Debian Package Tracker

h2o

optimized HTTP/1.x, HTTP/2 server


general
  • source: h2o (main)
  • version: 2.2.5+dfsg2-11
  • maintainer: Apollon Oikonomopoulos (DMD) (LowNMU)
  • uploaders: Anton Gladky [DMD]
  • arch: all any
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.2.5+dfsg2-2+deb10u1
  • o-o-sec: 2.2.5+dfsg2-2+deb10u2
  • oldstable: 2.2.5+dfsg2-6
  • stable: 2.2.5+dfsg2-7
  • unstable: 2.2.5+dfsg2-11
versioned links
  • 2.2.5+dfsg2-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.5+dfsg2-2+deb10u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.5+dfsg2-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.5+dfsg2-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.2.5+dfsg2-11: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • h2o (2 bugs: 1, 1, 0, 0)
  • h2o-doc
  • libh2o-dev
  • libh2o-dev-common
  • libh2o-evloop-dev
  • libh2o-evloop0.13t64
  • libh2o0.13t64
action needed
Problems while searching for a new upstream version high
uscan had problems while searching for a new upstream version:
In debian/watch no matching files for watch line
  https://github.com/h2o/h2o/releases .*/archive/v(.*)\.tar\.gz
Created: 2021-03-23 Last update: 2025-05-19 12:30
3 security issues in sid high

There are 3 open security issues in sid.

3 important issues:
  • CVE-2023-41337: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using host-level listen directives in favor of global-level ones.
  • CVE-2024-25622: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allow users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definitions in outer scopes are ignored. This can lead to headers not being modified as expected. Depending on the headers being added or removed unexpectedly, this behavior could lead to unexpected client behavior. This vulnerability is fixed in commit 123f5e2b65dcdba8f7ef659a00d24bd1249141be.
  • CVE-2024-45397: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP Fast Open and QUIC to mitigate the issue.
Created: 2023-12-24 Last update: 2025-05-02 22:55
3 security issues in trixie high

There are 3 open security issues in trixie.

3 important issues:
  • CVE-2023-41337: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using host-level listen directives in favor of global-level ones.
  • CVE-2024-25622: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allow users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definitions in outer scopes are ignored. This can lead to headers not being modified as expected. Depending on the headers being added or removed unexpectedly, this behavior could lead to unexpected client behavior. This vulnerability is fixed in commit 123f5e2b65dcdba8f7ef659a00d24bd1249141be.
  • CVE-2024-45397: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP Fast Open and QUIC to mitigate the issue.
Created: 2023-12-24 Last update: 2025-02-27 05:02
debian/patches: 1 patch with invalid metadata, 11 patches to forward upstream high

Among the 12 debian patches available in version 2.2.5+dfsg2-11 of the package, we noticed the following issues:

