Package: nginx / 1.10.3-1+deb9u4
Metadata
Package | Version | Patches format |
---|---|---|
nginx | 1.10.3-1+deb9u4 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
perl use dpkg buildflags.patch | src/http/modules/perl/Makefile.PL: 4 4 + 0 - 0 ! | use linker flags from environment for perl (dpkg-buildflags). Necessary for hardening flags. |
0002 Make sure signature stays the same in all nginx buil.patch | configure: 4 4 + 0 - 0 ! | make sure signature stays the same in all nginx builds. NGX_HTTP_HEADERS is part of nginx signature. When a dyn module is loaded the signature of the module is compared to the one of the nginx binary. dyn modules are built from nginx-full, so in order to make them loadable in other flavors we need to make sure all the binaries share the same signature. |
0003 define_gnu_source on other glibc based platforms.patch | src/os/unix/ngx_posix_config.h: 5 4 + 1 - 0 ! | use _gnu_source on gnu/kfreebsd. Define _GNU_SOURCE not only on GNU/Hurd, but also other glibc-based platforms including GNU/kFreeBSD. |
0004 SSL error messages style.patch | src/event/ngx_event_openssl.c: 4 2 + 2 - 0 ! | ssl: error messages style. |
0005 SSL style.patch | src/event/ngx_event_openssl.c: 8 4 + 4 - 0 ! | ssl: style. |
0006 SSL support for multiple curves ticket 885.patch | src/event/ngx_event_openssl.c: 53 48 + 5 - 0 ! | ssl: support for multiple curves (ticket #885). OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve |
CVE 2017 7529 Range filter.patch | src/http/modules/ngx_http_range_filter_module.c: 4 4 + 0 - 0 ! | [patch] range filter: protect from total size overflows. The overflow can be used to circumvent the restriction on total size of ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow allows producing ranges with negative start (such ranges can be created by using a suffix, "bytes=-100"; normally this results in 200 due to the total size check). These can result in the following errors in logs: [crit] ... pread() ... failed (22: Invalid argument); [alert] ... sendfile() failed (22: Invalid argument). When using cache, it can be also used to reveal cache file header. It is believed that there are no other negative effects, at least with standard nginx modules. In theory, this can also result in memory disclosure and/or segmentation faults if multiple ranges are allowed, and the response is returned in a single in-memory buffer. This never happens with standard nginx modules though, as well as known 3rd party modules. Fix is to properly protect from possible overflow when incrementing size. |
CVE 2018 16843 0 HTTP 2 flood detection.patch | src/http/v2/ngx_http_v2.c: 12 11 + 1 - 0 ! | [patch 11/12] http/2: flood detection. Fixed uncontrolled memory growth in case peer is flooding us with some frames (e.g., SETTINGS and PING) and doesn't read data. Fix is to limit the number of allocated control frames. |
CVE 2018 16843 1 Adapt HTTP 2 flood detection to nginx 1.10.3.patch | src/http/v2/ngx_http_v2.c: 11 10 + 1 - 0 ! | [patch] adapt http/2 flood detection to nginx 1.10.3. To mitigate CVE-2018-16843 the allocated frames have to be checked in ngx_http_v2_send_settings() as well since SETTINGS frames are handled separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432). Thanks to Nginx's Maxim Dounin for his help. |
CVE 2018 16844 0 HTTP 2 limited maximum number of requests in connect.patch | src/http/v2/ngx_http_v2.c: 30 22 + 8 - 0 ! | [patch 20/21] http/2: limited maximum number of requests in connection. The new directive "http2_max_requests" is introduced. From users' point of view it works quite similar to "keepalive_requests" but has significantly bigger default value that is more suitable for HTTP/2. |
CVE 2018 16844 1 HTTP 2 limit the number of idle state switches.patch | src/http/v2/ngx_http_v2.c: 13 10 + 3 - 0 ! | [patch 12/12] http/2: limit the number of idle state switches. An attack that continuously switches HTTP/2 connection between idle and active states can result in excessive CPU usage. This is because when a connection switches to the idle state, all of its memory pool caches are freed. This change limits the maximum allowed number of idle state switches to 10 * http2_max_requests (i.e., 10000 by default). This limits possible CPU usage in one connection, and also imposes a limit on the maximum lifetime of a connection. Initially reported by Gal Goldshtein from F5 Networks. |
CVE 2018 16845 Mp4 fixed reading 64 bit atoms.patch | src/http/modules/ngx_http_mp4_module.c: 7 7 + 0 - 0 ! | [patch 10/12] mp4: fixed reading 64-bit atoms. Previously there was no validation for the size of a 64-bit atom in an mp4 file. This could lead to a CPU hog when the size is 0, or various other problems due to integer underflow when calculating atom data size, including segmentation fault or worker process memory disclosure. |
CVE 2019 9516.patch | src/http/v2/ngx_http_v2.c: 12 8 + 4 - 0 ! | [patch 1/3] http/2: reject zero length headers with protocol_error. Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length. |
CVE 2019 9511.patch | src/http/v2/ngx_http_v2.c: 2 2 + 0 - 0 ! | [patch 2/3] http/2: limited number of data frames. Fixed excessive memory growth and CPU usage if stream windows are manipulated in a way that results in generating many small DATA frames. Fix is to limit the number of simultaneously allocated DATA frames. |
CVE 2019 9513.patch | src/http/v2/ngx_http_v2.c: 11 11 + 0 - 0 ! | [patch 3/3] http/2: limited number of priority frames. Fixed excessive CPU usage caused by a peer that continuously shuffles priority of streams. Fix is to limit the number of PRIORITY frames. Backported for Nginx 1.10. |
CVE 2019 20372.patch | src/http/ngx_http_special_response.c: 6 6 + 0 - 0 ! | [patch] discard request body when redirecting to a url via error_page. Reported by Bert JW Regeer and Francisco Oca Gonzalez. |