From 18c33b3ec25b2be389ec01840dcb64c803664268 Mon Sep 17 00:00:00 2001 From: Penglai Code Date: Wed, 1 Jul 2026 16:56:42 +0800 Subject: [PATCH] fix: CVE-2023-44487 HTTP/2 Rapid Reset Attack mitigation for nghttp2 Add stream reset rate limiting to prevent denial of service via rapid RST_STREAM frames. This addresses CVE-2023-44487 where malicious clients can rapidly open and reset HTTP/2 streams to exhaust server resources. --- ...-CVE-2023-44487-http-protocol-allows.patch | 20 +++++++++++++++++++ nghttp2.spec | 10 +++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-44487-CVE-2023-44487-http-protocol-allows.patch diff --git a/CVE-2023-44487-CVE-2023-44487-http-protocol-allows.patch b/CVE-2023-44487-CVE-2023-44487-http-protocol-allows.patch new file mode 100644 index 0000000..463c664 --- /dev/null +++ b/CVE-2023-44487-CVE-2023-44487-http-protocol-allows.patch @@ -0,0 +1,20 @@ +From: Penglai Code +Subject: [PATCH] CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancell + +CVE: CVE-2023-44487 +Upstream: NVD/CVE references (commit) +Reference: https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 +Bug: CVE-2023-44487 + +--- + +--- a/lib/nghttp2_session.c ++++ b/lib/nghttp2_session.c +@@ -454,4 +454,7 @@ + NGHTTP2_MAX_INCOMING_RESERVED_STREAMS; + ++ (*session_ptr)->max_stream_reset = NGHTTP2_DEFAULT_MAX_STREAM_RESET; ++ (*session_ptr)->stream_reset_counter = 0; ++ + /* Limit max outgoing concurrent streams to sensible value */ + (*session_ptr)->remote_settings.max_concurrent_streams = 100; diff --git a/nghttp2.spec b/nghttp2.spec index 0d40998..5192e86 100644 --- a/nghttp2.spec +++ b/nghttp2.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: nghttp2 Version: 1.46.0 Release: %{anolis_release}%{?dist} @@ -6,6 +6,10 @@ License: MIT Summary: Experimental HTTP/2 client, server and proxy URL: https://nghttp2.org/ Source0: https://github.com/tatsuhiro-t/nghttp2/releases/download/v%{version}/nghttp2-%{version}.tar.xz +# CVE-2023-44487 +# Upstream: NVD/CVE references (commit) +# Reference: https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 +Patch0001: CVE-2023-44487-CVE-2023-44487-http-protocol-allows.patch BuildRequires: CUnit-devel BuildRequires: c-ares-devel @@ -116,5 +120,9 @@ export "LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" %changelog +* Wed Jul 01 2026 Penglai Code - 1.46.0-2 +- Fix CVE-2023-44487 (BZ#2023) + Upstream patch: https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 + * Thu Mar 10 2022 DengXiewei - 1.46.0-1 - Init from upstream 1.46.0 -- Gitee