CVE-2018-16843

Published: 6 November 2018

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.

Priority

CVSS 3 base score: 7.5

Status

Package	Release	Status
nginx Launchpad, Ubuntu, Debian	bionic	Released (1.14.0-0ubuntu1.2)
	cosmic	Released (1.15.5-0ubuntu2.1)
	precise	Does not exist
	trusty	Not vulnerable (code not present)
	upstream	Released (1.15.6)
	xenial	Released (1.10.3-0ubuntu0.16.04.3)
	Patches: upstream: http://hg.nginx.org/nginx/rev/d4448892a294

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16843
http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html
https://ubuntu.com/security/notices/USN-3812-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›