Hello! A lot of security problems in HTTP/2 were discovered: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Some of them are related to the nginx implementation: http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

------------
Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.

The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1.

Thanks to Jonathan Looney from Netflix for discovering these issues.
------------

nginx released version 1.16.1: http://mailman.nginx.org/pipermail/nginx-announce/2019/000248.html

-------------
Changes with nginx 1.16.1                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).
--------------

and dev version 1.17.3 (there are more fixes released also, not only HTTP/2): http://mailman.nginx.org/pipermail/nginx-announce/2019/000247.html

------------------
Changes with nginx 1.17.3                                        13 Aug 2019

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
       CVE-2019-9516).

    *) Bugfix: "zero size buf" alerts might appear in logs when using
       gzipping; the bug had appeared in 1.17.2.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       "resolver" directive was used in SMTP proxy.
---------------

The security problems affect all users who enabled http2 at build time and added the http2 option to the listen directive in the nginx configuration. The HTTPv2 option is enabled in the ports tree by default.

With best regards
/Alexey
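A local check for the three exposure conditions stated in the announcement quoted above (version inside 1.9.5 - 1.17.2 and below the branch fix, ngx_http_v2_module built in, http2 on a listen directive), added here as an example that is not part of this bug report or of nginx itself; the `nginx -V` and `nginx -T` samples it runs on are constructed:

```python
import re

# Version facts quoted from the nginx announcement in the comment above.
AFFECTED_MIN = (1, 9, 5)
AFFECTED_MAX = (1, 17, 2)
FIXED_BY_BRANCH = {16: (1, 16, 1), 17: (1, 17, 3)}  # stable 1.16.x, mainline 1.17.x

# Constructed sample of `nginx -V` output (not from the bug report) for an affected build.
SAMPLE_NGINX_V = """nginx version: nginx/1.16.0
built with OpenSSL 1.1.1c  28 May 2019
configure arguments: --prefix=/usr/local/etc/nginx --with-http_v2_module --with-http_ssl_module
"""

# Constructed sample of `nginx -T` output: one http2 listen, one commented out.
SAMPLE_CONF = """server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name example.org;
}
"""

def parse_version(nginx_v_output):
    """Return the (major, minor, patch) tuple from the 'nginx version:' line."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no 'nginx version:' line in input")
    return tuple(int(x) for x in m.groups())

def version_vulnerable(v):
    """True if v is inside 1.9.5 - 1.17.2 and below the fix on its branch."""
    fixed = FIXED_BY_BRANCH.get(v[1])
    if fixed and v >= fixed:
        return False  # 1.16.1+ and 1.17.3+ carry the fix
    return AFFECTED_MIN <= v <= AFFECTED_MAX

def http2_module_built(nginx_v_output):
    """ngx_http_v2_module is not built by default; nginx -V shows the configure flag."""
    return "--with-http_v2_module" in nginx_v_output

def http2_listen_directives(config_text):
    """listen directives that enable http2, ignoring '#' comments."""
    stripped = re.sub(r"#.*", "", config_text)
    return [d.strip() for d in re.findall(r"listen\s+[^;]*\bhttp2\b[^;]*;", stripped)]

def assess(nginx_v_output, config_text):
    """Exposed only when all three conditions from the announcement hold."""
    v = parse_version(nginx_v_output)
    listens = http2_listen_directives(config_text)
    exposed = version_vulnerable(v) and http2_module_built(nginx_v_output) and bool(listens)
    return {"version": v, "http2_listen": listens, "exposed": exposed}
```

On a real host feed it the output of `nginx -V 2>&1` and `nginx -T 2>/dev/null`; a result with `exposed` true means update to 1.16.1/1.17.3 or remove http2 from the listen directives.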
www/nginx has landed in r508898; giving the ticket to osa.
@osa: vuxml entry is done for both: https://svnweb.freebsd.org/changeset/ports/508895