg2-8.1~exp1
2.2.5+dfsg2-8.1
2.2.5+dfsg2-9
2.2.5+dfsg2-10
2.2.5+dfsg2-11

Ecosystem specific

{
    "urgency": "not yet assigned"
}

haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.4.50-4+deb12u2

Affected versions

9.*

9.4.50-4
9.4.50-4+deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:4.1.48-7+deb12u1

Affected versions

1:4.*

1:4.1.48-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nghttp2

Package

Name
nghttp2
Purl
pkg:deb/debian/nghttp2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.52.0-1+deb12u1

Affected versions

1.*

1.52.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.22.1-9
1.22.1-9+deb12u1
1.22.1-9+deb12u2
1.22.1-9+deb12u3
1.24.0-1~exp1
1.24.0-1
1.24.0-2
1.26.0-1~exp1
1.26.0-1
1.26.0-2
1.26.0-3
1.26.2-1
1.26.3-1
1.26.3-2
1.26.3-3
1.28.0-1
1.28.0-2
1.28.0-3
1.28.0-4
1.28.0-5
1.28.0-6

Ecosystem specific

{
    "urgency": "unimportant"
}

tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.6-1+deb12u1

Affected versions

10.*

10.1.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

trafficserver

Package

Name
trafficserver
Purl
pkg:deb/debian/trafficserver?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.2.3+ds-1+deb12u1

Affected versions

9.*

9.2.0+ds-2
9.2.0+ds-2+deb12u1
9.2.1+ds-1
9.2.2+ds-1
9.2.3+ds-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

varnish

Package

Name
varnish
Purl
pkg:deb/debian/varnish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

7.*

7.1.1-1.1
7.1.1-1.1+deb12u1
7.1.1-1.2
7.1.1-2+deb12u1
7.5.0-1
7.5.0-2
7.5.0-3
7.6.0-1
7.6.0-2
7.6.1-1
7.6.1-2
7.7.0-1
7.7.0-2
7.7.0-3
7.7.1-1
7.7.2-1
7.7.2-2
7.7.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.2-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

grpc

Package

Name
grpc
Purl
pkg:deb/debian/grpc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.51.1-6
1.59.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.4.53-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:4.1.48-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nghttp2

Package

Name
nghttp2
Purl
pkg:deb/debian/nghttp2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.57.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.24.0-2

Ecosystem specific

{
    "urgency": "unimportant"
}

tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

varnish

Package

Name
varnish
Purl
pkg:deb/debian/varnish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.5.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14

dnsdist

Package

Name
dnsdist
Purl
pkg:deb/debian/dnsdist?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.2-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

grpc

Package

Name
grpc
Purl
pkg:deb/debian/grpc?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*

1.51.1-6
1.59.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

haproxy

Package

Name
haproxy
Purl
pkg:deb/debian/haproxy?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.8.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

jetty9

Package

Name
jetty9
Purl
pkg:deb/debian/jetty9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.4.53-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

netty

Package

Name
netty
Purl
pkg:deb/debian/netty?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:4.1.48-8

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nghttp2

Package

Name
nghttp2
Purl
pkg:deb/debian/nghttp2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.57.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

nginx

Package

Name
nginx
Purl
pkg:deb/debian/nginx?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.24.0-2

Ecosystem specific

{
    "urgency": "unimportant"
}

tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.70-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

varnish

Package

Name
varnish
Purl
pkg:deb/debian/varnish?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
7.5.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}