Bug 239834

Summary: www/nginx www/nginx-devel security update
Product: Ports & Packages Reporter: Alexey <ucu8u1b-ol>
Component: Individual Port(s)Assignee: Sergey A. Osokin <osa>
Status: Closed FIXED    
Severity: Affects Many People CC: joneum
Priority: --- Flags: bugzilla: maintainer-feedback? (joneum)
Version: Latest   
Hardware: Any   
OS: Any   

Description Alexey 2019-08-13 22:48:35 UTC 
Hello!

Lot of security problems in HTTP/2 were discovered
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

some of them related to nginx implementation 

http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

------------
Several security issues were identified in nginx HTTP/2
implementation, which might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
------------
nginx released version 1.16.1
http://mailman.nginx.org/pipermail/nginx-announce/2019/000248.html

-------------
Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).
--------------
and
dev version 1.17.3 (there are more fixes released also, not only HTTP2)
http://mailman.nginx.org/pipermail/nginx-announce/2019/000247.html
------------------
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "resolver" directive was used in SMTP proxy.
---------------

Security problems related to all users who had enable http2 at build time and added the http2 option to list directive in nginx configuration. HTTPv2 option is enabled in ports tree by default.

With best regards
/Alexey
Comment 1 Jochen Neumeister freebsd_committer freebsd_triage 2019-08-14 07:59:56 UTC 
www/nginx is landed in r508898

give ticket to osa
Comment 2 Jochen Neumeister freebsd_committer freebsd_triage 2019-08-14 08:00:55 UTC 
@osa: vuxml entry is done for both: https://svnweb.freebsd.org/changeset/ports/508895