Chapter 4. MTA 6.2.1
4.1. Resolved issues
The following highlighted issues have been resolved in MTA version 6.2.1.
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. In previous releases of MTA, the HTTP/2 protocol allowed a denial of service (server resource consumption) because request cancellation could reset multiple streams quickly. The server had to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection, which resulted in a denial of service due to server resource consumption.
The following issues have been listed under this issue:
To resolve this issue, upgrade to MTA 6.2.1 or later.
For more information, see CVE-2023-44487 (Rapid Reset Attack).
CVE-2023-39325: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack in the Go language packages)
The HTTP/2 protocol is susceptible to a denial of service attack because request cancellation can reset multiple streams quickly. The server has to set up and tear down the streams while not hitting any server-side limit for the maximum number of active streams per connection. This results in a denial of service due to server resource consumption.
The following issues have been listed under this issue:
To resolve this issue, upgrade to MTA 6.2.1 or later.
For more information, see CVE-2023-39325 (Rapid Reset Attack in the Go language packages).
