
6246 matches found

ALT Linux
added 2018/11/06 12:00 a.m. · 48 views

Security fix for the ALT Linux 9 package nginx version 1.14.1-alt1

Nov. 6, 2018 Anton Farygin 1.14.1-alt1 - 1.14.1 fixes: CVE-2018-16845, CVE-2018-16843, CVE-2018-16844...

CVSS 7.8 · AI score 7.1 · EPSS 0.47057
Exploits: 1
UbuntuCve
added 2018/11/06 12:00 a.m. · 37 views

CVE-2018-16844

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file...

CVSS 7.8 · AI score 6.8 · EPSS 0.124
Exploits: 0 · References: 3
UbuntuCve
added 2018/11/06 12:00 a.m. · 48 views

CVE-2018-16843

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...

CVSS 7.8 · AI score 6.8 · EPSS 0.47057
Exploits: 0 · References: 3
OSV
added 2018/11/06 12:00 a.m. · 2 views

UBUNTU-CVE-2018-16844

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file...

CVSS 7.5 · AI score 6.8 · EPSS 0.124
Exploits: 0 · References: 4
OSV
added 2018/11/06 12:00 a.m. · 1 views

UBUNTU-CVE-2018-16843

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuratio...

CVSS 7.5 · AI score 6.8 · EPSS 0.47057
Exploits: 0 · References: 4
FreeBSD
added 2018/11/06 12:00 a.m. · 628 views

NGINX -- Multiple vulnerabilities

NGINX Team reports: Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "liste...

CVSS 8.2 · AI score 1.5 · EPSS 0.47057
Exploits: 1 · References: 1
OSV
added 2018/11/06 12:00 a.m. · 0 views

UBUNTU-CVE-2018-16845

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affec...

CVSS 8.2 · AI score 6.8 · EPSS 0.09801
Exploits: 1 · References: 4
Positive Technologies
added 2018/11/06 12:00 a.m. · 12 views

PT-2018-2561 · Nginx +4

Name of the Vulnerable Software and Affected Versions: nginx versions prior to 1.15.6; nginx versions prior to 1.14.1. Description: The issue is related to the implementation of the HTTP/2 protocol in the nginx server, which can lead to uncontrolled resource consumption. This can allow a remote...

CVSS 8.2 · AI score 6.7 · EPSS 0.82567
Exploits: 20 · References: 86
Positive Technologies
added 2018/11/06 12:00 a.m. · 11 views

PT-2018-2562 · Nginx +4

Name of the Vulnerable Software and Affected Versions: nginx versions 1.14.0 through 1.14.1; nginx versions 1.15.0 through 1.15.6. Description: The issue is related to the implementation of HTTP/2 in nginx, which can lead to excessive CPU usage. This problem affects nginx compiled with the ngx http...

CVSS 8.2 · AI score 6.6 · EPSS 0.82567
Exploits: 1 · References: 80
Tenable Nessus
added 2018/11/05 12:00 a.m. · 42 views

Nginx < 1.5.12 SPDY Heap Buffer Overflow

According to the self-reported version in the server response header, the installed 1.3.x version of nginx is 1.3.15 or higher, or 1.4.x prior to 1.4.7, or 1.5.x prior to 1.5.12. It is, therefore, affected by a heap buffer overflow vulnerability. A flaw exists with the SPDY protocol implementatio...

CVSS 7.5 · AI score 8.2 · EPSS 0.09293
Exploits: 1 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 25 views

Nginx < 1.4.4 ngx_parse_http Security Bypass

According to the self-reported version in the Server response header, the installed version of nginx is greater than 0.8.41 but prior to 1.4.4 / 1.5.7. It is, therefore, affected by a security bypass vulnerability in 'ngx_http_parse.c' when a file with a space at the end of the URI is requested. No...

CVSS 7.5 · AI score 7.3 · EPSS 0.67718
Exploits: 15 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 16 views

Nginx < 1.7.5 SSL Session Reuse

According to the self-reported version in the server response header, the version of nginx installed on the remote host is 0.5.6 or higher, 1.6.x prior to 1.6.2, or 1.7.x prior to 1.7.5. It is, therefore, affected by an SSL session or TLS session ticket key handling error. A flaw exists in the fi...

