Your message dated Mon, 19 Aug 2019 11:10:42 +0000
with message-id <e1hzfyg-0002lb...@fasolo.debian.org>
and subject line Bug#935037: fixed in nginx 1.14.2-3
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
935037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 1.14.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.10.3-1+deb9u2
Control: found -1 1.10.3-1

Hi,

The following vulnerabilities were published for nginx.

CVE-2019-9511[0]:
| Some HTTP/2 implementations are vulnerable to window size manipulation
| and stream prioritization manipulation, potentially leading to a
| denial of service. The attacker requests a large amount of data from a
| specified resource over multiple streams. They manipulate window size
| and stream priority to force the server to queue the data in 1-byte
| chunks. Depending on how efficiently this data is queued, this can
| consume excess CPU, memory, or both.


CVE-2019-9513[1]:
| Some HTTP/2 implementations are vulnerable to resource loops,
| potentially leading to a denial of service. The attacker creates
| multiple request streams and continually shuffles the priority of the
| streams in a way that causes substantial churn to the priority tree.
| This can consume excess CPU.


CVE-2019-9516[2]:
| Some HTTP/2 implementations are vulnerable to a header leak,
| potentially leading to a denial of service. The attacker sends a
| stream of headers with a 0-length header name and 0-length header
| value, optionally Huffman encoded into 1-byte or greater headers. Some
| implementations allocate memory for these headers and keep the
| allocation alive until the session dies. This can consume excess
| memory.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
    https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
[1] https://security-tracker.debian.org/tracker/CVE-2019-9513
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
    https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
[2] https://security-tracker.debian.org/tracker/CVE-2019-9516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
    https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
[3] https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.14.2-3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochala...@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 19 Aug 2019 11:30:08 +0300
Source: nginx
Architecture: source
Version: 1.14.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintain...@alioth-lists.debian.net>
Changed-By: Christos Trochalakis <ctrochala...@debian.org>
Closes: 935037
Changes:
 nginx (1.14.2-3) unstable; urgency=high
 .
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
     Those fixes affect Nginx HTTP/2 implementation, which might cause
     excessive memory consumption and CPU usage.
     (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
Checksums-Sha1:
 a88dbf47cde24a040af9359704e54e3f41b9b186 4149 nginx_1.14.2-3.dsc
 0285ab4a477eba8a0b849beeb1ddd7dd5adf463a 930492 nginx_1.14.2-3.debian.tar.xz
 0cf38803ebb320ba32dcd560a0c54b1cad23f4fd 22111 nginx_1.14.2-3_amd64.buildinfo
Checksums-Sha256:
 9b0ef5ac174928107647794875903db684a28447ed683c6e84e9280756eb46b2 4149 nginx_1.14.2-3.dsc
 b252e5a20bfc89891814f9d98fe1654ebf19249e315f4b0bb4f8deb93aebd49b 930492 nginx_1.14.2-3.debian.tar.xz
 36da7bab635e3b6ab095cfce2eed91d28998085c4444e2347697a8105e7e5c93 22111 nginx_1.14.2-3_amd64.buildinfo
Files:
 e966afc7e9b96decdd00184d8ca61959 4149 httpd optional nginx_1.14.2-3.dsc
 3d6aa011b541b79d828b71ce777693a7 930492 httpd optional nginx_1.14.2-3.debian.tar.xz
 e12318c452b9677ebe19fb502aac29d2 22111 httpd optional nginx_1.14.2-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
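The versions in this thread (found in 1.10.3-1, 1.10.3-1+deb9u2 and 1.14.2-2; fixed in 1.14.2-3) only make sense under dpkg's ordering, where `1.10.3-1+deb9u2` is newer than `1.10.3-1` but older than `1.14.2-3`. The block below is an added example, not code from the bug report or from dpkg: it re-implements dpkg's comparison in Python so an installed nginx version can be checked against those values. Comparing against 1.14.2-3 is an assumption that only holds for the suite this upload targets (unstable); a stable suite gets its own upload with its own version string.

```python
# Added example (not dpkg's or the report's code): dpkg version ordering, used to check nginx versions from this report
FOUND_VERSIONS = ("1.10.3-1", "1.10.3-1+deb9u2", "1.14.2-2")   # Control: found / Version: lines of the report
FIXED_IN_UNSTABLE = "1.14.2-3"                                  # upload that closed #935037 (assumes the unstable suite)

def _order(c):
    # dpkg weight: '~' sorts before end of string (0), digits 0, letters by code, other characters after letters
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Alternate non-digit runs (compared by weight) and digit runs (numerically, leading zeros dropped)
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1 with the same ordering as `dpkg --compare-versions`
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for r in (_verrevcmp(ua, ub), _verrevcmp(ra, rb)):
        if r:
            return 1 if r > 0 else -1
    return 0

def is_fixed(installed, fixed=FIXED_IN_UNSTABLE):
    return compare_versions(installed, fixed) >= 0
```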
