Your message dated Fri, 23 Aug 2019 07:57:04 +0000
with message-id <e1i14ru-00066w...@fasolo.debian.org>
and subject line Bug#935037: fixed in nginx 1.14.2-2+deb10u1
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
935037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 1.14.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.10.3-1+deb9u2
Control: found -1 1.10.3-1

Hi,

The following vulnerabilities were published for nginx.

CVE-2019-9511[0]:
| Some HTTP/2 implementations are vulnerable to window size manipulation
| and stream prioritization manipulation, potentially leading to a
| denial of service. The attacker requests a large amount of data from a
| specified resource over multiple streams. They manipulate window size
| and stream priority to force the server to queue the data in 1-byte
| chunks. Depending on how efficiently this data is queued, this can
| consume excess CPU, memory, or both.


CVE-2019-9513[1]:
| Some HTTP/2 implementations are vulnerable to resource loops,
| potentially leading to a denial of service. The attacker creates
| multiple request streams and continually shuffles the priority of the
| streams in a way that causes substantial churn to the priority tree.
| This can consume excess CPU.


CVE-2019-9516[2]:
| Some HTTP/2 implementations are vulnerable to a header leak,
| potentially leading to a denial of service. The attacker sends a
| stream of headers with a 0-length header name and 0-length header
| value, optionally Huffman encoded into 1-byte or greater headers. Some
| implementations allocate memory for these headers and keep the
| allocation alive until the session dies. This can consume excess
| memory.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
    https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
[1] https://security-tracker.debian.org/tracker/CVE-2019-9513
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
    https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
[2] https://security-tracker.debian.org/tracker/CVE-2019-9516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
    https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
[3] https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
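The three patterns quoted in the CVE texts above, as a frame-level detector written for this note (an added illustration, not nginx code and not the upstream fixes): it parses raw HTTP/2 frames and a simplified HPACK block, then counts tiny WINDOW_UPDATE increments, PRIORITY churn and zero-length header names on one connection. The thresholds, the 16-byte increment cutoff, the HPACK subset handled and the `frame` helper used to build the constructed samples are all assumptions of this example.

```python
from collections import Counter
HEADERS, PRIORITY, WINDOW_UPDATE = 0x1, 0x2, 0x8          # RFC 7540 frame types
TINY_INCREMENT, MAX_TINY_UPDATES, MAX_PRIORITY = 16, 8, 8  # assumed thresholds

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from a raw HTTP/2 frame sequence."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        stream = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield data[off + 3], data[off + 4], stream, data[off + 9:off + 9 + length]
        off += 9 + length

def header_names(block):
    """Names in a simplified HPACK block: indexed fields (index < 127) and
    literal fields with a new name; lengths < 127, no Huffman (assumptions)."""
    names, i = [], 0
    while i < len(block):
        if block[i] & 0x80:                        # indexed field: one byte
            i += 1
        elif block[i] in (0x00, 0x10, 0x40):       # literal field with new name
            nlen = block[i + 1] & 0x7F
            names.append(bytes(block[i + 2:i + 2 + nlen]))
            i += 3 + nlen + (block[i + 2 + nlen] & 0x7F)   # skip the value too
        else:
            raise ValueError("unsupported HPACK representation in sample")
    return names

def analyse(data):
    """Return {cve: count} for the patterns seen on one connection's frames."""
    tiny, prio, empty = 0, Counter(), 0
    for ftype, flags, stream, payload in iter_frames(data):
        if ftype == WINDOW_UPDATE:
            tiny += (int.from_bytes(payload, "big") & 0x7FFFFFFF) < TINY_INCREMENT
        elif ftype == PRIORITY:
            prio[stream] += 1
        elif ftype == HEADERS and not flags & 0x28:   # no PADDED/PRIORITY flags
            empty += header_names(payload).count(b"")
    checks = (("CVE-2019-9511", tiny, MAX_TINY_UPDATES),
              ("CVE-2019-9513", sum(prio.values()), MAX_PRIORITY),
              ("CVE-2019-9516", empty, 0))
    return {cve: n for cve, n, limit in checks if n > limit}

def frame(ftype, stream, payload, flags=0):
    """Serialise one frame; used only to build the constructed samples below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream.to_bytes(4, "big") + payload

# Constructed samples: ordinary HEADERS (indexed :method, literal "host"), and one with an empty-name literal
NORMAL = frame(HEADERS, 1, bytes([0x82, 0x00, 0x04]) + b"host" + bytes([0x01]) + b"a", 0x5)
EMPTY_NAME = frame(HEADERS, 3, bytes([0x82, 0x00, 0x00, 0x00]), 0x5)
```

`analyse(NORMAL)` reports nothing, while `analyse(EMPTY_NAME)` reports one zero-length header name for CVE-2019-9516; the per-connection counters are what a proxy or IDS would key rate limits on.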
--- Begin Message ---
Source: nginx
Source-Version: 1.14.2-2+deb10u1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochala...@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Tue, 20 Aug 2019 11:22:25 EEST
Source: nginx
Architecture: source
Version: 1.14.2-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintain...@alioth-lists.debian.net>
Changed-By: Christos Trochalakis <ctrochala...@debian.org>
Closes: 935037
Changes:
 nginx (1.14.2-2+deb10u1) buster-security; urgency=high
 .
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
     Those fixes affect the Nginx HTTP/2 implementation, which might cause
     excessive memory consumption and CPU usage.
     (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).


--- End Message ---
