nginx 1.14.1

nginx 1.14.1

Landry Breuil-5
Hi,

here's an untested diff for 1.14.1, for:

    *) Security: when using HTTP/2 a client might cause excessive memory
       consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

    *) Security: processing of a specially crafted mp4 file with the
       ngx_http_mp4_module might result in worker process memory
       disclosure (CVE-2018-16845).

    *) Bugfix: working with gRPC backends might result in excessive memory
       consumption.

still have to build it locally but it seems ruby passenger pkgs are not
available on the mirrors right now.

Landry

Attachment: nginx-141.diff (2K)

Re: nginx 1.14.1

Stuart Henderson
On 2018/11/09 08:52, Landry Breuil wrote:

> Hi,
>
> here's an untested diff for 1.14.1, for:
>
>     *) Security: when using HTTP/2 a client might cause excessive memory
>        consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
>
>     *) Security: processing of a specially crafted mp4 file with the
>        ngx_http_mp4_module might result in worker process memory
>        disclosure (CVE-2018-16845).
>
>     *) Bugfix: working with gRPC backends might result in excessive memory
>        consumption.

OK with me.

> still have to build it locally but it seems ruby passenger pkgs are not
> available on the mirrors right now.

That's fixed in -current (incompatible change in the curl update).

Re: nginx 1.14.1

Robert Nagy
In reply to this post by Landry Breuil-5

ok