etcimon / libhttp2

HTTP/2 library in D, translated from nghttp2


How are you handling CVE?

rjmcguire opened this issue · comments

How are you handling CVE?
How directly do CVEs on nghttp2 apply to libhttp2?

Cheers,
R

The code is practically the same, so the CVEs from nghttp2 apply to libhttp2; however, nghttp2 includes a webserver which will contain most of the vulnerabilities, and this won't affect libhttp2. If you find a vulnerability, just send me an email about it and I will resolve it.

The thought that made me ask is:

Suppose there is a vulnerability announced in nghttp2; someone could then target forks or ports of nghttp2 in the hopes of finding easy targets.

I wondered if you had used slices etc. instead of pointers etc.

On Sun, Oct 9, 2016 at 3:41 PM, Etienne Cimon notifications@github.com wrote:

The code is practically the same, so the CVEs from nghttp2 apply to libhttp2; however, nghttp2 includes a webserver which will contain most of the vulnerabilities, and this won't affect libhttp2. If you find a vulnerability, just send me an email about it and I will resolve it.


I used slices in critical areas and pointers in other places. I think it will require some security analysis to know for sure.

I'll close this issue. I think the only real option is to follow nghttp2 and then make unittests for any CVEs they encounter.

No time for even that though, but perhaps some time will become available in the future.

Thanks!

On Sun, Oct 9, 2016 at 4:15 PM, Etienne Cimon notifications@github.com wrote:

I used slices in critical areas and pointers in other places. I think it will require some security analysis to know for sure.


I see only one vulnerability on nghttp2 in the CVE list, which coincides with this patch: nghttp2/nghttp2@b7159f8

I'll take some time this week to merge it, but it looks like everything is safe other than that. The protocol itself should have been designed with security in mind.

Actually, it looks like this vulnerability was introduced in this commit, which I didn't mirror: nghttp2/nghttp2@5b59e46