nginx: CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Debian Bug report logs - #913090

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 6 Nov 2018 20:27:01 UTC

Severity: grave

Tags: security, upstream

Found in versions nginx/1.10.3-1, nginx/1.14.0-1, nginx/1.10.3-1+deb9u1

Fixed in versions nginx/1.14.1-1, nginx/1.10.3-1+deb9u2

Done: Christos Trochalakis <ctrochalakis@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>:
Bug#913090; Package src:nginx. (Tue, 06 Nov 2018 20:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>. (Tue, 06 Nov 2018 20:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx: CVE-2018-16843 CVE-2018-16844 CVE-2018-16845
Date: Tue, 06 Nov 2018 21:26:13 +0100
Source: nginx
Version: 1.10.3-1
Severity: important
Tags: security upstream
Control: found -1 1.10.3-1+deb9u1
Control: found -1 1.14.0-1

Hi,

The following vulnerabilities were published for nginx.

CVE-2018-16843[0]:
Excessive memory usage in HTTP/2

CVE-2018-16844[1]:
Excessive CPU usage in HTTP/2

CVE-2018-16845[2]:
Memory disclosure in the ngx_http_mp4_module

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843
[1] https://security-tracker.debian.org/tracker/CVE-2018-16844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844
[2] https://security-tracker.debian.org/tracker/CVE-2018-16845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845

Regards,
Salvatore



Marked as found in versions nginx/1.10.3-1+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 06 Nov 2018 20:27:04 GMT)


Marked as found in versions nginx/1.14.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 06 Nov 2018 20:27:04 GMT)


Severity set to 'grave' from 'important'. Request was from jmm@inutil.org (Moritz Muehlenhoff) to control@bugs.debian.org. (Tue, 06 Nov 2018 21:09:02 GMT)


Reply sent to Christos Trochalakis <ctrochalakis@debian.org>:
You have taken responsibility. (Wed, 07 Nov 2018 07:09:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Nov 2018 07:09:08 GMT)


Message #16 received at 913090-close@bugs.debian.org:

From: Christos Trochalakis <ctrochalakis@debian.org>
To: 913090-close@bugs.debian.org
Subject: Bug#913090: fixed in nginx 1.14.1-1
Date: Wed, 07 Nov 2018 07:04:04 +0000
Source: nginx
Source-Version: 1.14.1-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochalakis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Nov 2018 07:16:00 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter libnginx-mod-http-dav-ext libnginx-mod-rtmp
Architecture: source
Version: 1.14.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Christos Trochalakis <ctrochalakis@debian.org>
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-rtmp - RTMP support for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-full - nginx web/proxy server (standard version)
 nginx-light - nginx web/proxy server (basic version)
Closes: 913090
Changes:
 nginx (1.14.1-1) unstable; urgency=medium
 .
   [ Kartik Mistry ]
   * Removed unused lintian override.
   * Fixed trailing whitespaces in changelog.
 .
   [ Christos Trochalakis ]
   * New upstream version. (Closes: #913090)
     + CVE-2018-16843 Excessive memory usage in HTTP/2
     + CVE-2018-16844 Excessive CPU usage in HTTP/2
     + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module




Message #17 received at 913090-done@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 913090-done@bugs.debian.org
Subject: Bug #913090 in nginx fixed
Date: Fri, 09 Nov 2018 09:12:11 +0000
Hello,

Bug #913090 in nginx reported by you has been fixed in the Git repository.
You can see the commit message below, and you can check the diff of the fix at:

https://salsa.debian.org/nginx-team/nginx/commit/c7d98a1a4c2bec188ef994304202fcb486a0472d

------------------------------------------------------------------------
Prevent a denial of service vulnerability due to an integer underflow whilst calculating MP4 header sizes. (Closes: #913090

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/913090



Reply sent to Christos Trochalakis <ctrochalakis@debian.org>:
You have taken responsibility. (Sat, 10 Nov 2018 11:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Nov 2018 11:21:07 GMT)


Message #22 received at 913090-close@bugs.debian.org:

From: Christos Trochalakis <ctrochalakis@debian.org>
To: 913090-close@bugs.debian.org
Subject: Bug#913090: fixed in nginx 1.10.3-1+deb9u2
Date: Sat, 10 Nov 2018 11:17:21 +0000
Source: nginx
Source-Version: 1.10.3-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochalakis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 07 Nov 2018 07:40:42 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@lists.alioth.debian.org>
Changed-By: Christos Trochalakis <ctrochalakis@debian.org>
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-full - nginx web/proxy server (standard version)
 nginx-light - nginx web/proxy server (basic version)
Closes: 913090
Changes:
 nginx (1.10.3-1+deb9u2) stretch-security; urgency=high
 .
   * Backport http2_max_requests directive needed for
     CVE-2018-16844 mitigation
   * Backport upstream fixes for 3 CVEs (Closes: #913090)
     + CVE-2018-16843 Excessive memory usage in HTTP/2
     + CVE-2018-16844 Excessive CPU usage in HTTP/2
       This change limits the maximum allowed number of idle state
       switches to 10 * http2_max_requests (i.e., 10000 by default).
       This limits possible CPU usage in one connection, and also
       imposes a limit on the maximum lifetime of a connection
     + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Feb 2019 07:35:19 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:31:42 2019; Machine Name: buxtehude