Date: Tue, 13 Aug 2019 22:48:35 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 239834] www/nginx www/nginx-devel security update
Message-ID: <bug-239834-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239834

Bug ID: 239834
Summary: www/nginx www/nginx-devel security update
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: joneum@FreeBSD.org
Reporter: ucu8u1b-ol@avksrv.org
Flags: maintainer-feedback?(joneum@FreeBSD.org)

Hello!

A lot of security problems in HTTP/2 were discovered
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
some of them related to the nginx implementation
http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

------------
Several security issues were identified in nginx HTTP/2 implementation,
which might cause excessive memory consumption and CPU usage
(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
------------

nginx released version 1.16.1
http://mailman.nginx.org/pipermail/nginx-announce/2019/000248.html

-------------
Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).
--------------

and dev version 1.17.3 (there are more fixes released also, not only HTTP/2)
http://mailman.nginx.org/pipermail/nginx-announce/2019/000247.html

------------------
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if
       the "resolver" directive was used in SMTP proxy.
---------------

The security problems are relevant to all users who have enabled http2 at build
time and added the http2 option to the listen directive in the nginx
configuration. The HTTP/2 option is enabled in the ports tree by default.

With best regards
/Alexey

--
You are receiving this mail because:
You are the assignee for the bug.
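As an added triage check (not part of this bug report and not nginx or FreeBSD project code), the POSIX sh script below applies the advisory's three conditions to plain strings: the version from `nginx -V` output must fall in 1.9.5 - 1.17.2 without being a fixed release, the build must include ngx_http_v2_module, and an uncommented `listen` line must carry `http2`. All function names are my own, and the inputs are passed as strings so the check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the bug report: offline triage of whether an nginx
# build and configuration fall in the affected set the advisory describes
# (nginx 1.9.5 - 1.17.2, built with ngx_http_v2_module, "http2" on a listen line).
# Inputs are plain strings, e.g. the output of `nginx -V 2>&1` and the config text.

# to_num 1.16.1 -> 1016001: pack a three-part version into one integer for comparison
to_num() { printf '%s' "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'; }

# nginx_version "<nginx -V output>" -> "1.16.0"
nginx_version() { printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/##p' | head -n 1; }

# version_affected VER: true if VER is within 1.9.5..1.17.2 and is not a fixed release
version_affected() {
    case "$1" in *.*.*) ;; *) return 1 ;; esac   # unknown/unparseable: do not flag
    v=$(to_num "$1")
    if [ "$v" -lt "$(to_num 1.9.5)" ] || [ "$v" -gt "$(to_num 1.17.2)" ]; then
        return 1
    fi
    # 1.16.1 and later on the 1.16 stable branch already carry the fix
    if [ "$v" -ge "$(to_num 1.16.1)" ] && [ "$v" -lt "$(to_num 1.17.0)" ]; then
        return 1
    fi
    return 0
}

# built_with_http2 "<nginx -V output>": true if ngx_http_v2_module was compiled in
built_with_http2() {
    if printf '%s\n' "$1" | grep -q -- '--with-http_v2_module'; then return 0; fi
    return 1
}

# config_uses_http2 "<nginx.conf text>": true if an uncommented listen line enables http2
config_uses_http2() {
    if printf '%s\n' "$1" | sed 's/#.*//' |
       grep -Eq '^[[:space:]]*listen[^;]*[[:space:]]http2([[:space:]]|;|$)'; then
        return 0
    fi
    return 1
}

# nginx_http2_exposed "<nginx -V output>" "<nginx.conf text>": true only if all three hold
nginx_http2_exposed() {
    if version_affected "$(nginx_version "$1")" && built_with_http2 "$1" &&
       config_uses_http2 "$2"; then
        return 0
    fi
    return 1
}
```

`nginx -V` prints to stderr, so capture it with `2>&1` before passing it in; the config check does not follow `include` directives, so concatenate included files into the second argument yourself.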