Debian Patches
Status for libprotocol-http2-perl/1.12-2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| CVE-2026-10725-r1.patch | Protocol::HTTP2: enforce MAX_HEADER_LIST_SIZE + cap CONTINUATION accumulation (HTTP/2 HPACK bomb). The HPACK decoder materialised a full header copy per indexed reference with no limit, and the per-stream header block accumulated CONTINUATION frames unbounded — the HTTP/2 "bomb" (HPACK count amplification + CONTINUATION flood, remote memory-DoS). MAX_HEADER_LIST_SIZE was advertised in SETTINGS but never enforced on decode. Fix, two parts: (1) HeaderCompression.pm headers_decode: track the running emitted header-list size (RFC 7541 4.1: name_len + value_len + 32) and reject with ENHANCE_YOUR_CALM once it exceeds the connection's advertised SETTINGS_MAX_HEADER_LIST_SIZE, before materialising further headers. (2) Stream.pm stream_header_block_add: cap the accumulated HEADERS + CONTINUATION block at MAX_HEADER_LIST_SIZE (the compressed block cannot legitimately exceed the decoded-list limit), rejecting a CONTINUATION flood before it buffers unbounded memory. | CPANSec Security Scanner Bot <cpan-security@security.metacpan.org> | no | | | |
