Bugzilla – Bug 1208551
VUL-0: TRACKERBUG: CVE-2022-31394: hyper: max header list size not settable allowing denial of service
Last modified: 2024-05-06 08:17:09 UTC
CVE-2022-31394

Hyperium Hyper before 0.14.19 does not allow for customization of the max_header_list_size method in the H2 third-party software, allowing attackers to perform HTTP2 attacks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31394
https://www.cve.org/CVERecord?id=CVE-2022-31394
https://github.com/hyperium/hyper/compare/v0.14.18...v0.14.19
https://github.com/hyperium/hyper/issues/2826
https://github.com/hyperium/hyper/pull/2828

Packages embedding a vulnerable version of the hyper crate:

SUSE:SLE-15-SP3:Update/rustup,2,hyper,0.14.5
SUSE:SLE-15-SP3:Update/rustup,2,hyper,0.14.13
SUSE:SLE-15-SP3:Update/sccache,1,hyper,0.12.35
SUSE:SLE-15-SP3:Update/sccache,1,hyper,0.12.36
SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/afterburn,1,hyper,0.14.11
SUSE:SLE-15-SP4:Update/aws-nitro-enclaves-cli,2,hyper,0.14.16
SUSE:SLE-15-SP4:Update/gstreamer-plugins-rs,1,hyper,0.14.17
SUSE:SLE-15-SP4:Update/rustup,1,hyper,0.14.13
SUSE:SLE-15-SP4:Update/rustup,1,hyper,0.14.5
SUSE:SLE-15-SP4:Update/sccache,1,hyper,0.12.35
SUSE:SLE-15-SP4:Update/sccache,1,hyper,0.12.36
SUSE:SLE-15-SP4:Update:Products:Micro53:Update/afterburn,1,hyper,0.14.11
openSUSE:Factory/afterburn,9,hyper,0.14.17
openSUSE:Factory/aws-nitro-enclaves-cli,4,hyper,0.14.16
openSUSE:Factory/fractal,13,hyper,0.14.5
openSUSE:Factory/gnome-podcasts,2,hyper,0.14.16
openSUSE:Factory/pijul,10,hyper,0.14.18
openSUSE:Factory/sccache,21,hyper,0.14.5
openSUSE:Factory/spotifyd,13,hyper,0.13.10
openSUSE:Factory/spotifyd,13,hyper,0.13.2
openSUSE:Factory/spotifyd,13,hyper,0.14.5
openSUSE:Factory/tectonic,1,hyper,0.12.36
openSUSE:Factory/tectonic,1,hyper,0.14.18
openSUSE:Factory/wasm-pack,3,hyper,0.12.36