Debian: Security Advisory (DSA-4503-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Nginx 1.17.x < 1.17.3 Multiple Vulnerabilties

According to its Server response header, the installed version of nginx is 1.9.5 to 1.16.0 or 1.17.x prior to 1.17.3. It is, therefore, affected by the following issues : - An excessive CPU usage in HTTP/2 with small window updates exists related to the module 'ngxhttpv2module'. CVE-2019-9511 - A...

FreeBSD : NGINX -- Multiple vulnerabilities (87679fcb-be60-11e9-9051-4c72b94353b5) (0-Length Headers Leak) (Data Dribble) (Resource Loop)

NGINX Team reports : Several security issues were identified in nginx HTTP/2 implementation which might cause excessive memory consumption and CPU usage CVE-2019-9511, CVE-2019-9513, CVE-2019-9516. The issues affect nginx compiled with the ngxhttpv2module not compiled by default if the http2 opti...

Debian DSA-4503-1 : golang-1.11 - security update (Ping Flood) (Reset Flood)

Three vulnerabilities have been discovered in the Go programming language; 'net/url' accepted some invalid hosts in URLs which could result in authorisation bypass in some applications and the HTTP/2 implementation was susceptible to denial of service. C Tenable Network Security, Inc. The...

Nginx 1.9.5 < 1.16.1 Multiple Vulnerabilties

According to its Server response header, the installed version of nginx is 1.9.5 to 1.16.0 or 1.17.x prior to 1.17.3. It is, therefore, affected by the following issues : - An excessive CPU usage in HTTP/2 with small window updates exists related to the module 'ngxhttpv2module'. CVE-2019-9511 - A...

Apache 2.4.x < 2.4.41 Multiple Vulnerabilities

The version of Apache httpd installed on the remote host is prior to 2.4.41. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.41 advisory, including the following: - A limited cross-site scripting issue was reported affecting the modproxy error page. An attacker cou...

August 2019 Security Releases

August 2019 Security Releases Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all...

nginx 1.9.5 < 1.16.1 / 1.17.x < 1.17.3 Multiple Vulnerabilities

According to its Server response header, the installed version of nginx is 1.9.5 prior to 1.16.1 or 1.17.x prior to 1.17.3. It is, therefore, affected by multiple denial of service vulnerabilities : - A denial of service vulnerability exists in the HTTP/2 protocol stack due to improper handling o...

[ASA-201908-13] nginx: denial of service

Arch Linux Security Advisory ASA-201908-13 ========================================== Severity: Medium Date : 2019-08-16 CVE-ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Package : nginx Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1023 Summary ======= The...

Ubuntu: Security Advisory (USN-4099-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Node.js -- multiple vulnerabilities

Node.js reports: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Updates are now available for all active Node....

[ASA-201908-12] nginx-mainline: denial of service

Arch Linux Security Advisory ASA-201908-12 ========================================== Severity: Medium Date : 2019-08-16 CVE-ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Package : nginx-mainline Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1022 Summary =======...

CVE-2019-10081

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

CVE-2019-10081

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

Design/Logic Flaw

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

CVE-2019-10081

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

CVE-2019-10081

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

CVE-2019-10081

CVE-2019-10081 affects Apache httpd's HTTP/2 implementation (mod_http2) where very early pushes can overwrite memory in the pushing request’s pool, causing crashes. The vulnerable facet is the handling of push headers (not client data) and memory being copied from the configured push link header ...

CVE-2019-10081

HTTP/2 2.4.20 through 2.4.39 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client...

HTTP Bugs Open Websites to DoS Attacks

Eight bugs in the implementation of HTTP/2, the most recent version of the HTTP protocol, can be exploited to launch denial of service attacks. The flaws were found in vendor server configurations ranging from Amazon, Google, Microsoft and Apache. Bugs are similar in nature and can be exploited b...