Bug 239834 - www/nginx www/nginx-devel security update
Summary: www/nginx www/nginx-devel security update
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Sergey A. Osokin
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-13 22:48 UTC by Alexey
Modified: 2019-08-14 08:34 UTC (History)
1 user (show)

See Also:
bugzilla: maintainer-feedback? (joneum)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey 2019-08-13 22:48:35 UTC
Hello!

Lot of security problems in HTTP/2 were discovered
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

some of them related to nginx implementation 

http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

------------
Several security issues were identified in nginx HTTP/2
implementation, which might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
------------
nginx released version 1.16.1
http://mailman.nginx.org/pipermail/nginx-announce/2019/000248.html

-------------
Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).
--------------
and
dev version 1.17.3 (there are more fixes released also, not only HTTP2)
http://mailman.nginx.org/pipermail/nginx-announce/2019/000247.html
------------------
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "resolver" directive was used in SMTP proxy.
---------------

Security problems related to all users who had enable http2 at build time and added the http2 option to list directive in nginx configuration. HTTPv2 option is enabled in ports tree by default.

With best regards
/Alexey
Comment 1 Jochen Neumeister freebsd_committer 2019-08-14 07:59:56 UTC
www/nginx is landed in r508898

give ticket to osa
Comment 2 Jochen Neumeister freebsd_committer 2019-08-14 08:00:55 UTC
@osa: vuxml entry is done for both: https://svnweb.freebsd.org/changeset/ports/508895