NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities - NGINX
We have released updates to NGINX Open Source and NGINX Plus to fix vulnerabilities in the HTTP/2 protocol that were announced today (CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516). Upgrade as soon as possible to NGINX 1.17.3, NGINX 1.16.1, or NGINX Plus R18 P1.

There were three vulnerabilities affecting NGINX discovered by Netflix: CVE-2019-9511, CVE-2019-9513 and CVE-2019-9516. Both the current stable[1] and mainline[2] branches were patched and point releases have been issued. As I mentioned in my NGINX Extended post, I was not going to work on the 1.14.x branch any more, with the exception of security updates. Canonical backported the patches to their nginx package[3] with the following changelog:

  • SECURITY UPDATE: HTTP/2 Data Dribble issue
    debian/patches/CVE-2019-9511.patch: limited number of DATA frames in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h, src/http/v2/ngx_http_v2_filter_module.c.
  • SECURITY UPDATE: HTTP/2 Resource Loop / Priority Shuffling issue
    debian/patches/CVE-2019-9513.patch: limited number of PRIORITY frames in src/http/v2/ngx_http_v2.c, src/http/v2/ngx_http_v2.h.
  • SECURITY UPDATE: HTTP/2 0-Length Headers Leak issue
    debian/patches/CVE-2019-9516.patch: reject zero length headers with PROTOCOL_ERROR in src/http/v2/ngx_http_v2.c.
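As an added illustration (not NGINX's code and not the Canonical patches listed above), here is a small C frame-budget guard in the spirit of the "limited number of DATA/PRIORITY frames" changelog entries: it walks a buffer of HTTP/2 frames, charges each DATA and PRIORITY frame to a per-connection budget, and reports when that budget is exceeded. The frame layout follows RFC 7540; the limits, the function names and the constructed sample stream are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* HTTP/2 frame types used here (RFC 7540, section 6) and frame header size. */
enum { H2_DATA = 0x0, H2_PRIORITY = 0x2, H2_FRAME_HDR_LEN = 9 };

/* Per-connection frame budget. The limits are hypothetical values for this
 * example; the idea mirrors the "limited number of DATA/PRIORITY frames" patches. */
typedef struct {
    unsigned data_frames, priority_frames;         /* seen so far */
    unsigned max_data_frames, max_priority_frames; /* budget */
} h2_guard;

/* Write one frame (24-bit length, type, flags=0, 31-bit stream id, zero payload). */
size_t h2_put_frame(uint8_t *out, uint32_t len, uint8_t type, uint32_t sid)
{
    out[0] = (uint8_t)(len >> 16); out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    out[3] = type; out[4] = 0;
    out[5] = (uint8_t)((sid >> 24) & 0x7f); out[6] = (uint8_t)(sid >> 16);
    out[7] = (uint8_t)(sid >> 8); out[8] = (uint8_t)sid;
    memset(out + H2_FRAME_HDR_LEN, 0, len);
    return H2_FRAME_HDR_LEN + len;
}

/* Charge each DATA/PRIORITY frame in `buf` to the budget. Returns 1 while within
 * budget, 0 when the connection should be closed as a suspected flood, -1 if truncated. */
int h2_guard_scan(h2_guard *g, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + H2_FRAME_HDR_LEN <= len) {
        uint32_t flen = ((uint32_t)buf[off] << 16) | (buf[off + 1] << 8) | buf[off + 2];
        uint8_t type = buf[off + 3];
        if (flen > len - off - H2_FRAME_HDR_LEN) return -1;   /* payload cut short */
        if (type == H2_DATA && ++g->data_frames > g->max_data_frames) return 0;
        if (type == H2_PRIORITY && ++g->priority_frames > g->max_priority_frames) return 0;
        off += H2_FRAME_HDR_LEN + flen;
    }
    return off == len ? 1 : -1;
}

/* Constructed sample: `n` frames of `type` (5-byte payload, stream 1) against a
 * budget of 100 DATA / 10 PRIORITY frames. Returns the guard's verdict. */
int h2_demo_frames(uint8_t type, unsigned n)
{
    uint8_t buf[4096]; size_t used = 0;
    h2_guard g = { 0, 0, 100, 10 };
    for (unsigned i = 0; i < n && used + H2_FRAME_HDR_LEN + 5 <= sizeof buf; i++)
        used += h2_put_frame(buf + used, 5, type, 1);
    return h2_guard_scan(&g, buf, used);
}
```

In a real server the budget would be tied to the connection's concurrent-stream limit and reset as frames are consumed; here it is a fixed constant so the check is easy to follow.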

I also took these patches and rebuilt my NGINX Extended version.[4]

Taking this opportunity, I think it's worth mentioning that there is also a Docker container available with my NGINX version. The Dockerfile is available on GitHub and the image itself on Docker Hub. Internally it also uses my PPA to provide the package, so it has exactly the same version as the one provided there.

  1. 1.16.x.

  2. 1.17.x.

  3. 1.14.0-0ubuntu1.4.

  4. 1.14.2-4xenial0 and 1.14.2-4bionic0.