FEDORA-2018-aa3752ac3c

security update in Fedora 28 for nginx

Status: obsolete

Security fix for CVE-2018-16843, CVE-2018-16844, CVE-2018-16845 + nginx rebase to 1.14.1.

Logout Required

After installing this update, you must log out of your current user session and log back in to ensure the changes supplied by this update are applied properly.

Comments 6

This update has been submitted for testing by luhliarik.

This update has been pushed to testing.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes

Newer upstream nginx 1.14.2 was released with Fedora-specific fix. Changes include:

*) Bugfix: nginx could not be built by gcc 8.1.

*) Bugfix: nginx could not be built on Fedora 28 Linux.

*) Bugfix: in handling of client addresses when using unix domain listen
   sockets to work with datagrams on Linux.

*) Change: the logging level of the "http request", "https proxy
   request", "unsupported protocol", "version too low", "no suitable key
   share", and "no suitable signature algorithm" SSL errors has been
   lowered from "crit" to "info".

*) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
   switch off "ssl_prefer_server_ciphers" in a virtual server if it was
   switched on in the default server.

*) Bugfix: nginx could not be built with LibreSSL 2.8.0.

*) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL
   1.1.1, the TLS 1.3 protocol was always enabled.

*) Bugfix: sending a disk-buffered request body to a gRPC backend might
   fail.

*) Bugfix: connections with some gRPC backends might not be cached when
   using the "keepalive" directive.

*) Bugfix: a segmentation fault might occur in a worker process if the
   ngx_http_mp4_module was used on 32-bit platforms.

Looks ok.

karma: +1 #1584426: +1


Content Type: RPM
Status: obsolete
Test Gating
Submitted by
Update Type: security
Update Severity: high
Karma: +1 (stable threshold: 3, unstable threshold: -3)
Autopush (karma): Enabled
Autopush (time): Disabled
Dates: submitted 9 months ago, in testing 9 months ago

Related Bugs 4

0 +1 #1584426 Upstream Nginx 1.14.0 is now available
0 0 #1647255 CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module [fedora-all]
0 0 #1647258 CVE-2018-16844 nginx: Excessive CPU usage via flaw in HTTP/2 implementation [fedora-all]
0 0 #1647259 CVE-2018-16843 nginx: Excessive memory consumption via flaw in HTTP/2 implementation [fedora-all]
