Your message dated Fri, 23 Aug 2019 05:47:47 +0000
with message-id <e1i12qn-0003vz...@fasolo.debian.org>
and subject line Bug#935037: fixed in nginx 1.10.3-1+deb9u3
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
935037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 1.14.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.10.3-1+deb9u2
Control: found -1 1.10.3-1
Hi,
The following vulnerabilities were published for nginx.
CVE-2019-9511[0]:
| Some HTTP/2 implementations are vulnerable to window size manipulation
| and stream prioritization manipulation, potentially leading to a
| denial of service. The attacker requests a large amount of data from a
| specified resource over multiple streams. They manipulate window size
| and stream priority to force the server to queue the data in 1-byte
| chunks. Depending on how efficiently this data is queued, this can
| consume excess CPU, memory, or both.
CVE-2019-9513[1]:
| Some HTTP/2 implementations are vulnerable to resource loops,
| potentially leading to a denial of service. The attacker creates
| multiple request streams and continually shuffles the priority of the
| streams in a way that causes substantial churn to the priority tree.
| This can consume excess CPU.
CVE-2019-9516[2]:
| Some HTTP/2 implementations are vulnerable to a header leak,
| potentially leading to a denial of service. The attacker sends a
| stream of headers with a 0-length header name and 0-length header
| value, optionally Huffman encoded into 1-byte or greater headers. Some
| implementations allocate memory for these headers and keep the
| allocation alive until the session dies. This can consume excess
| memory.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9511
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
[1] https://security-tracker.debian.org/tracker/CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
[2] https://security-tracker.debian.org/tracker/CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
[3] https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
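The report above lists the versions found affected (1.10.3-1, 1.10.3-1+deb9u2 and the 1.14.2-2 package in sid) and the closing upload names the stretch-security fix, 1.10.3-1+deb9u3. Deciding whether a given host has that fix means comparing Debian version strings the way dpkg does (numeric runs compared as numbers, so deb9u10 is newer than deb9u3; "~" sorts before everything), not lexically. The following is an added example, not code from the Debian BTS, the nginx project or either message in this thread: it implements the dpkg version ordering in Python, keys the fixed version off the suite using only the value this thread states (stretch), reports "unknown" for any other suite rather than guessing, and, when run on a host, reads the installed version with `dpkg-query`. The assumption that the host is running stretch in the `__main__` block is a constructed placeholder.

```python
import re
import subprocess

# Fixed version taken from this bug thread: the stretch-security upload that
# closed #935037. Other suites are deliberately absent because the thread does
# not state their fixed versions.
FIXED_VERSIONS = {
    "stretch": "1.10.3-1+deb9u3",
}


def _order(c):
    """Character weight dpkg uses inside the non-digit parts of a version:
    '~' sorts before everything (even end-of-string, which weighs 0),
    letters sort before every other character."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # Compare two non-digit runs character by character; a missing
    # character counts as end-of-string (weight 0).
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or debian-revision string the dpkg way:
    alternate non-digit runs (weighted by _order) and digit runs (compared
    numerically, so deb9u10 > deb9u3 even though '1' < '3' lexically)."""
    while a or b:
        na = re.match(r"\D*", a).group(0)
        nb = re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group(0)
        db = re.match(r"\d*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; the revision follows the LAST '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def assess(installed, suite):
    """'fixed' if installed >= the suite's fixed version, 'affected' if below,
    'unknown' when the thread gives no fixed version for that suite. The
    1.14.2-2 sid package the bug was filed against compares higher than the
    stretch fix, which proves nothing, hence the suite key."""
    fixed = FIXED_VERSIONS.get(suite)
    if fixed is None:
        return "unknown"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "affected"


def installed_nginx_version():
    """Installed nginx version via dpkg-query, or None if absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", "nginx"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Assumption (placeholder): the host runs stretch.
    v = installed_nginx_version()
    if v is None:
        print("nginx is not installed (or dpkg-query is unavailable)")
    else:
        print(f"nginx {v}: {assess(v, 'stretch')} for CVE-2019-9511/9513/9516")
```

The same ordering can be obtained from `dpkg --compare-versions` on a Debian host; the point of carrying the algorithm here is that the check can run on inventory data collected off-host, where dpkg is not available, and that it refuses to call a package fixed when the suite's fixed version is not known.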
--- Begin Message ---
Source: nginx
Source-Version: 1.10.3-1+deb9u3
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochala...@debian.org> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 19 Aug 2019 12:31:19 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras
libnginx-mod-http-geoip libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua
libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo
libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter
libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex
libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter
libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintain...@lists.alioth.debian.org>
Changed-By: Christos Trochalakis <ctrochala...@debian.org>
Description:
libnginx-mod-http-auth-pam - PAM authentication module for Nginx
libnginx-mod-http-cache-purge - Purge content from Nginx caches
libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
libnginx-mod-http-image-filter - HTTP image filter module for Nginx
libnginx-mod-http-lua - Lua module for Nginx
libnginx-mod-http-ndk - Nginx Development Kit module
libnginx-mod-http-perl - Perl module for Nginx
libnginx-mod-http-subs-filter - Substitution filter module for Nginx
libnginx-mod-http-uploadprogress - Upload progress system for Nginx
libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
libnginx-mod-mail - Mail module for Nginx
libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
libnginx-mod-stream - Stream module for Nginx
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-full - nginx web/proxy server (standard version)
nginx-light - nginx web/proxy server (basic version)
Closes: 935037
Changes:
nginx (1.10.3-1+deb9u3) stretch-security; urgency=high
.
* Backport upstream fixes for 3 CVEs (Closes: #935037)
Those fixes affect Nginx HTTP/2 implementation, which might cause
excessive memory consumption and CPU usage.
(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
Checksums-Sha1:
cbec633b8f3ef8a100ee8840bdf5cf869fac1ebd 4232 nginx_1.10.3-1+deb9u3.dsc
6dd7c497529a075b7efebd2449f6f56740343b2d 848956 nginx_1.10.3-1+deb9u3.debian.tar.xz
Checksums-Sha256:
7358b9acafa1f86c47cbb59ccc4cca02cd6229f1290f782311a29e727ef044ce 4232 nginx_1.10.3-1+deb9u3.dsc
9ff3d3c05c551e77321785185879106438d808c13bd10150ef2539776ea25686 848956 nginx_1.10.3-1+deb9u3.debian.tar.xz
Files:
e0e207a9be566060354cb7a9dbcbcae6 4232 httpd optional nginx_1.10.3-1+deb9u3.dsc
ad5bd2faa7caa88a18d12390d9a7014f 848956 httpd optional nginx_1.10.3-1+deb9u3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=Or3r
-----END PGP SIGNATURE-----
--- End Message ---