CVE-2023-44487 · cross-distro fix matrix

CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Affects 7 Linux releases across 50 (distro × package) combinations.

Fix per ecosystem

Each block below is a distro release where CVE-2023-44487 has a known fix. Run the listed command on that distro to remediate. On Debian, refresh the package index first (sudo apt-get update), otherwise apt may not see the fixed version; the Alpine commands already include the apk update step.

Debian bullseye

Source: Debian Security Tracker

  • haproxy → fixed in 1.8.13-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y haproxy
  • jetty9 → fixed in 9.4.50-4+deb11u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y jetty9
  • netty → fixed in 1:4.1.48-4+deb11u2 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y netty
  • nghttp2 → fixed in 1.43.0-1+deb11u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y nghttp2
  • tomcat9 → fixed in 9.0.43-2~deb11u7 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y tomcat9
  • trafficserver → fixed in 8.1.9+ds-1~deb11u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y trafficserver

Debian bookworm

Source: Debian Security Tracker

  • haproxy → fixed in 1.8.13-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y haproxy
  • jetty9 → fixed in 9.4.50-4+deb12u2 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y jetty9
  • netty → fixed in 1:4.1.48-7+deb12u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y netty
  • nghttp2 → fixed in 1.52.0-1+deb12u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y nghttp2
  • tomcat10 → fixed in 10.1.6-1+deb12u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y tomcat10
  • tomcat9 → fixed in 9.0.70-2 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y tomcat9
  • trafficserver → fixed in 9.2.3+ds-1+deb12u1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y trafficserver

Debian trixie

Source: Debian Security Tracker

  • dnsdist → fixed in 1.8.2-2 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y dnsdist
  • haproxy → fixed in 1.8.13-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y haproxy
  • jetty9 → fixed in 9.4.53-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y jetty9
  • netty → fixed in 1:4.1.48-8 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y netty
  • nghttp2 → fixed in 1.57.0-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y nghttp2
  • nginx → fixed in 1.24.0-2 (urgency: unimportant)
    sudo apt-get install --only-upgrade -y nginx
  • tomcat10 → fixed in 10.1.14-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y tomcat10
  • tomcat9 → fixed in 9.0.70-2 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y tomcat9
  • varnish → fixed in 7.5.0-1 (urgency: not yet assigned)
    sudo apt-get install --only-upgrade -y varnish

Alpine v3.20

Source: Alpine secdb

  • nghttp2 → fixed in 1.57.0-r0
    apk update && apk add --upgrade nghttp2
  • nginx → fixed in 1.24.0-r12
    apk update && apk add --upgrade nginx
  • dotnet6-build → fixed in 6.0.123-r0
    apk update && apk add --upgrade dotnet6-build
  • dotnet6-build → fixed in 6.0.124-r0
    apk update && apk add --upgrade dotnet6-build
  • dotnet6-runtime → fixed in 6.0.23-r0
    apk update && apk add --upgrade dotnet6-runtime
  • dotnet6-runtime → fixed in 6.0.24-r0
    apk update && apk add --upgrade dotnet6-runtime
  • go → fixed in 1.21.3-r0
    apk update && apk add --upgrade go
  • grpc → fixed in 1.59.3-r0
    apk update && apk add --upgrade grpc
  • jetty-runner → fixed in 9.4.53.20231009-r0
    apk update && apk add --upgrade jetty-runner
  • netdata → fixed in 1.43.2-r1
    apk update && apk add --upgrade netdata
  • openjdk21 → fixed in 21.0.2_p13-r0
    apk update && apk add --upgrade openjdk21

Alpine v3.21

Source: Alpine secdb

  • nghttp2 → fixed in 1.57.0-r0
    apk update && apk add --upgrade nghttp2
  • nginx → fixed in 1.24.0-r12
    apk update && apk add --upgrade nginx
  • go → fixed in 1.21.3-r0
    apk update && apk add --upgrade go
  • grpc → fixed in 1.59.3-r0
    apk update && apk add --upgrade grpc
  • jetty-runner → fixed in 9.4.53.20231009-r0
    apk update && apk add --upgrade jetty-runner
  • netdata → fixed in 1.43.2-r1
    apk update && apk add --upgrade netdata
  • openjdk21 → fixed in 21.0.2_p13-r0
    apk update && apk add --upgrade openjdk21
  • trafficserver9 → fixed in 9.2.3-r0
    apk update && apk add --upgrade trafficserver9

Alpine edge

Source: Alpine secdb

  • nghttp2 → fixed in 1.57.0-r0
    apk update && apk add --upgrade nghttp2
  • nginx → fixed in 1.24.0-r12
    apk update && apk add --upgrade nginx
  • go → fixed in 1.21.3-r0
    apk update && apk add --upgrade go
  • grpc → fixed in 1.59.3-r0
    apk update && apk add --upgrade grpc
  • jetty-runner → fixed in 9.4.53.20231009-r0
    apk update && apk add --upgrade jetty-runner
  • netdata → fixed in 1.43.2-r1
    apk update && apk add --upgrade netdata
  • openjdk21 → fixed in 21.0.2_p13-r0
    apk update && apk add --upgrade openjdk21
  • trafficserver9 → fixed in 9.2.3-r0
    apk update && apk add --upgrade trafficserver9

Alpine v3.18

Source: Alpine secdb

  • nghttp2 → fixed in 1.57.0-r0
    apk update && apk add --upgrade nghttp2

Are YOU affected by CVE-2023-44487?

5-second check on your actual server. Reads /etc/os-release, uname -r, and the distro's package manager; matches against this same cross-source index live.

curl https://mindsparkstack.com/scan.sh | bash

Continuous monitoring beats manual checking

CVE-2023-44487 dropped silently in your distro's update channel. Every new CVE is the same story. StackPatch runs the matcher hourly against all 5 sources and emails the exact remediation when something new applies to one of your servers. $99 lifetime, 50 founder seats, 30-day refund.