Bug#913090: marked as done (nginx: CVE-2018-16843 CVE-2018-16844 CVE-2018-16845)

Sat, 10 Nov 2018 03:21:26 -0800 

Your message dated Sat, 10 Nov 2018 11:17:21 +0000
with message-id <e1glrgt-000cn9...@fasolo.debian.org>
and subject line Bug#913090: fixed in nginx 1.10.3-1+deb9u2
has caused the Debian Bug report #913090,
regarding nginx: CVE-2018-16843 CVE-2018-16844 CVE-2018-16845
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
913090: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913090
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Source: nginx
Version: 1.10.3-1
Severity: important
Tags: security upstream
Control: found -1 1.10.3-1+deb9u1
Control: found -1 1.14.0-1

Hi,

The following vulnerabilities were published for nginx.

CVE-2018-16843[0]:
Excessive memory usage in HTTP/2

CVE-2018-16844[1]:
Excessive CPU usage in HTTP/2

CVE-2018-16845[2]:
Memory disclosure in the ngx_http_mp4_module

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16843
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843
[1] https://security-tracker.debian.org/tracker/CVE-2018-16844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16844
[2] https://security-tracker.debian.org/tracker/CVE-2018-16845
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845

Regards,
Salvatore

--- End Message ---
--- Begin Message --- 
Source: nginx
Source-Version: 1.10.3-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochala...@debian.org> (supplier of updated nginx 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Nov 2018 07:40:42 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras 
libnginx-mod-http-geoip libnginx-mod-http-image-filter 
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream 
libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua 
libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo 
libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter 
libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex 
libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter 
libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers 
<pkg-nginx-maintain...@lists.alioth.debian.org>
Changed-By: Christos Trochalakis <ctrochala...@debian.org>
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers 
for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-full - nginx web/proxy server (standard version)
 nginx-light - nginx web/proxy server (basic version)
Closes: 913090
Changes:
 nginx (1.10.3-1+deb9u2) stretch-security; urgency=high
 .
   * Backport http2_max_requests directive needed for
     CVE-2018-16844 mitigation
   * Backport upstream fixes for 3 CVEs (Closes: #913090)
     + CVE-2018-16843 Excessive memory usage in HTTP/2
     + CVE-2018-16844 Excessive CPU usage in HTTP/2
       This change limits the maximum allowed number of idle state
       switches to 10 * http2_max_requests (i.e., 10000 by default).
       This limits possible CPU usage in one connection, and also
       imposes a limit on the maximum lifetime of a connection
     + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module
Checksums-Sha1:
 d4eb4a8ee02083cf3d089b4fd1fe8190241ac2e9 4232 nginx_1.10.3-1+deb9u2.dsc
 6d1f0e634a679993357e7e689f617a3b66909521 847720 
nginx_1.10.3-1+deb9u2.debian.tar.xz
 2d4c4312bca4e1e4547a292fcd1041756540ffb4 22683 
nginx_1.10.3-1+deb9u2_amd64.buildinfo
Checksums-Sha256:
 9557cbc82c09ad8f7f5a3768d44fcf17597b26c815d0e01280f45b96435fb485 4232 
nginx_1.10.3-1+deb9u2.dsc
 df36d4a157e668a1836f40ac0e97239845b9dd43217cb912aeb1e1c3791fbbfa 847720 
nginx_1.10.3-1+deb9u2.debian.tar.xz
 68bf3c53c68d5ca5c1567ea7c390567e4140289295ce877dcaecad74e58c5ec8 22683 
nginx_1.10.3-1+deb9u2_amd64.buildinfo
Files:
 67917768f9376acbcad20a9dccd80642 4232 httpd optional nginx_1.10.3-1+deb9u2.dsc
 42abc6defd19be5e8d7f64a3dbf0908f 847720 httpd optional 
nginx_1.10.3-1+deb9u2.debian.tar.xz
 3604cdd4d8c8d400342b491bf7ce87d2 22683 httpd optional 
nginx_1.10.3-1+deb9u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEf2SPbCEjyY+zKcgrETYmAKdH7NkFAlvkDa8ACgkQETYmAKdH
7NmPOw/+JzsjMY3Dj1TZ6qWmxnsgfgqo/u7Znxi06Tdt+mop2kqk+WX+SM5J3+g+
5klMXZ2WPJz0UPlLphK/koYWbmKMuEpV5iGlPXo02pQn5mxawUQSU/Sw3eo/mhd3
z8oPjiPFeth7ARfd0Hft9tbN8tKQ8hbfWyaLx7G+AZy+AVk8S/oaZrNytPke5/oI
tRVueG3Uij+mA8SUty2ax7ZdXKlVvmqXNJlbMO8lazTVxDbKgGmKgTcZ4rNVQXb9
mrtOVIEg+M9K3l86TIFSYig39ve+LEn86xMeI1myYcXb8WZ8M9U9XGxD6feVEeg/
taNfivj/q3QpsxTQipR7guRPsqvE9cFxqWk+SuBQXO+GxiRe824fa5lGB0s0Zq6g
iz4pjuwM+EvJjdhfLFuxZ9VfxyPVsXso4ED4gFefZmH0dm+S7cFOneB1/xX6Ofzl
DcDEr0bPWwDIh5H6o47aP4z0eJb4ud4SQOKbgzNqVky/c2opekfCDTe++AcIAacy
kroLyvUWVQEEj+LZP5AO2r6S+pMdhlwrc1wrgWmIo9np6n6VOUo/crMKXP+6A2Vo
OeDcMXt0nQtU5gdnq7bJwzJc6DYqBiBMQsATzFHLy+RNAz55zFuWizVao5jHFZ3N
HwzgOKfO5kpsUUAtyqRZDqvSK+29TZzB4cd0ko6lqmts6n/aeAI=
=SKqU
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to