Debian 10261 Published by

Updated Nginx packages has been released for both Debian GNU/Linux 8 LTS and 9:

DLA 1572-1: nginx security update
DSA 4335-1: nginx security update



DLA 1572-1: nginx security update




Package : nginx
Version : 1.6.2-5+deb8u6
CVE ID : CVE-2018-16845
Debian Bug : #913090

It was discovered that there was a denial of service (DoS) vulnerability
in the nginx web/proxy server.

As there was no validation for the size of a 64-bit atom in an MP4 file,
this could have led to a CPU hog when the size was 0, or various other
problems due to integer underflow when the calculating atom data size,
including segmentation faults or even worker-process memory disclosure.

For Debian 8 "Jessie", this issue has been fixed in nginx version
1.6.2-5+deb8u6.

We recommend that you upgrade your nginx packages.




DSA 4335-1: nginx security update




- -------------------------------------------------------------------------
Debian Security Advisory DSA-4335-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 08, 2018 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : nginx
CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web
and reverse proxy server, which could in denial of service in processing
HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in
the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in
version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/