FEDORA-2018-aa3752ac3c created by luhliarik 2 years ago for Fedora 28
obsolete

Security fix for CVE-2018-16843, CVE-2018-16844, CVE-2018-16845 + nginx rebase to 1.14.1.

Logout Required
After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

This update has been submitted for testing by luhliarik.

2 years ago

This update has been pushed to testing.

2 years ago

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

2 years ago
anonymous commented & provided feedback 2 years ago

Newer upstream nginx 1.14.2 was released with Fedora-specific fix. Changes include:

*) Bugfix: nginx could not be built by gcc 8.1.

*) Bugfix: nginx could not be built on Fedora 28 Linux.

*) Bugfix: in handling of client addresses when using unix domain listen
   sockets to work with datagrams on Linux.

*) Change: the logging level of the "http request", "https proxy
   request", "unsupported protocol", "version too low", "no suitable key
   share", and "no suitable signature algorithm" SSL errors has been
   lowered from "crit" to "info".

*) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
   switch off "ssl_prefer_server_ciphers" in a virtual server if it was
   switched on in the default server.

*) Bugfix: nginx could not be built with LibreSSL 2.8.0.

*) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
   1.1.1, the TLS 1.3 protocol was always enabled.

*) Bugfix: sending a disk-buffered request body to a gRPC backend might
   fail.

*) Bugfix: connections with some gRPC backends might not be cached when
   using the "keepalive" directive.

*) Bugfix: a segmentation fault might occur in a worker process if the
   ngx_http_mp4_module was used on 32-bit platforms.
szydell provided feedback 2 years ago
BZ#1584426 Upstream Nginx 1.14.0 is now available
szydell commented & provided feedback 2 years ago

Looks ok.

BZ#1584426 Upstream Nginx 1.14.0 is now available


Metadata
Type: security
Severity: high
Karma: 1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
BZ#1584426 Upstream Nginx 1.14.0 is now available
0
1
BZ#1647255 CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module [fedora-all]
0
0
BZ#1647258 CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation [fedora-all]
0
0
BZ#1647259 CVE-2018-16843 nginx: Excessive memory consumption via flaw in HTTP/2 implementation [fedora-all]
0
0
