*** This bug is a security vulnerability ***

Public security bug reported:

The following was put out in a security advisory notice over nginx-announce's mailing list today:

http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html

Hello!

Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.

The issues affect nginx 1.9.5 - 1.15.5.
The issues are fixed in nginx 1.15.6, 1.14.1.

Thanks to Gal Goldshtein from F5 Networks for initial report of the CPU usage issue.

-----

Based on the version strings specified, the following Ubuntu versions of nginx are affected:

* Xenial (1.9.15-0ubuntu1, 1.10.3-0ubuntu0.16.04.2)
* Bionic (1.14.0-0ubuntu1, 1.14.0-0ubuntu1.1)
* Cosmic (1.15.0-0ubuntu1, 1.15.0-0ubuntu2)
* Disco (1.15.0-0ubuntu1, 1.15.0-0ubuntu3)

** Affects: nginx (Ubuntu)
   Importance: Undecided
   Status: Confirmed

** Affects: nginx (Ubuntu Xenial)
   Importance: Undecided
   Status: Confirmed

** Affects: nginx (Ubuntu Bionic)
   Importance: Undecided
   Status: Confirmed

** Affects: nginx (Ubuntu Cosmic)
   Importance: Undecided
   Status: Confirmed

** Affects: nginx (Ubuntu Disco)
   Importance: Undecided
   Status: Confirmed

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16843

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-16844

** Also affects: nginx (Ubuntu Disco)
   Importance: Undecided
   Status: Confirmed

** Also affects: nginx (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: nginx (Ubuntu Cosmic)
   Importance: Undecided
   Status: New

** Also affects: nginx (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: nginx (Ubuntu Bionic)
   Status: New => Confirmed

** Changed in: nginx (Ubuntu Cosmic)
   Status: New => Confirmed

** Changed in: nginx (Ubuntu Xenial)
   Status: New => Confirmed

https://bugs.launchpad.net/bugs/1801982

Title:
  Security Advisory - Nov. 6, 2018 - CVE-2018-16843, CVE-2018-16844
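
The advisory's exposure conditions (upstream version in range, ngx_http_v2_module built in, and "http2" on a "listen" directive) can be checked together; the following is an added example, not part of the original report or of nginx. The function names and sample inputs are constructed for illustration, and the comparison uses upstream version numbers only, so a distribution package carrying a backported fix still has to be confirmed from its changelog.

```python
import re

# Version bounds taken from the advisory quoted in the report.
FIRST_AFFECTED = (1, 9, 5)
FIXED_MAINLINE = (1, 15, 6)
FIXED_STABLE = (1, 14, 1)

def parse_nginx_v(output):
    """Return (version tuple, http2 module built in?) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no nginx version string found")
    version = tuple(int(x) for x in m.groups())
    return version, "--with-http_v2_module" in output

def version_in_range(version):
    """True if the upstream version lies in the advisory's affected range."""
    # The 1.14.x stable branch is fixed from 1.14.1 onward.
    if version[:2] == FIXED_STABLE[:2] and version >= FIXED_STABLE:
        return False
    return FIRST_AFFECTED <= version < FIXED_MAINLINE

def http2_listeners(config_text):
    """Return the listen directives that carry the http2 parameter."""
    hits = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]          # ignore commented-out text
        for m in re.finditer(r"\blisten\s+([^;]*);", line):
            if "http2" in m.group(1).split():
                hits.append(m.group(0))
    return hits

def is_exposed(nginx_v_output, config_text):
    """All three conditions from the advisory must hold."""
    version, has_module = parse_nginx_v(nginx_v_output)
    return (version_in_range(version) and has_module
            and bool(http2_listeners(config_text)))

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = ("nginx version: nginx/1.14.0 (Ubuntu)\n"
            "configure arguments: --with-http_ssl_module --with-http_v2_module\n")
SAMPLE_CONF = """server {
    listen 443 ssl http2;
    # listen 8443 http2;
    listen 80;
}"""
```

On a real host, feed it the text of `nginx -V` (written to stderr) and the full configuration dumped by `nginx -T`, which includes all included files.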