Bug 23821

Summary: nginx new security issues CVE-2018-1684[3-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, lewyssmith, marja11, mhrambo3501, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: nginx-1.10.3-1.1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-11-08 18:21:27 CET 
Ubuntu has issued an advisory on November 7:
https://usn.ubuntu.com/3812-1/
Comment 1 Marja Van Waes 2018-11-08 22:59:43 CET 
signing to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo

Comment 2 Mike Rambo 2018-11-15 16:45:51 CET 
Patched package uploaded for Mageia 6.

Advisory:
========================

Patched nginx package fixes security vulnerabilities:

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption (CVE-2018-16843).

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage (CVE-2018-16844).

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file (CVE-2018-16845).


References:
https://usn.ubuntu.com/3812-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845
========================

Updated packages in core/updates_testing:
========================
nginx-1.10.3-1.2.mga6

from nginx-1.10.3-1.2.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18595#c4

Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2018-11-16 12:45:37 CET 
Mageia 6, x86_64

Replaced httpd.service with nginx and checked that the introductory page was presented at localhost.
Updated, restarted the service and pointed the browser at localhost.  Welcome page came up OK.  Normal browsing is working fine, including Youtube.

This looks OK for 64-bits.

CC: (none) => tarazed25

Len Lawrence 2018-11-16 12:45:57 CET

Whiteboard: (none) => MGA6-64-OK

Comment 4 Thomas Andrews 2018-11-16 15:52:57 CET 
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Lewis Smith 2018-11-17 20:59:38 CET

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-11-17 23:24:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0459.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED