Security #7658
closed
http2: global tx (stream id 0) may open file and never close it
Git IDs: 1d6d331752e933c46aca0ae7a9679b27462246e3
Severity: HIGH
Disclosure Date: 07/26/2025
Description
Per RFC 9113 section 5.1.1:
"the stream identifier of zero cannot be used to establish a new stream"
So, we should not accept a DATA frame with a stream id 0.
Comes from oss-fuzz: https://issues.oss-fuzz.com/u/1/issues/42534790
Updated by Philippe Antoine about 1 year ago
Or section 6.1:
"If a DATA frame is received whose Stream Identifier field is 0x00, the recipient MUST respond with a connection error (Section 5.4.1) of type PROTOCOL_ERROR"
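The stream-identifier rule quoted above, as an added example that is not Suricata's code and not the fix from this ticket: a frame-header check in Rust that rejects a DATA frame on stream 0 before any per-stream state is created. It goes beyond DATA to the other frame types for which RFC 9113 section 6 states a stream-identifier rule; all names (`FrameHeader`, `Verdict`, `check_stream_id`) are hypothetical and the sample frame is constructed.

```rust
// Added example with hypothetical names; not Suricata's HTTP/2 parser.
const PROTOCOL_ERROR: u32 = 0x1; // error code from RFC 9113 section 7

#[allow(dead_code)]
#[derive(Debug, PartialEq)]
struct FrameHeader { length: u32, ftype: u8, flags: u8, stream_id: u32 }

#[derive(Debug, PartialEq)]
enum Verdict { Accept, ConnectionError(u32), Incomplete }

/// Parse the fixed 9-byte frame header (RFC 9113 section 4.1).
fn parse_header(buf: &[u8]) -> Option<FrameHeader> {
    if buf.len() < 9 {
        return None;
    }
    Some(FrameHeader {
        length: u32::from_be_bytes([0, buf[0], buf[1], buf[2]]),
        ftype: buf[3],
        flags: buf[4],
        // The high bit is reserved and ignored on receipt.
        stream_id: u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff,
    })
}

/// Apply the stream-identifier rules before touching per-stream state.
fn check_stream_id(buf: &[u8]) -> Verdict {
    let hdr = match parse_header(buf) {
        Some(h) => h,
        None => return Verdict::Incomplete,
    };
    match (hdr.ftype, hdr.stream_id) {
        // DATA, HEADERS, PRIORITY, RST_STREAM, PUSH_PROMISE, CONTINUATION
        // are stream frames: stream id 0 is a connection error.
        (0x0 | 0x1 | 0x2 | 0x3 | 0x5 | 0x9, 0) => Verdict::ConnectionError(PROTOCOL_ERROR),
        // SETTINGS, PING, GOAWAY apply to the connection: id must be 0.
        (0x4 | 0x6 | 0x7, id) if id != 0 => Verdict::ConnectionError(PROTOCOL_ERROR),
        _ => Verdict::Accept,
    }
}

fn main() {
    // Constructed frame: DATA (type 0x0), length 5, stream id 0, payload "hello".
    let bad = [0, 0, 5, 0x0, 0, 0, 0, 0, 0, b'h', b'e', b'l', b'l', b'o'];
    println!("{:?} -> {:?}", parse_header(&bad), check_stream_id(&bad));
}
```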
Updated by Philippe Antoine about 1 year ago
- Status changed from New to In Review
Gitlab MR
Updated by OISF Ticketbot about 1 year ago
- Subtask #7659 added
Updated by OISF Ticketbot about 1 year ago
- Label deleted (Needs backport to 7.0)
Updated by Philippe Antoine 12 months ago
- Tracker changed from Bug to Security
- Severity set to MODERATE
- Disclosure Date set to 07/26/2024
Updated by Philippe Antoine 11 months ago
- Disclosure Date changed from 07/26/2024 to 07/26/2025
Updated by Philippe Antoine 10 months ago
- Target version changed from 8.0.0-rc1 to 8.0.0
No security fix in rc1
Updated by Victor Julien 10 months ago
- Severity changed from MODERATE to HIGH
Updated by Victor Julien 9 months ago
- Status changed from In Review to Resolved
Updated by Juliana Fajardini Reichow 9 months ago
- CVE set to 2025-53538
Updated by Philippe Antoine 9 months ago
- Status changed from Resolved to Closed
Fixed by commit 1d6d331752e933c46aca0ae7a9679b27462246e3