nginx-1.21.3-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11092 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nginx-1.21.3-1.4 on GA media These are all security issues fixed in the nginx-1.21.3-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11092 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11092 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-7529/ SUSE CVE CVE-2017-7529 page https://www.suse.com/security/cve/CVE-2018-16843/ SUSE CVE CVE-2018-16843 page https://www.suse.com/security/cve/CVE-2018-16845/ SUSE CVE CVE-2018-16845 page https://www.suse.com/security/cve/CVE-2019-20372/ SUSE CVE CVE-2019-20372 page https://www.suse.com/security/cve/CVE-2019-9511/ SUSE CVE CVE-2019-9511 page https://www.suse.com/security/cve/CVE-2019-9516/ SUSE CVE CVE-2019-9516 page https://www.suse.com/security/cve/CVE-2021-23017/ SUSE CVE CVE-2021-23017 page openSUSE Tumbleweed nginx-1.21.3-1.4 nginx-source-1.21.3-1.4 vim-plugin-nginx-1.21.3-1.4 nginx-1.21.3-1.4 as a component of openSUSE Tumbleweed nginx-source-1.21.3-1.4 as a component of openSUSE Tumbleweed vim-plugin-nginx-1.21.3-1.4 as a component of openSUSE Tumbleweed Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. CVE-2017-7529 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7529.html CVE-2017-7529 https://bugzilla.suse.com/1048265 SUSE Bug 1048265 nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. CVE-2018-16843 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16843.html CVE-2018-16843 https://bugzilla.suse.com/1115022 SUSE Bug 1115022 https://bugzilla.suse.com/1115025 SUSE Bug 1115025 nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module. CVE-2018-16845 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-16845.html CVE-2018-16845 https://bugzilla.suse.com/1115015 SUSE Bug 1115015 NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. CVE-2019-20372 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-20372.html CVE-2019-20372 https://bugzilla.suse.com/1160682 SUSE Bug 1160682 Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVE-2019-9511 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9511.html CVE-2019-9511 https://bugzilla.suse.com/1145579 SUSE Bug 1145579 https://bugzilla.suse.com/1146091 SUSE Bug 1146091 https://bugzilla.suse.com/1146182 SUSE Bug 1146182 https://bugzilla.suse.com/1193427 SUSE Bug 1193427 https://bugzilla.suse.com/1202787 SUSE Bug 1202787 Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. CVE-2019-9516 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-9516.html CVE-2019-9516 https://bugzilla.suse.com/1145582 SUSE Bug 1145582 https://bugzilla.suse.com/1146090 SUSE Bug 1146090 https://bugzilla.suse.com/1193427 SUSE Bug 1193427 A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. CVE-2021-23017 openSUSE Tumbleweed:nginx-1.21.3-1.4 openSUSE Tumbleweed:nginx-source-1.21.3-1.4 openSUSE Tumbleweed:vim-plugin-nginx-1.21.3-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-23017.html CVE-2021-23017 https://bugzilla.suse.com/1186126 SUSE Bug 1186126