Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 670496 (CVE-2018-16843, CVE-2018-16844, CVE-2018-16845)

Summary: <www-servers/nginx-{1.14.1,1.15.6}: multiple vulnerabilities (CVE-2018-{16843,16844,16845})
Product: Gentoo Security Reporter: Vlad K. <vk-gentoo-bugs>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dev-zero, whissi
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
www-servers/nginx-1.14.1
Runtime testing required: ---

Description Vlad K. 2018-11-06 15:39:46 UTC
Multiple issues have been found in nginx. The issues are fixed in nginx 1.15.6, 1.14.1.


* CVE-2018-16843
  CVE-2018-16844

  http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html

  Two security issues were identified in nginx HTTP/2 implementation, which
  might cause excessive memory consumption (CVE-2018-16843) and CPU usage
  (CVE-2018-16844).

  The issues affect nginx compiled with the ngx_http_v2_module (not compiled by
  default) if the "http2" option of the "listen" directive is used in a
  configuration file.


* CVE-2018-16845

  http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html

  A security issue was identified in the ngx_http_mp4_module, which might allow
  an attacker to cause infinite loop in a worker process, cause a worker
  process crash, or might result in worker process memory disclosure by using a
  specially crafted mp4 file.

--
Gentoo Security Scout
Vladimir Krstulja
Comment 1 Larry the Git Cow gentoo-dev 2018-11-06 16:04:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=931ea67612c9eb3f435cdf42b3401181e40e6bce

commit 931ea67612c9eb3f435cdf42b3401181e40e6bce
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 16:03:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 16:04:06 +0000

    www-servers/nginx: bump to v1.14.1 stable
    
    - nginScript module bumped to v0.2.5
    
    - HTTP VHost Traffic Status module bumped to commit 46d85558e344dfe
    
    - brotli module bumped to commit 8104036af9cff
    
    Bug: https://bugs.gentoo.org/670496
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest            |    1 +
 www-servers/nginx/nginx-1.14.1.ebuild | 1081 +++++++++++++++++++++++++++++++++
 2 files changed, 1082 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=395959f0a2392993b260566a518de96f16d66daf

commit 395959f0a2392993b260566a518de96f16d66daf
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-11-06 15:58:12 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-11-06 16:04:04 +0000

    www-servers/nginx: bump to v1.15.6 mainline
    
    - nginScript module bumped to v0.2.5
    
    - brotli module bumped to commit 8104036af9cff
    
    Bug: https://bugs.gentoo.org/670496
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-servers/nginx/Manifest                         |    3 +
 .../nginx/files/http_brotli-detect-brotli-r2.patch |   30 +
 www-servers/nginx/nginx-1.15.6.ebuild              | 1081 ++++++++++++++++++++
 3 files changed, 1114 insertions(+)
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-11-06 16:09:24 UTC
Note that comment #0 is a copy from upstream advisories. Gentoo has set USE=+http2 by default for example.


@ Arches,

please test and mark stable: =www-servers/nginx-1.14.1
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-11-06 21:33:59 UTC
amd64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-11-07 23:45:36 UTC
x86 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-11-11 22:48:27 UTC
GLSA Vote: No!

Repository is clean, all done.