Test ID:	1.3.6.1.4.1.25623.1.0.885077
Category:	Fedora Local Security Checks
Title:	Fedora: Security Advisory for proxygen (FEDORA-2023-17efd3f2cd)
Summary:	The remote host is missing an update for the 'proxygen'; package(s) announced via the FEDORA-2023-17efd3f2cd advisory.
Description:	Summary: The remote host is missing an update for the 'proxygen' package(s) announced via the FEDORA-2023-17efd3f2cd advisory. Vulnerability Insight: Proxygen comprises the core C++ HTTP abstractions used at Facebook. Internally, it is used as the basis for building many HTTP servers, proxies, and clients. This release focuses on the common HTTP abstractions and our simple HTTPServer framework. Future releases will provide simple client APIs as well. The framework supports HTTP/1.1, SPDY/3, SPDY/3.1, HTTP/2, and HTTP/3. The goal is to provide a simple, performant, and modern C++ HTTP library. Affected Software/OS: 'proxygen' package(s) on Fedora 38. Solution: Please install the updated package(s). CVSS Score: 7.8 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2023-44487 Debian Security Information: DSA-5521 (Google Search) https://www.debian.org/security/2023/dsa-5521 Debian Security Information: DSA-5522 (Google Search) https://www.debian.org/security/2023/dsa-5522 Debian Security Information: DSA-5540 (Google Search) https://www.debian.org/security/2023/dsa-5540 Debian Security Information: DSA-5549 (Google Search) https://www.debian.org/security/2023/dsa-5549 Debian Security Information: DSA-5558 (Google Search) https://www.debian.org/security/2023/dsa-5558 Debian Security Information: DSA-5570 (Google Search) https://www.debian.org/security/2023/dsa-5570 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/ https://security.gentoo.org/glsa/202311-09 https://access.redhat.com/security/cve/cve-2023-44487 https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/ https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/ https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack https://blog.vespa.ai/cve-2023-44487/ https://bugzilla.redhat.com/show_bug.cgi?id=2242803 https://bugzilla.suse.com/show_bug.cgi?id=1216123 https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125 https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715 https://github.com/Azure/AKS/issues/3947 https://github.com/Kong/kong/discussions/11741 https://github.com/advisories/GHSA-qppj-fm5r-hxr3 https://github.com/advisories/GHSA-xpw8-rcwv-8f8p https://github.com/akka/akka-http/issues/4323 https://github.com/apache/apisix/issues/10320 https://github.com/apache/httpd-site/pull/10 https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113 https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487 https://github.com/caddyserver/caddy/releases/tag/v2.7.5 https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73 https://github.com/etcd-io/etcd/issues/16740 https://github.com/junkurihara/rust-rpxy/issues/97 https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1 https://github.com/kazu-yamamoto/http2/issues/93 https://github.com/kubernetes/kubernetes/pull/121120 https://github.com/line/armeria/pull/5232 https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632 https://github.com/ninenines/cowboy/issues/1615 https://github.com/openresty/openresty/issues/930 https://github.com/opensearch-project/data-prepper/issues/3474 https://github.com/oqtane/oqtane.framework/discussions/3367 https://github.com/projectcontour/contour/pull/5826 https://github.com/tempesta-tech/tempesta/issues/1986 https://github.com/varnishcache/varnish-cache/issues/3996 https://istio.io/latest/news/security/istio-security-2023-004/ https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/ https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html https://netty.io/news/2023/10/10/4-1-100-Final.html https://news.ycombinator.com/item?id=37837043 https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected https://security.paloaltonetworks.com/CVE-2023-44487 https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14 https://ubuntu.com/security/CVE-2023-44487 https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487 https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/ https://www.openwall.com/lists/oss-security/2023/10/10/6 https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/ https://aws.amazon.com/security/security-bulletins/AWS-2023-011/ https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/ https://bugzilla.proxmox.com/show_bug.cgi?id=4988 https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/ https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764 https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088 https://github.com/advisories/GHSA-vx74-f528-fxqg https://github.com/alibaba/tengine/issues/1872 https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2 https://github.com/apache/trafficserver/pull/10564 https://github.com/bcdannyboy/CVE-2023-44487 https://github.com/caddyserver/caddy/issues/5877 https://github.com/dotnet/announcements/issues/277 https://github.com/eclipse/jetty.project/issues/10679 https://github.com/envoyproxy/envoy/pull/30055 https://github.com/facebook/proxygen/pull/466 https://github.com/golang/go/issues/63417 https://github.com/grpc/grpc-go/pull/6703 https://github.com/h2o/h2o/pull/3291 https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf https://github.com/haproxy/haproxy/issues/2312 https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244 https://github.com/micrictor/http2-rst-stream https://github.com/microsoft/CBL-Mariner/pull/6381 https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 https://github.com/nghttp2/nghttp2/pull/1961 https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0 https://github.com/nodejs/node/pull/50121 https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/ https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487 https://my.f5.com/manage/s/article/K000137106 https://news.ycombinator.com/item?id=37830987 https://news.ycombinator.com/item?id=37830998 https://news.ycombinator.com/item?id=37831062 https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/ https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/ https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html http://www.openwall.com/lists/oss-security/2023/10/13/4 http://www.openwall.com/lists/oss-security/2023/10/13/9 http://www.openwall.com/lists/oss-security/2023/10/18/8 http://www.openwall.com/lists/oss-security/2023/10/18/4 http://www.openwall.com/lists/oss-security/2023/10/19/6 http://www.openwall.com/lists/oss-security/2023/10/20/8
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.