[3.7] nginx: Multiple vulnerabilities (CVE-2018-16843, CVE-2018-16844, CVE-2018-16845)
CVE-2018-16843: Excessive memory consumption via flaw in HTTP/2 implementation
Affected Versions:
nginx 1.9.5 - 1.15.5.
Fixed In Version:
nginx 1.15.6, nginx 1.14.1
Reference:
http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html
Patch:
http://hg.nginx.org/nginx/rev/1c6b6163c039
CVE-2018-16844: Excessive CPU usage via flaw in HTTP/2 implementation
Affected Versions:
nginx 1.9.5 - 1.15.5.
Fixed In Version:
nginx 1.15.6, nginx 1.14.1
Reference:
http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html
Patch:
http://hg.nginx.org/nginx/rev/9200b41db765
CVE-2018-16845: Denial of service and memory disclosure via mp4 module
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the mp4 module that allows for denial of service or worker process memory disclosure.
Fixed In Version:
nginx 1.15.6, nginx 1.14.1
Reference:
http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html
Patch:
http://nginx.org/download/patch.2018.mp4.txt
(from redmine: issue id 9660, created on 2018-11-21, closed on 2018-11-22)
- Relations:
- parent #9659 (closed)
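
The version ranges listed above, turned into a check over `nginx -v` output. This is an added example, not part of the original ticket or of nginx; the function names and sample banners are hypothetical, and the mp4 issue is treated as affecting every version before the fixes, as the ticket words it.

```python
import re

# Version boundaries copied from the ticket text.
HTTP2_FIRST_AFFECTED = (1, 9, 5)   # CVE-2018-16843 / CVE-2018-16844
FIXED_MAINLINE = (1, 15, 6)
FIXED_STABLE = (1, 14, 1)


def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version."""
    m = re.search(r"(?:nginx/)?(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True for 1.14.x from 1.14.1 onward, or anything from 1.15.6 onward."""
    if version[:2] == (1, 14):
        return version >= FIXED_STABLE
    return version >= FIXED_MAINLINE


def affected_cves(banner):
    """Return the CVE ids from this ticket that apply to the given version."""
    version = parse_version(banner)
    if is_fixed(version):
        return []
    cves = []
    if version >= HTTP2_FIRST_AFFECTED:
        cves += ["CVE-2018-16843", "CVE-2018-16844"]
    cves.append("CVE-2018-16845")  # ticket: all versions before the fixes
    return cves


if __name__ == "__main__":
    # Constructed sample banners, not taken from a real host.
    for banner in ("nginx version: nginx/1.8.1", "nginx version: nginx/1.12.2",
                   "nginx version: nginx/1.14.0", "nginx version: nginx/1.14.2",
                   "nginx version: nginx/1.15.5", "nginx version: nginx/1.15.6"):
        print(banner, "->", affected_cves(banner) or "fixed")
```

The check compares upstream version numbers only: it does not look at whether the HTTP/2 or mp4 modules are built in, and a distribution package with the patches backported is still reported as affected.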