changeset 2416:eecb26e2c4ab

nginx-1.17.3, nginx-1.16.1
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 13 Aug 2019 20:00:02 +0300
parents f5f0d3fe3608
children e35ed485070d
files text/en/CHANGES text/en/CHANGES-1.16 text/ru/CHANGES.ru text/ru/CHANGES.ru-1.16 xml/en/security_advisories.xml xml/index.xml xml/versions.xml
diffstat 7 files changed, 75 insertions(+), 0 deletions(-) [+]
--- a/text/en/CHANGES	Tue Aug 13 19:01:32 2019 +0300
+++ b/text/en/CHANGES	Tue Aug 13 20:00:02 2019 +0300
@@ -1,4 +1,17 @@
 
+Changes with nginx 1.17.3                                        13 Aug 2019
+
+    *) Security: when using HTTP/2 a client might cause excessive memory
+       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
+       CVE-2019-9516).
+
+    *) Bugfix: "zero size buf" alerts might appear in logs when using
+       gzipping; the bug had appeared in 1.17.2.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if the
+       "resolver" directive was used in SMTP proxy.
+
+
 Changes with nginx 1.17.2                                        23 Jul 2019
 
     *) Change: minimum supported zlib version is 1.2.0.4.
--- a/text/en/CHANGES-1.16	Tue Aug 13 19:01:32 2019 +0300
+++ b/text/en/CHANGES-1.16	Tue Aug 13 20:00:02 2019 +0300
@@ -1,4 +1,11 @@
 
+Changes with nginx 1.16.1                                        13 Aug 2019
+
+    *) Security: when using HTTP/2 a client might cause excessive memory
+       consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
+       CVE-2019-9516).
+
+
 Changes with nginx 1.16.0                                        23 Apr 2019
 
     *) 1.16.x stable branch.
--- a/text/ru/CHANGES.ru	Tue Aug 13 19:01:32 2019 +0300
+++ b/text/ru/CHANGES.ru	Tue Aug 13 20:00:02 2019 +0300
@@ -1,4 +1,17 @@
 
+Изменения в nginx 1.17.3                                          13.08.2019
+
+    *) Безопасность: при использовании HTTP/2 клиент мог вызвать чрезмерное
+       потребление памяти и ресурсов процессора (CVE-2019-9511,
+       CVE-2019-9513, CVE-2019-9516).
+
+    *) Исправление: при использовании сжатия в логах могли появляться
+       сообщения "zero size buf"; ошибка появилась в 1.17.2.
+
+    *) Исправление: при использовании директивы resolver в SMTP
+       прокси-сервере в рабочем процессе мог произойти segmentation fault.
+
+
 Изменения в nginx 1.17.2                                          23.07.2019
 
     *) Изменение: минимальная поддерживаемая версия zlib - 1.2.0.4.
--- a/text/ru/CHANGES.ru-1.16	Tue Aug 13 19:01:32 2019 +0300
+++ b/text/ru/CHANGES.ru-1.16	Tue Aug 13 20:00:02 2019 +0300
@@ -1,4 +1,11 @@
 
+Изменения в nginx 1.16.1                                          13.08.2019
+
+    *) Безопасность: при использовании HTTP/2 клиент мог вызвать чрезмерное
+       потребление памяти и ресурсов процессора (CVE-2019-9511,
+       CVE-2019-9513, CVE-2019-9516).
+
+
 Изменения в nginx 1.16.0                                          23.04.2019
 
     *) Стабильная ветка 1.16.x.
--- a/xml/en/security_advisories.xml	Tue Aug 13 19:01:32 2019 +0300
+++ b/xml/en/security_advisories.xml	Tue Aug 13 20:00:02 2019 +0300
@@ -24,6 +24,27 @@
 
 <security>
 
+<item name="Excessive CPU usage in HTTP/2 with small window updates"
+      severity="medium"
+      cve="2019-9511"
+      good="1.17.3+, 1.16.1+"
+      vulnerable="1.9.5-1.17.2">
+</item>
+
+<item name="Excessive CPU usage in HTTP/2 with priority changes"
+      severity="low"
+      cve="2019-9513"
+      good="1.17.3+, 1.16.1+"
+      vulnerable="1.9.5-1.17.2">
+</item>
+
+<item name="Excessive memory usage in HTTP/2 with zero length headers"
+      severity="low"
+      cve="2019-9516"
+      good="1.17.3+, 1.16.1+"
+      vulnerable="1.9.5-1.17.2">
+</item>
+
 <item name="Excessive memory usage in HTTP/2"
       severity="low"
       advisory="http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html"
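Review bot: None of the three new `<item>` entries carries an `advisory` attribute, whereas the existing HTTP/2 entry at the bottom of the hunk does (`advisory="http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html"`), so whatever renders that attribute as a link to the full announcement will show nothing for CVE-2019-9511, CVE-2019-9513 and CVE-2019-9516. If the nginx-announce posting for the 13 Aug 2019 fixes already existed when this changeset was made, adding `advisory="<nginx-announce URL for the 2019-08-13 advisory>"` to each of the three items keeps them consistent with the rest of the list; if it did not, a follow-up changeset is needed so readers have a path from the advisory table to the detailed description. The `name`, `severity`, `cve`, `good` and `vulnerable` attributes otherwise match the form of the neighbouring entry. The `<security>` container opened at the top of the hunk is closed outside it.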
--- a/xml/index.xml	Tue Aug 13 19:01:32 2019 +0300
+++ b/xml/index.xml	Tue Aug 13 20:00:02 2019 +0300
@@ -9,6 +9,18 @@
 
 <event date="2019-08-13">
 <para>
+<link doc="en/download.xml">nginx-1.16.1</link>
+stable and
+<link doc="en/download.xml">nginx-1.17.3</link>
+mainline versions have been released,
+with fixes for
+<link doc="en/security_advisories.xml">vulnerabilities in HTTP/2</link>
+(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
+</para>
+</event>
+
+<event date="2019-08-13">
+<para>
 <link doc="en/docs/njs/index.xml">njs-0.3.4</link>
 version has been released, featuring
 getter/setter literals support
--- a/xml/versions.xml	Tue Aug 13 19:01:32 2019 +0300
+++ b/xml/versions.xml	Tue Aug 13 20:00:02 2019 +0300
@@ -9,6 +9,7 @@
 
 <download tag="mainline" changes="">
 
+<item ver="1.17.3" />
 <item ver="1.17.2" />
 <item ver="1.17.1" />
 <item ver="1.17.0" />
@@ -18,6 +19,7 @@
 
 <download tag="stable" changes="1.16">
 
+<item ver="1.16.1" />
 <item ver="1.16.0" />
 <item ver="1.15.12" />
 <item ver="1.15.11" />