Issue
If you are looking to update ea-nghttp2 to 1.57.0 to patch CVE-2023-44487 but are using the CloudLinux repositories, there are no updates available in any of the public rollout/beta repositories.
The fix has been released in the cPanel-managed EA repositories but not yet in the CloudLinux ones, as the cPanel package changelog shows:
# rpm -q --changelog ea-nghttp2 | head
* Tue Oct 10 2023 Cory McIntire <cory@cpanel.net> - 1.57.0-1
- EA-11729: Update ea-nghttp2 from v1.56.0 to v1.57.0
- CVE-2023-44487 - The HTTP/2 protocol allows a denial of service (server resource consumption)
Environment
- cPanel
Solution
- According to our developers, we are waiting for release updates from our upstream provider, RHEL. All the packages listed at https://access.redhat.com/security/cve/cve-2023-44487 are affected on Red Hat Enterprise Linux 7/8/9.
- As a temporary workaround while the fix is pending, they recommend disabling the HTTP/2 protocol, since it is the only protocol affected by this CVE.
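The following POSIX shell script is an added example (not part of this article or of the CloudLinux packages) for checking where a server stands: it tells whether an ea-nghttp2 version string is at or above 1.57.0, the build that carries the CVE-2023-44487 fix, and whether the Apache configuration still enables HTTP/2 through a `Protocols` directive. It assumes that HTTP/2 on the host is switched on and off via Apache's `Protocols` directive; the version string and configuration fragment below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the CloudLinux article. On a real host feed the
# functions the output of `rpm -q --qf '%{VERSION}-%{RELEASE}' ea-nghttp2`
# and the contents of the httpd configuration; here both are constructed.

# Return 0 when $1 (an ea-nghttp2 version such as "1.56.0" or "1.57.0-1")
# is at least 1.57.0, the release that contains the CVE-2023-44487 fix.
nghttp2_patched() {
    ver=${1%%-*}                      # drop the "-<release>" suffix, if any
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    # Build a single numeric key from MAJOR.MINOR.PATCH and compare it
    # against 1.57.0 expressed the same way (1*1000000 + 57*1000 + 0).
    key=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$key" -ge 1057000 ]
}

# Return 0 when the Apache configuration read from stdin enables HTTP/2:
# an uncommented "Protocols" line that lists h2 (TLS) or h2c (cleartext).
http2_enabled() {
    grep -Ei '^[[:space:]]*Protocols[[:space:]]+' \
        | grep -Eq '(^|[[:space:]])h2c?([[:space:]]|$)'
}

# Constructed sample: the unpatched version still shipped by the CloudLinux
# repositories at the time of writing, and a config fragment with HTTP/2 on.
SAMPLE_VERSION="1.56.0"
SAMPLE_HTTPD_CONF='ServerName example.test
Protocols h2 h2c http/1.1
# Protocols http/1.1'

if nghttp2_patched "$SAMPLE_VERSION"; then
    echo "ea-nghttp2 $SAMPLE_VERSION: fixed build installed, no workaround needed"
elif printf '%s\n' "$SAMPLE_HTTPD_CONF" | http2_enabled; then
    echo "ea-nghttp2 $SAMPLE_VERSION is unpatched and HTTP/2 is enabled:" \
         "set 'Protocols http/1.1' until the fixed package is available"
else
    echo "ea-nghttp2 $SAMPLE_VERSION is unpatched, but HTTP/2 is already disabled"
fi
```

Once the fixed package appears in the CloudLinux repositories, re-run the version check after updating and restore the original `Protocols` line.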