USN-3812-1: nginx vulnerabilities
7 November 2018
Several security issues were fixed in nginx.
Releases
Packages
- nginx - small, powerful, scalable web/proxy server
Details
It was discovered that nginx incorrectly handled the HTTP/2 implementation.
A remote attacker could possibly use this issue to cause excessive memory
consumption, leading to a denial of service. This issue only affected
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16843)
Gal Goldshtein discovered that nginx incorrectly handled the HTTP/2
implementation. A remote attacker could possibly use this issue to cause
excessive CPU usage, leading to a denial of service. This issue only
affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10.
(CVE-2018-16844)
It was discovered that nginx incorrectly handled the ngx_http_mp4_module
module. A remote attacker could possibly use this issue with a specially
crafted mp4 file to cause nginx to crash, stop responding, or access
arbitrary memory. (CVE-2018-16845)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 18.10
-
nginx-common
-
1.15.5-0ubuntu2.1
-
nginx-core
-
1.15.5-0ubuntu2.1
-
nginx-extras
-
1.15.5-0ubuntu2.1
-
nginx-full
-
1.15.5-0ubuntu2.1
-
nginx-light
-
1.15.5-0ubuntu2.1
Ubuntu 18.04
-
nginx-common
-
1.14.0-0ubuntu1.2
-
nginx-core
-
1.14.0-0ubuntu1.2
-
nginx-extras
-
1.14.0-0ubuntu1.2
-
nginx-full
-
1.14.0-0ubuntu1.2
-
nginx-light
-
1.14.0-0ubuntu1.2
Ubuntu 16.04
-
nginx-common
-
1.10.3-0ubuntu0.16.04.3
-
nginx-core
-
1.10.3-0ubuntu0.16.04.3
-
nginx-extras
-
1.10.3-0ubuntu0.16.04.3
-
nginx-full
-
1.10.3-0ubuntu0.16.04.3
-
nginx-light
-
1.10.3-0ubuntu0.16.04.3
Ubuntu 14.04
-
nginx-common
-
1.4.6-1ubuntu3.9
-
nginx-core
-
1.4.6-1ubuntu3.9
-
nginx-extras
-
1.4.6-1ubuntu3.9
-
nginx-full
-
1.4.6-1ubuntu3.9
-
nginx-light
-
1.4.6-1ubuntu3.9
In general, a standard system update will make all the necessary changes.