Bug#935037: marked as done (nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)

2019-08-23 Thread Debian Bug Tracking System
Your message dated Fri, 23 Aug 2019 07:57:04 +
with message-id 
and subject line Bug#935037: fixed in nginx 1.14.2-2+deb10u1
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
935037: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935037
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Version: 1.14.2-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.10.3-1+deb9u2
Control: found -1 1.10.3-1

Hi,

The following vulnerabilities were published for nginx.

CVE-2019-9511[0]:
| Some HTTP/2 implementations are vulnerable to window size manipulation
| and stream prioritization manipulation, potentially leading to a
| denial of service. The attacker requests a large amount of data from a
| specified resource over multiple streams. They manipulate window size
| and stream priority to force the server to queue the data in 1-byte
| chunks. Depending on how efficiently this data is queued, this can
| consume excess CPU, memory, or both.


CVE-2019-9513[1]:
| Some HTTP/2 implementations are vulnerable to resource loops,
| potentially leading to a denial of service. The attacker creates
| multiple request streams and continually shuffles the priority of the
| streams in a way that causes substantial churn to the priority tree.
| This can consume excess CPU.


CVE-2019-9516[2]:
| Some HTTP/2 implementations are vulnerable to a header leak,
| potentially leading to a denial of service. The attacker sends a
| stream of headers with a 0-length header name and 0-length header
| value, optionally Huffman encoded into 1-byte or greater headers. Some
| implementations allocate memory for these headers and keep the
| allocation alive until the session dies. This can consume excess
| memory.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9511
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
    https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089
[1] https://security-tracker.debian.org/tracker/CVE-2019-9513
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
    https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f
[2] https://security-tracker.debian.org/tracker/CVE-2019-9516
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
    https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89
[3] https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
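The three attack patterns quoted in the report above, as an added example that is not part of the bug report, the nginx patches or the Debian package: a small Python HTTP/2 frame reader with an HPACK field-layout scanner and three per-connection rules of the kind a server needs against them. Only the RFC 7540 frame format and the RFC 7541 field encodings are taken from the standards; the thresholds (100 PRIORITY frames, 50 WINDOW_UPDATE increments under 64 bytes), the rule names, the `ConnectionGuard`/`check_stream` API and the sample streams are this example's own assumptions. It does not reassemble CONTINUATION frames, and it judges a Huffman-coded header name by its coded length only, so a Huffman name of one byte or more that decodes to the empty string is not caught.

```python
"""Added example, not nginx code and not the Debian patch: a frame-level guard for
the three HTTP/2 abuse patterns in the report. RFC 7540 framing and RFC 7541 HPACK
field layout are real; thresholds and rule names are assumptions. CONTINUATION is
not reassembled and Huffman-coded names are judged by coded length only."""
from dataclasses import dataclass
HEADERS, PRIORITY, WINDOW_UPDATE = 1, 2, 8                  # RFC 7540 s.6 frame types
FLAG_END_HEADERS, FLAG_PADDED, FLAG_PRIORITY = 0x04, 0x08, 0x20

def build_frame(ftype, flags, stream_id, payload):
    """24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload); a short trailing frame is an error."""
    off = 0
    while off < len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        payload = buf[off + 9:off + 9 + length]
        if off + 9 > len(buf) or len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield buf[off + 3], buf[off + 4], int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF, payload
        off += 9 + length

def hpack_int(data, off, prefix_bits):
    """HPACK integer with an N-bit prefix (RFC 7541 s.5.1) -> (value, next offset)."""
    mask = (1 << prefix_bits) - 1
    value, off, shift = data[off] & mask, off + 1, 0
    while value >= mask and (shift == 0 or data[off - 1] & 0x80):   # continuation bytes, 7 bits each
        value += (data[off] & 0x7F) << shift
        off, shift = off + 1, shift + 7
    return value, off

def hpack_string(data, off):
    """HPACK string literal (RFC 7541 s.5.2) -> (raw bytes, next offset)."""
    length, off = hpack_int(data, off, 7)        # top bit of the first byte is the Huffman flag
    if off + length > len(data):
        raise ValueError("string literal runs past the end of the header block")
    return data[off:off + length], off + length

def literal_name_lengths(block):
    """Coded name length of each field whose name is a literal; tables are not consulted."""
    off = 0
    while off < len(block):
        first = block[off]
        if first & 0x80:                          # 1xxxxxxx indexed field
            _, off = hpack_int(block, off, 7)
            continue
        if first & 0x40:                          # 01xxxxxx literal, incremental indexing
            index, off = hpack_int(block, off, 6)
        elif first & 0x20:                        # 001xxxxx dynamic table size update
            _, off = hpack_int(block, off, 5)
            continue
        else:                                     # 0000xxxx / 0001xxxx literal, no indexing
            index, off = hpack_int(block, off, 4)
        if index == 0:                            # index 0: the name follows as a literal
            name, off = hpack_string(block, off)
            yield len(name)
        _, off = hpack_string(block, off)         # the value is always a literal

@dataclass
class ConnectionGuard:
    """Per-connection counters; the thresholds are assumptions, not nginx's limits."""
    max_priority_frames: int = 100       # PRIORITY churn cap (CVE-2019-9513 pattern)
    tiny_window_bytes: int = 64          # a WINDOW_UPDATE increment below this is a dribble
    max_tiny_window_updates: int = 50    # dribble cap (CVE-2019-9511 pattern)
    priority_frames: int = 0
    tiny_window_updates: int = 0

    def inspect(self, frame):
        """None if the frame is acceptable, else the name of the rule it violates."""
        ftype, flags, _stream_id, payload = frame
        if ftype == PRIORITY:
            self.priority_frames += 1
            if self.priority_frames > self.max_priority_frames:
                return "PRIORITY flood (CVE-2019-9513 pattern)"
        elif ftype == WINDOW_UPDATE:
            if (int.from_bytes(payload[:4], "big") & 0x7FFFFFFF) < self.tiny_window_bytes:
                self.tiny_window_updates += 1
                if self.tiny_window_updates > self.max_tiny_window_updates:
                    return "window-size dribble (CVE-2019-9511 pattern)"
        elif ftype == HEADERS:                   # strip Pad Length, priority fields and Padding
            pad = payload[0] if flags & FLAG_PADDED else 0
            start = (1 if flags & FLAG_PADDED else 0) + (5 if flags & FLAG_PRIORITY else 0)
            if any(n == 0 for n in literal_name_lengths(payload[start:len(payload) - pad])):
                return "zero-length header name (CVE-2019-9516 pattern)"

def check_stream(buf):
    """First violated rule (where a real server would answer with GOAWAY), or None."""
    guard = ConnectionGuard()
    return next((v for v in map(guard.inspect, parse_frames(buf)) if v), None)

def literal_header(name, value):
    """Literal field without indexing, plain (non-Huffman) strings under 127 bytes."""
    return b"\x00" + bytes([len(name)]) + name + bytes([len(value)]) + value

# Constructed traffic for the demonstration, not captured from a real client.
PRIO = b"\x00\x00\x00\x00\x10"                   # PRIORITY payload: depend on stream 0, weight 16
BENIGN = (build_frame(HEADERS, FLAG_END_HEADERS, 1, literal_header(b"x-test", b"1"))
          + build_frame(WINDOW_UPDATE, 0, 0, (65535).to_bytes(4, "big"))
          + build_frame(PRIORITY, 0, 1, PRIO))
EMPTY_NAME = build_frame(HEADERS, FLAG_END_HEADERS, 3, literal_header(b"", b""))
PRIORITY_FLOOD = b"".join(build_frame(PRIORITY, 0, 2 * i + 1, PRIO) for i in range(150))
WINDOW_DRIBBLE = b"".join(build_frame(WINDOW_UPDATE, 0, 1, (1).to_bytes(4, "big")) for _ in range(60))
```

`check_stream(BENIGN)` returns None; each of the other three constructed streams returns the name of the rule it trips. The design point is the one the descriptions make: every one of these frames is individually legal, so the server has to bound the work a client can force per frame (priority reshuffles, tiny window credits) across the connection, and a zero-length header name is better rejected at the HPACK layer than allocated and kept for the life of the session.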
--- Begin Message ---
Source: nginx
Source-Version: 1.14.2-2+deb10u1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Tue, 20 Aug 2019 11:22:25 EEST
Source: nginx
Architecture: source
Version: 1.14.2-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Nginx Maintainers 

Changed-By: Christos Trochalakis 
Closes: 935037
Changes:
 nginx (1.14.2-2+deb10u1) buster-security; urgency=high
 .
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
     Those fixes affect Nginx HTTP/2 implementation, which might cause
     excessive memory consumption and CPU 

Bug#935037: marked as done (nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)

2019-08-22 Thread Debian Bug Tracking System
Your message dated Fri, 23 Aug 2019 05:47:47 +
with message-id 
and subject line Bug#935037: fixed in nginx 1.10.3-1+deb9u3
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.

--- Begin Message ---
Source: nginx
Source-Version: 1.10.3-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 19 Aug 2019 12:31:19 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras libnginx-mod-http-geoip libnginx-mod-http-image-filter libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter 

Bug#935037: marked as done (nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)

2019-08-19 Thread Debian Bug Tracking System
Your message dated Mon, 19 Aug 2019 11:10:42 +
with message-id 
and subject line Bug#935037: fixed in nginx 1.14.2-3
has caused the Debian Bug report #935037,
regarding nginx: CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
to be marked as done.

--- Begin Message ---
Source: nginx
Source-Version: 1.14.2-3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 935...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Mon, 19 Aug 2019 11:30:08 +0300
Source: nginx
Architecture: source
Version: 1.14.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers 

Changed-By: Christos Trochalakis 
Closes: 935037
Changes:
 nginx (1.14.2-3) unstable; urgency=high
 .
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
     Those fixes affect Nginx HTTP/2 implementation, which might cause
     excessive memory consumption and CPU usage.
     (CVE-2019-9511, CVE-2019-9513,