[Bug 239834] www/nginx www/nginx-devel security update

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Aug 13 22:48:38 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239834

            Bug ID: 239834
           Summary: www/nginx www/nginx-devel security update
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: joneum at FreeBSD.org
          Reporter: ucu8u1b-ol at avksrv.org
             Flags: maintainer-feedback?(joneum at FreeBSD.org)

Hello!

A lot of security problems in HTTP/2 were discovered:
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

some of them are related to the nginx implementation:

http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

------------
Several security issues were identified in nginx HTTP/2
implementation, which might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
------------
nginx released version 1.16.1
http://mailman.nginx.org/pipermail/nginx-announce/2019/000248.html

-------------
Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).
--------------
and the dev version 1.17.3 (more fixes were released as well, not only for HTTP/2):
http://mailman.nginx.org/pipermail/nginx-announce/2019/000247.html
------------------
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "resolver" directive was used in SMTP proxy.
---------------

The security problems affect all users who enabled http2 at build time and
added the http2 option to the listen directive in the nginx configuration. The HTTPV2
option is enabled in the ports tree by default.

With best regards
/Alexey
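The advisory quoted above gives three conditions that must all hold for a host to be exposed: an nginx version in the 1.9.5 - 1.17.2 range (with 1.16.1 being the fixed stable release), a build that includes ngx_http_v2_module, and a "listen" directive that carries the "http2" option. The following POSIX shell script is an added example, not code from the bug report, the nginx project or the FreeBSD port; it turns those three conditions into an offline check. It assumes the standard "nginx -V" output format ("nginx version: nginx/X.Y.Z" plus "configure arguments: ... --with-http_v2_module") and the "nginx -T" configuration dump; the embedded sample outputs are constructed for illustration, and the "--live" flag and all function names are the example's own.

```shell
#!/bin/sh
# Added example: offline check for exposure to CVE-2019-9511, CVE-2019-9513
# and CVE-2019-9516 as described in the nginx advisory. Not project code.
# Exposed = version in 1.9.5..1.17.2 (except the fixed 1.16.1)
#        AND built with ngx_http_v2_module
#        AND some "listen ... http2" directive in the active configuration.

# version_key 1.17.2 -> 1017002  (major*1000000 + minor*1000 + patch).
# A FreeBSD port revision suffix such as "1.16.1_1" is stripped first.
version_key() {
    v=${1%%[_-]*}
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) if the version lies in the advisory's affected range.
# 1.16.1 sits inside the numeric range but is the fixed stable release.
version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge 1009005 ] && [ "$k" -le 1017002 ] && [ "$k" -ne 1016001 ]
}

# Extracts "1.16.0" from the "nginx version: nginx/1.16.0" line of "nginx -V".
version_from_nginx_v() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/||p' | head -n 1
}

# True if the "nginx -V" output shows the HTTP/2 module compiled in.
built_with_http2() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v2_module'
}

# True if any uncommented "listen" directive in the "nginx -T" dump enables http2.
config_enables_http2() {
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:];]|$)'
}

# Combines the three conditions. $1 = "nginx -V" output, $2 = "nginx -T" output.
# Exit 0 = exposed, 1 = not exposed, 2 = could not determine the version.
nginx_exposed() {
    ver=$(version_from_nginx_v "$1")
    [ -n "$ver" ] || { echo "could not parse nginx version"; return 2; }
    if ! version_affected "$ver"; then
        echo "nginx $ver: version not affected"; return 1
    fi
    if ! built_with_http2 "$1"; then
        echo "nginx $ver: ngx_http_v2_module not compiled in"; return 1
    fi
    if ! config_enables_http2 "$2"; then
        echo "nginx $ver: http2 module present but no listen directive uses http2"; return 1
    fi
    echo "nginx $ver: EXPOSED to CVE-2019-9511/9513/9516, upgrade to 1.16.1 or 1.17.3"
    return 0
}

# Constructed sample input (not captured from a real host): a vulnerable build
# with the HTTP/2 module and a server block that turns http2 on.
SAMPLE_NGINX_V='nginx version: nginx/1.16.0
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-http_ssl_module --with-http_v2_module'

SAMPLE_NGINX_T='# configuration file /usr/local/etc/nginx/nginx.conf:
http {
    server {
        listen 443 ssl http2;
        server_name example.test;
    }
}'

# "--live" checks the installed nginx ("nginx -V" writes to stderr, "nginx -T"
# dumps the parsed configuration to stdout); otherwise the sample is checked.
if [ "${1:-}" = "--live" ] && command -v nginx >/dev/null 2>&1; then
    nginx_exposed "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
else
    nginx_exposed "$SAMPLE_NGINX_V" "$SAMPLE_NGINX_T"
fi
```

On a FreeBSD host the same conditions can be read off the package: "pkg info nginx" gives the version (the port revision suffix is ignored by the check) and "nginx -V" shows whether the HTTPV2 port option put --with-http_v2_module into the build. A host that passes the version and build checks but has no "listen ... http2" line is not exposed by the advisory's own wording, but it is still one configuration change away from being exposed, so the upgrade is the right fix in all three cases.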
