openSUSE Security Update: Security update for nginx
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2019:0195-1
Rating:             moderate
References:         #1115015 #1115022 #1115025 
Cross-References:   CVE-2018-16843 CVE-2018-16844 CVE-2018-16845
                   
Affected Products:
                    openSUSE Leap 42.3
                    openSUSE Leap 15.0
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for nginx fixes the following issues:

   nginx was updated to 1.14.2:

   - Bugfix: nginx could not be built on Fedora 28 Linux.
   - Bugfix: in handling of client addresses when using unix domain listen
     sockets to work with datagrams on Linux.
   - Change: the logging level of the "http request", "https proxy request",
     "unsupported protocol", "version too low", "no suitable key share", and
     "no suitable signature algorithm" SSL errors has been lowered from
     "crit" to "info".
   - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to switch
     off "ssl_prefer_server_ciphers" in a virtual server if it was switched
     on in the default server.
   - Bugfix: nginx could not be built with LibreSSL 2.8.0.
   - Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
     1.1.1, the TLS 1.3 protocol was always enabled.
   - Bugfix: sending a disk-buffered request body to a gRPC backend might
     fail.
   - Bugfix: connections with some gRPC backends might not be cached when
     using the "keepalive" directive.
   - Bugfix: a segmentation fault might occur in a worker process if the
     ngx_http_mp4_module was used on 32-bit platforms.

   Changes with nginx 1.14.1:

   - Security: when using HTTP/2 a client might cause excessive memory
     consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
   - Security: processing of a specially crafted mp4 file with the
     ngx_http_mp4_module might result in worker process memory disclosure
     (CVE-2018-16845).
   - Bugfix: working with gRPC backends might result in excessive memory
     consumption.

   Changes with nginx 1.13.12:

   - Bugfix: connections with gRPC backends might be closed unexpectedly when
     returning a large response.

   Changes with nginx 1.13.10

   - Feature: the "set" parameter of the "include" SSI directive now allows
     writing arbitrary responses to a variable; the
     "subrequest_output_buffer_size" directive defines maximum response size.
   - Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available, to
     avoid timeouts being incorrectly triggered on system time changes.
   - Feature: the "escape=none" parameter of the "log_format" directive.
     Thanks to Johannes Baiter and Calin Don.
   - Feature: the $ssl_preread_alpn_protocols variable in the
     ngx_stream_ssl_preread_module.
   - Feature: the ngx_http_grpc_module.
   - Bugfix: in memory allocation error handling in the "geo" directive.
   - Bugfix: when using variables in the "auth_basic_user_file" directive a
     null character might appear in logs. Thanks to Vadim Filimonov.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2019-195=1

   - openSUSE Leap 15.0:

      zypper in -t patch openSUSE-2019-195=1



Package List:

   - openSUSE Leap 42.3 (i586 x86_64):

      nginx-1.14.2-2.7.1
      nginx-debuginfo-1.14.2-2.7.1
      nginx-debugsource-1.14.2-2.7.1

   - openSUSE Leap 42.3 (noarch):

      vim-plugin-nginx-1.14.2-2.7.1

   - openSUSE Leap 15.0 (x86_64):

      nginx-1.14.2-lp150.2.4.1
      nginx-debuginfo-1.14.2-lp150.2.4.1
      nginx-debugsource-1.14.2-lp150.2.4.1

   - openSUSE Leap 15.0 (noarch):

      vim-plugin-nginx-1.14.2-lp150.2.4.1


References:

   https://www.suse.com/security/cve/CVE-2018-16843.html
   https://www.suse.com/security/cve/CVE-2018-16844.html
   https://www.suse.com/security/cve/CVE-2018-16845.html
   https://bugzilla.suse.com/1115015
   https://bugzilla.suse.com/1115022
   https://bugzilla.suse.com/1115025

--

openSUSE: 2019:0195-1: moderate: nginx

February 18, 2019
An update that fixes three vulnerabilities is now available.

Description

This update for nginx fixes the following issues: nginx was updated to 1.14.2: - Bugfix: nginx could not be built on Fedora 28 Linux. - Bugfix: in handling of client addresses when using unix domain listen sockets to work with datagrams on Linux. - Change: the logging level of the "http request", "https proxy request", "unsupported protocol", "version too low", "no suitable key share", and "no suitable signature algorithm" SSL errors has been lowered from "crit" to "info". - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to switch off "ssl_prefer_server_ciphers" in a virtual server if it was switched on in the default server. - Bugfix: nginx could not be built with LibreSSL 2.8.0. - Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled. - Bugfix: sending a disk-buffered request body to a gRPC backend might fail. - Bugfix: connections with some gRPC backends might not be cached when using the "keepalive" directive. - Bugfix: a segmentation fault might occur in a worker process if the ngx_http_mp4_module was used on 32-bit platforms. Changes with nginx 1.14.1: - Security: when using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). - Security: processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845). - Bugfix: working with gRPC backends might result in excessive memory consumption. Changes with nginx 1.13.12: - Bugfix: connections with gRPC backends might be closed unexpectedly when returning a large response. Changes with nginx 1.13.10 - Feature: the "set" parameter of the "include" SSI directive now allows writing arbitrary responses to a variable; the "subrequest_output_buffer_size" directive defines maximum response size. - Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available, to avoid timeouts being incorrectly triggered on system time changes. - Feature: the "escape=none" parameter of the "log_format" directive. Thanks to Johannes Baiter and Calin Don. - Feature: the $ssl_preread_alpn_protocols variable in the ngx_stream_ssl_preread_module. - Feature: the ngx_http_grpc_module. - Bugfix: in memory allocation error handling in the "geo" directive. - Bugfix: when using variables in the "auth_basic_user_file" directive a null character might appear in logs. Thanks to Vadim Filimonov.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2019-195=1 - openSUSE Leap 15.0: zypper in -t patch openSUSE-2019-195=1


Package List

- openSUSE Leap 42.3 (i586 x86_64): nginx-1.14.2-2.7.1 nginx-debuginfo-1.14.2-2.7.1 nginx-debugsource-1.14.2-2.7.1 - openSUSE Leap 42.3 (noarch): vim-plugin-nginx-1.14.2-2.7.1 - openSUSE Leap 15.0 (x86_64): nginx-1.14.2-lp150.2.4.1 nginx-debuginfo-1.14.2-lp150.2.4.1 nginx-debugsource-1.14.2-lp150.2.4.1 - openSUSE Leap 15.0 (noarch): vim-plugin-nginx-1.14.2-lp150.2.4.1


References

https://www.suse.com/security/cve/CVE-2018-16843.html https://www.suse.com/security/cve/CVE-2018-16844.html https://www.suse.com/security/cve/CVE-2018-16845.html https://bugzilla.suse.com/1115015 https://bugzilla.suse.com/1115022 https://bugzilla.suse.com/1115025--


Severity
Announcement ID: openSUSE-SU-2019:0195-1
Rating: moderate
Affected Products: openSUSE Leap 42.3 openSUSE Leap 15.0

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved