CVE-2018-16843:
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the
implementation of HTTP/2 that can allow for excessive memory consumption.
This issue affects nginx compiled with the ngx_http_v2_module
CVE-2018-16844:
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the
implementation of HTTP/2 that can allow for excessive CPU usage. This issue
affects nginx compiled with the ngx_http_v2_module
I believe this is the case for the nginx-extras deb package provided by the phusion-passenger repo:
from nginx -V I can see --with-http_v2_module in the configure arguments.
The above vulnerabilities don't manifest unless you use http2 in the listen directive but it's still something that ought to be looked at. Ubuntu have released updated packages in response.
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16843.html
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16844.html
Thanks!
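
The three conditions described in the report (version before 1.15.6 / 1.14.1, a build with `--with-http_v2_module`, and `http2` on a `listen` directive) can be checked together. The following is an added example, not part of the original post or of the nginx or Passenger projects; the function names and the sample `nginx -V` and configuration text are constructed for illustration.

```python
import re

# Fixed releases named in the advisories quoted above.
FIXED_MAINLINE, FIXED_STABLE = (1, 15, 6), (1, 14, 1)

# Constructed sample inputs (not taken from the post).
SAMPLE_V = ("nginx version: nginx/1.14.0\n"
            "configure arguments: --with-http_ssl_module --with-http_v2_module\n")
SAMPLE_CONF = ("server {\n  listen 80;\n  listen 443 ssl http2;\n"
               "  # listen 8443 ssl http2;\n}\n")

def parse_nginx_v(text):
    """Return (version tuple, built_with_http2) from `nginx -V` output."""
    m = re.search(r"nginx version: \S+?/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups()), "--with-http_v2_module" in text

def upstream_fixed(version):
    """True if the upstream version number is at or past a fixed release.

    Assumption: upstream numbering. A distro package can carry a backported
    fix under an older version string, so confirm against its changelog.
    """
    if version >= FIXED_MAINLINE:
        return True
    return FIXED_STABLE <= version < (1, 15, 0)

def http2_listens(config_text):
    """Return the listen directives that enable HTTP/2, ignoring comments."""
    hits = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]
        for args in re.findall(r"(?<![\w-])listen\s+([^;]+);", line):
            if "http2" in args.split():
                hits.append("listen " + " ".join(args.split()) + ";")
    return hits

def assess(nginx_v_text, config_text):
    """Combine the three checks into one status string plus the evidence."""
    version, has_module = parse_nginx_v(nginx_v_text)
    listens = http2_listens(config_text)
    if not has_module:
        status = "not affected: built without ngx_http_v2_module"
    elif upstream_fixed(version):
        status = "fixed: upstream version at or past a fixed release"
    elif listens:
        status = "exposed: affected version with http2 listeners"
    else:
        status = "affected build: http2 not enabled on any listen directive"
    return {"version": version, "http2_listens": listens, "status": status}
```

`nginx -V` writes to stderr, so capture it with `nginx -V 2>&1`; `nginx -T` dumps the full effective configuration for the second argument.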