CVE-2016-0747

Published: 26 January 2016

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: nginx (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (1.9.10-1, 1.9.10, 1.8.1)
Ubuntu 16.04 ESM (Xenial Xerus)  Released (1.9.10-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr)   Released (1.4.6-1ubuntu3.4)

Patches:
Upstream: https://github.com/nginx/nginx/commit/fe89d99796d42b86816e17d9c87ab16964768024
Upstream: https://github.com/nginx/nginx/commit/4016e6b1da4fbf9c45963211791be124cd7ffb8f