Bug 25303 - nginx security issues CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-14 07:26 CEST by Stig-Ørjan Smelror
Modified: 2019-11-30 14:07 CET

See Also:
Source RPM: nginx-1.16.0-1.mga7.src.rpm
CVE: CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
Status comment:



Description Stig-Ørjan Smelror 2019-08-14 07:26:49 CEST
Upstream has fixed 3 issues

https://nginx.org/en/CHANGES-1.16
https://nginx.org/en/CHANGES
Stig-Ørjan Smelror 2019-08-14 07:27:16 CEST

CVE: (none) => CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
Whiteboard: (none) => MGA7TOO

Comment 1 Stig-Ørjan Smelror 2019-08-14 07:36:40 CEST
Nginx updated to 1.17.3 for Cauldron

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Source RPM: nginx-1.17.2-1.mga8.src.rpm => nginx-1.16.0-1.mga7.src.rpm

Comment 2 Stig-Ørjan Smelror 2019-08-14 07:39:45 CEST
Advisory
========

When using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).


References
==========
https://nginx.org/en/CHANGES-1.16


Files
=====

Uploaded to core/updates_testing

nginx-1.16.1-1.mga7

from nginx-1.16.1-1.mga7.src.rpm

Assignee: smelror => qa-bugs

Comment 3 David Walser 2019-08-16 20:10:56 CEST
Ubuntu has issued an advisory for this on August 15:
https://usn.ubuntu.com/4099-1/

Mageia 6 is also affected.

CC: (none) => qa-bugs
Whiteboard: (none) => MGA6TOO
Assignee: qa-bugs => smelror

David Walser 2019-08-16 20:11:05 CEST

Severity: normal => major

Comment 4 David Walser 2019-08-28 22:15:33 CEST
Debian has issued an advisory for this on August 22:
https://www.debian.org/security/2019/dsa-4505
David Walser 2019-11-26 22:51:17 CET

Assignee: smelror => qa-bugs
CC: qa-bugs => smelror
Whiteboard: MGA6TOO => (none)

Comment 5 Herman Viaene 2019-11-28 13:52:14 CET
MGA7-64 Plasma on Lenovo B50 
No installation issues
Followed procedure as per bug 13044:
# systemctl stop httpd
# nginx 
then point browser at http://localhost/
and get in the page: "Welcome to nginx 1.6.2 on Mageia!"

OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2019-11-29 01:09:31 CET
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-11-30 12:03:57 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-11-30 14:07:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0342.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