CVSS 4.3 · AI score 6.8 · EPSS 0.05679
Exploits: 0 · References: 8
Tenable Nessus
added 2018/11/05 12:00 a.m. · 69 views

Nginx < 1.2.9 ngx_http_proxy_module.c Multiple Vulnerabilities

According to its Server response header, the installed version of nginx is greater than or equal to 1.1.4 and prior to 1.2.9, or greater than or equal to 1.3.0 and prior to 1.4.1. It is, therefore, affected by multiple vulnerabilities: - A stack-based buffer overflow in 'ngx_http_parse.c' may allo...

CVSS 7.5 · AI score 10 · EPSS 0.87475
Exploits: 18 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 64 views

Nginx < 1.4.7 SPDY Heap Buffer Overflow

According to the self-reported version in the server response header, the installed 1.3.x version of nginx is 1.3.15 or higher, or 1.4.x prior to 1.4.7, or 1.5.x prior to 1.5.12. It is, therefore, affected by a heap buffer overflow vulnerability. A flaw exists with the SPDY protocol implementatio...

CVSS 7.5 · AI score 8.2 · EPSS 0.09293
Exploits: 1 · References: 6
Tenable Nessus
added 2018/11/05 12:00 a.m. · 63 views

Nginx < 1.4.1 ngx_http_proxy_module.c Multiple Vulnerabilities

According to its Server response header, the installed version of nginx is greater than or equal to 1.1.4 and prior to 1.2.9, or greater than or equal to 1.3.0 and prior to 1.4.1. It is, therefore, affected by multiple vulnerabilities: - A stack-based buffer overflow in 'ngx_http_parse.c' may allo...

CVSS 7.5 · AI score 10 · EPSS 0.87475
Exploits: 18 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 43 views

Nginx < 1.5.7 ngx_parse_http Security Bypass

According to the self-reported version in the Server response header, the installed version of nginx is greater than 0.8.41 but prior to 1.4.4 / 1.5.7. It is, therefore, affected by a security bypass vulnerability in 'ngx_http_parse.c' when a file with a space at the end of the URI is requested. No...

CVSS 7.5 · AI score 7.3 · EPSS 0.67718
Exploits: 15 · References: 4
Tenable Nessus
added 2018/11/05 12:00 a.m. · 18 views

Nginx 1.5.10 SPDY Memory Corruption

According to the self-reported version in the server response header, the installed nginx version is 1.5.10. It is, therefore, affected by a memory corruption vulnerability. A flaw exists with the SPDY module implementation, where worker process memory could be corrupted via a specially crafted...

CVSS 7.5 · AI score 7.9 · EPSS 0.08663
Exploits: 0 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 40 views

Nginx < 1.9.10 Multiple Vulnerabilities

According to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 1.8.1 or 1.9.x prior to 1.9.10. It is, therefore, affected by multiple vulnerabilities as noted in the vendor advisory. Note that the scanner has not tested for these...

CVSS 9.8 · AI score 7.6 · EPSS 0.81958
Exploits: 0 · References: 5
Tenable Nessus
added 2018/11/05 12:00 a.m. · 124 views

Nginx < 1.12.1 Integer Overflow

According to the self-reported version in its response header, the version of nginx hosted on the remote web server is 1.13.3. It is, therefore, affected by an integer overflow vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's...

CVSS 7.5 · AI score 7.6 · EPSS 0.62597
Exploits: 6 · References: 3
Tenable Nessus
added 2018/11/05 12:00 a.m. · 15 views

Nginx < 1.10.1 NULL Pointer Dereference

According to the self-reported version in its response header, the version of nginx hosted on the remote web server is 1.11.1. It is, therefore, affected by a NULL pointer dereference vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the...

CVSS 7.5 · AI score 7.3 · EPSS 0.16376
Exploits: 0 · References: 3