  • 1 patch with invalid metadata that ought to be fixed.
  • 11 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2024-12-30 20:01
1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:
  • CVE-2023-41337: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using host-level listen directives in favor of global-level ones.
Created: 2023-12-24 Last update: 2024-05-03 05:39
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 20-day delay is over. Check why.
Created: 2025-05-02 Last update: 2025-05-19 16:04
1 bug tagged patch in the BTS normal
The BTS contains patches fixing 1 bug, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-05-19 16:00
Multiarch hinter reports 3 issue(s) normal
There are issues with the multiarch metadata for this package.
  • h2o-doc could be marked Multi-Arch: foreign
  • libh2o-dev could be marked Multi-Arch: same
  • libh2o-evloop-dev could be marked Multi-Arch: same
Created: 2017-09-21 Last update: 2025-05-19 12:01
RM: This package has been requested to be removed. normal
This package has been requested to be removed. This means that, when this request gets processed by an ftp-master, this package will no longer be in unstable, and will automatically be removed from testing too afterwards. If for some reason you want to keep this package in unstable, please discuss so in the bug. Please see bug number #1103775 for more information.
Created: 2025-04-21 Last update: 2025-04-21 15:31
lintian reports 1 warning normal
Lintian reports 1 warning about this package. You should make the package lintian clean by getting rid of it.
Created: 2025-04-11 Last update: 2025-04-11 03:30
4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:
  • CVE-2023-41337: (needs triaging) h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using host-level listen directives in favor of global-level ones.
  • CVE-2023-44487: (needs triaging) The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  • CVE-2024-25622: (needs triaging) h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. The configuration directives provided by the headers handler allow users to modify the response headers being sent by h2o. The configuration file of h2o has scopes, and the inner scopes (e.g., path level) are expected to inherit the configuration defined in outer scopes (e.g., global level). However, if a header directive is used in the inner scope, all the definitions in outer scopes are ignored. This can lead to headers not being modified as expected. Depending on the headers being added or removed unexpectedly, this behavior could lead to unexpected client behavior. This vulnerability is fixed in commit 123f5e2b65dcdba8f7ef659a00d24bd1249141be.
  • CVE-2024-45397: (needs triaging) h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets is received and the IP-address-based access control is used, the access control does not detect and prohibit HTTP requests conveyed by packets with a spoofed source address. This behavior allows attackers on the network to execute HTTP requests from addresses that are otherwise rejected by the address-based access control. The vulnerability has been addressed in commit 15ed15a. Users may disable the use of TCP Fast Open and QUIC to mitigate the issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-05-02 22:55
Build log checks report 1 warning low
Build log checks report 1 warning
Created: 2018-06-03 Last update: 2018-09-23 06:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2025-02-21 Last update: 2025-02-27 13:25
testing migrations
  • excuses:
    • Migration status for h2o (- to 2.2.5+dfsg2-11): BLOCKED: Rejected/violates migration policy/introduces a regression
    • Issues preventing migration:
      • Updating h2o would introduce bugs in testing: #1103733
      • blocked by freeze: is not in testing
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/h/h2o.html
      • autopkgtest for h2o/2.2.5+dfsg2-11: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • 140 days old (needed 20 days)
    • Not considered
news
[rss feed]
  • [2025-05-03] h2o REMOVED from testing (Debian testing watch)
  • [2025-01-01] h2o 2.2.5+dfsg2-11 MIGRATED to testing (Debian testing watch)
  • [2024-12-30] Accepted h2o 2.2.5+dfsg2-11 (source) into unstable (Gianfranco Costamagna)
  • [2024-12-30] Accepted h2o 2.2.5+dfsg2-10 (source) into unstable (Gianfranco Costamagna)
  • [2024-10-20] h2o 2.2.5+dfsg2-9 MIGRATED to testing (Debian testing watch)
  • [2024-10-18] Accepted h2o 2.2.5+dfsg2-9 (source) into unstable (Anton Gladky)
  • [2024-08-10] h2o REMOVED from testing (Debian testing watch)
  • [2024-05-03] h2o 2.2.5+dfsg2-8.1 MIGRATED to testing (Debian testing watch)
  • [2024-02-28] Accepted h2o 2.2.5+dfsg2-8.1 (source) into unstable (Lukas Märdian)
  • [2024-02-01] Accepted h2o 2.2.5+dfsg2-8.1~exp1 (source) into experimental (Graham Inggs)
  • [2023-10-29] Accepted h2o 2.2.5+dfsg2-2+deb10u2 (source) into oldoldstable (Anton Gladky)
  • [2023-10-22] h2o 2.2.5+dfsg2-8 MIGRATED to testing (Debian testing watch)
  • [2023-10-20] Accepted h2o 2.2.5+dfsg2-8 (source) into unstable (Anton Gladky)
  • [2023-04-11] h2o 2.2.5+dfsg2-7 MIGRATED to testing (Debian testing watch)
  • [2023-03-21] Accepted h2o 2.2.5+dfsg2-7 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2022-04-21] h2o 2.2.5+dfsg2-6.2 MIGRATED to testing (Debian testing watch)
  • [2022-04-19] Accepted h2o 2.2.5+dfsg2-6.2 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2021-10-19] h2o 2.2.5+dfsg2-6.1 MIGRATED to testing (Debian testing watch)
  • [2021-10-17] Accepted h2o 2.2.5+dfsg2-6.1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2020-12-21] h2o 2.2.5+dfsg2-6 MIGRATED to testing (Debian testing watch)
  • [2020-12-16] Accepted h2o 2.2.5+dfsg2-6 (source) into unstable (Anton Gladky)
  • [2020-05-04] h2o 2.2.5+dfsg2-5 MIGRATED to testing (Debian testing watch)
  • [2020-05-02] Accepted h2o 2.2.5+dfsg2-5 (source) into unstable (Anton Gladky)
  • [2020-05-01] Accepted h2o 2.2.5+dfsg2-5~exp1 (source) into experimental (Anton Gladky)
  • [2020-04-28] Accepted h2o 2.2.5+dfsg2-4 (source) into unstable (Anton Gladky)
  • [2019-08-31] Accepted h2o 2.2.5+dfsg2-2+deb10u1 (source amd64 all) into proposed-updates->stable-new, proposed-updates (Anton Gladky)
  • [2019-08-25] Accepted h2o 2.2.5+dfsg2-3~bpo9+1 (source) into stretch-backports->backports-policy, stretch-backports (Anton Gladky)
  • [2019-08-24] Accepted h2o 2.2.5+dfsg2-2+deb10u1 (source amd64 all) into stable->embargoed, stable (Anton Gladky)
  • [2019-08-23] h2o 2.2.5+dfsg2-3 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 8
  • RC: 1
  • I&N: 7
  • M&W: 0
  • F&P: 0
  • patch: 1
links
  • homepage
  • lintian (0, 1)
  • buildd: logs, checks, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 2.2.5+dfsg2-11
  • 2 bugs

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers