Bug 23821 - nginx new security issues CVE-2018-1684[3-5]
Summary: nginx new security issues CVE-2018-1684[3-5]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-11-08 18:21 CET by David Walser
Modified: 2018-11-17 23:24 CET (History)
CC List: 6 users

See Also:
Source RPM: nginx-1.10.3-1.1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-11-08 18:21:27 CET
Ubuntu has issued an advisory on November 7:
https://usn.ubuntu.com/3812-1/
Comment 1 Marja Van Waes 2018-11-08 22:59:43 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, mrambo

Comment 2 Mike Rambo 2018-11-15 16:45:51 CET
Patched package uploaded for Mageia 6.

Advisory:
========================

Patched nginx package fixes security vulnerabilities:

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption (CVE-2018-16843).

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage (CVE-2018-16844).

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause an infinite loop in a worker process, cause a worker process crash, or result in worker process memory disclosure by using a specially crafted mp4 file (CVE-2018-16845).


References:
https://usn.ubuntu.com/3812-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845
========================

Updated packages in core/updates_testing:
========================
nginx-1.10.3-1.2.mga6

from nginx-1.10.3-1.2.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18595#c4

Keywords: (none) => has_procedure
Assignee: pkg-bugs => qa-bugs

Comment 3 Len Lawrence 2018-11-16 12:45:37 CET
Mageia 6, x86_64

Replaced httpd.service with nginx and checked that the introductory page was presented at localhost.
Updated, restarted the service and pointed the browser at localhost. Welcome page came up OK. Normal browsing is working fine, including YouTube.

This looks OK for 64-bit.

CC: (none) => tarazed25

Len Lawrence 2018-11-16 12:45:57 CET

Whiteboard: (none) => MGA6-64-OK

Comment 4 Thomas Andrews 2018-11-16 15:52:57 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Lewis Smith 2018-11-17 20:59:38 CET

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 5 Mageia Robot 2018-11-17 23:24:37 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0459.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

