ALAS-2018-1125


Amazon Linux AMI Security Advisory: ALAS-2018-1125
Advisory Release Date: 2018-12-14 01:03 Pacific
Severity: Medium

Issue Overview:

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16843 )

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16844 )


Affected Packages:

nginx


Issue Correction:
Run yum update nginx to update your system.

New Packages:
i686:
    nginx-mod-stream-1.14.1-2.34.amzn1.i686
    nginx-mod-http-geoip-1.14.1-2.34.amzn1.i686
    nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.i686
    nginx-debuginfo-1.14.1-2.34.amzn1.i686
    nginx-mod-http-perl-1.14.1-2.34.amzn1.i686
    nginx-mod-mail-1.14.1-2.34.amzn1.i686
    nginx-mod-http-image-filter-1.14.1-2.34.amzn1.i686
    nginx-all-modules-1.14.1-2.34.amzn1.i686
    nginx-1.14.1-2.34.amzn1.i686

src:
    nginx-1.14.1-2.34.amzn1.src

x86_64:
    nginx-all-modules-1.14.1-2.34.amzn1.x86_64
    nginx-mod-http-image-filter-1.14.1-2.34.amzn1.x86_64
    nginx-mod-http-perl-1.14.1-2.34.amzn1.x86_64
    nginx-debuginfo-1.14.1-2.34.amzn1.x86_64
    nginx-mod-http-geoip-1.14.1-2.34.amzn1.x86_64
    nginx-mod-mail-1.14.1-2.34.amzn1.x86_64
    nginx-1.14.1-2.34.amzn1.x86_64
    nginx-mod-stream-1.14.1-2.34.amzn1.x86_64
    nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.x86_64