Amazon Linux 1 Security Advisory: ALAS-2018-1125
Advisory Release Date: 2018-12-13 17:27 Pacific
Advisory Updated Date: 2018-12-14 01:03 Pacific
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16843)
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16844)
Affected Packages:
nginx
Issue Correction:
Run yum update nginx to update your system.
i686:
nginx-mod-stream-1.14.1-2.34.amzn1.i686
nginx-mod-http-geoip-1.14.1-2.34.amzn1.i686
nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.i686
nginx-debuginfo-1.14.1-2.34.amzn1.i686
nginx-mod-http-perl-1.14.1-2.34.amzn1.i686
nginx-mod-mail-1.14.1-2.34.amzn1.i686
nginx-mod-http-image-filter-1.14.1-2.34.amzn1.i686
nginx-all-modules-1.14.1-2.34.amzn1.i686
nginx-1.14.1-2.34.amzn1.i686
src:
nginx-1.14.1-2.34.amzn1.src
x86_64:
nginx-all-modules-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-image-filter-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-perl-1.14.1-2.34.amzn1.x86_64
nginx-debuginfo-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-geoip-1.14.1-2.34.amzn1.x86_64
nginx-mod-mail-1.14.1-2.34.amzn1.x86_64
nginx-1.14.1-2.34.amzn1.x86_64
nginx-mod-stream-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.x86_64