Arch Linux Security Advisory ASA-201512-16 ========================================== Severity: High Date : 2015-12-25 CVE-ID : CVE-2015-8659 Package : nghttp2 Type : use-after-free Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package nghttp2 before version 1.6.0-1 is vulnerable to a heap-based use-after-free, leading to denial of service or possibly arbitrary code execution. Resolution ========== Upgrade to 1.6.0-1. # pacman -Syu "nghttp2>=1.6.0-1" The problem has been fixed upstream in version 1.6.0. Workaround ========== None. Description =========== nghttp2 1.6.0 fixes a heap-based use-after-free bug in idle stream handling code, where an idle/closed stream could possibly be destroyed while it was still referenced. Impact ====== A remote attacker could exploit this bug in a HTTP/2 client or server, leading to denial of service or even arbitrary code execution. References ========== https://access.redhat.com/security/cve/CVE-2015-8659 http://seclists.org/oss-sec/2015/q4/576 https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/ https://github.com/tatsuhiro-t/nghttp2/commit/92a56d034f201cbb609606184822cf...