phusion / passenger_apt_automation

Tools for automatically building a Debian APT repository for Phusion Passenger
MIT License

CVE-2018-16843/44 #28

Closed grumbert closed 5 years ago

grumbert commented 5 years ago

CVE-2018-16843: nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module

CVE-2018-16844: nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module

I believe this is the case for the nginx-extras deb package provided by the phusion-passenger repo: from nginx -V I can see --with-http_v2_module in the configure arguments.

The above vulnerabilities don't manifest unless you use http2 in the listen directive but it's still something that ought to be looked at. Ubuntu have released updated packages in response.

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16843.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16844.html

Thanks!
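The check described in the report (read `nginx -V`, look for `--with-http_v2_module`, compare the version against the fixed releases 1.14.1 and 1.15.6) as a small triage script. This is an added example, not code from the passenger_apt_automation project; the three `nginx -V` outputs it inspects are constructed samples, not captured from the Passenger packages.

```shell
# Triage an nginx build for CVE-2018-16843/16844: affected when ngx_http_v2_module
# is compiled in AND the version predates the fix (1.14.1 stable / 1.15.6 mainline).

# True when the configure arguments include the HTTP/2 module.
has_http2_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v2_module'
}

# Prints the version from the "nginx version: nginx/1.x.y" line.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# True when version $1 is older than the fix for its branch.
version_is_vulnerable() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        0.*) return 0 ;;                                   # predates 1.x entirely
        1.14) if [ "$patch" -lt 1 ]; then return 0; fi ;;  # stable: fixed in 1.14.1
        1.15) if [ "$patch" -lt 6 ]; then return 0; fi ;;  # mainline: fixed in 1.15.6
        1.*) if [ "$minor" -lt 14 ]; then return 0; fi ;;  # older 1.x branches never got the fix
    esac
    return 1
}

# Prints a one-line verdict for the given `nginx -V` output.
assess_nginx_h2() {
    ver=$(nginx_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse nginx version"
    elif ! has_http2_module "$1"; then
        echo "not affected: $ver built without ngx_http_v2_module"
    elif version_is_vulnerable "$ver"; then
        echo "affected: $ver has ngx_http_v2_module and predates the fix"
    else
        echo "fixed: $ver has ngx_http_v2_module and includes the fix"
    fi
}

# Constructed sample outputs (not captured from a real Passenger package).
VULN_SAMPLE='nginx version: nginx/1.15.3
configure arguments: --prefix=/usr --with-http_v2_module --with-http_ssl_module'
FIXED_SAMPLE='nginx version: nginx/1.15.7
configure arguments: --prefix=/usr --with-http_v2_module --with-http_ssl_module'
NO_H2_SAMPLE='nginx version: nginx/1.14.0
configure arguments: --prefix=/usr --with-http_ssl_module'
assess_nginx_h2 "$VULN_SAMPLE"
assess_nginx_h2 "$FIXED_SAMPLE"
assess_nginx_h2 "$NO_H2_SAMPLE"
```

On a live host, nginx writes `-V` output to stderr, so call it as `assess_nginx_h2 "$(nginx -V 2>&1)"`; the verdict only says the vulnerable code is compiled in, and as the report notes it is reachable only when `http2` is enabled on a `listen` directive.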

CamJN commented 5 years ago

The preferred nginx was bumped to 1.15.7 in Passenger 6.