[Bug 239834] www/nginx www/nginx-devel security update

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[Bug 239834] www/nginx www/nginx-devel security update


            Bug ID: 239834
           Summary: www/nginx www/nginx-devel security update
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: [hidden email]
          Reporter: [hidden email]
          Assignee: [hidden email]
             Flags: maintainer-feedback?([hidden email])


Lot of security problems in HTTP/2 were discovered

some of them related to nginx implementation


Several security issues were identified in nginx HTTP/2
implementation, which might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
nginx released version 1.16.1

Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
dev version 1.17.3 (there are more fixes released also, not only HTTP2)
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "resolver" directive was used in SMTP proxy.

Security problems related to all users who had enable http2 at build time and
added the http2 option to list directive in nginx configuration. HTTPv2 option
is enabled in ports tree by default.

With best regards

You are receiving this mail because:
You are the assignee for the bug.
[hidden email] mailing list
To unsubscribe, send any mail to "[hidden email]"