Security update for nginx

Announcement ID:	SUSE-SU-2019:2309-1
Rating:	important
References:	bsc#1115015 bsc#1115022 bsc#1115025 bsc#1145579 bsc#1145580 bsc#1145582
Cross-References:	CVE-2018-16843 CVE-2018-16844 CVE-2018-16845 CVE-2019-9511 CVE-2019-9513 CVE-2019-9516
CVSS scores:	CVE-2018-16843 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-16843 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16843 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16844 ( SUSE ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2018-16844 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16844 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16845 ( SUSE ): 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVE-2018-16845 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2018-16845 ( NVD ): 6.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H CVE-2019-9511 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9511 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9511 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9513 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9513 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9513 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9516 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-9516 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2019-9516 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:	Server Applications Module 15-SP1 SUSE Linux Enterprise High Performance Computing 15 SP1 SUSE Linux Enterprise Real Time 15 SP1 SUSE Linux Enterprise Server 15 SP1 SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 SUSE Manager Proxy 4.0 SUSE Manager Retail Branch Server 4.0 SUSE Manager Server 4.0

An update that solves six vulnerabilities can now be installed.

Description:

This update for nginx fixes the following issues:

Security issues fixed:

• CVE-2019-9511: Fixed a denial of service by manipulating the window size and stream prioritization (bsc#1145579).
• CVE-2019-9513: Fixed a denial of service caused by resource loops (bsc#1145580).
• CVE-2019-9516: Fixed a denial of service caused by header leaks (bsc#1145582).
• CVE-2018-16845: Fixed denial of service and memory disclosure via mp4 module (bsc#1115015).
• CVE-2018-16843: Fixed excessive memory consumption in HTTP/2 implementation (bsc#1115022).
• CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2 implementation (bsc#1115025).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Server Applications Module 15-SP1
  zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2309=1

Package List:

• Server Applications Module 15-SP1 (aarch64 ppc64le s390x x86_64)
  • nginx-debugsource-1.14.2-6.3.1
  • nginx-debuginfo-1.14.2-6.3.1
  • nginx-1.14.2-6.3.1
• Server Applications Module 15-SP1 (noarch)
  • nginx-source-1.14.2-6.3.1

References:

• https://www.suse.com/security/cve/CVE-2018-16843.html
• https://www.suse.com/security/cve/CVE-2018-16844.html
• https://www.suse.com/security/cve/CVE-2018-16845.html
• https://www.suse.com/security/cve/CVE-2019-9511.html
• https://www.suse.com/security/cve/CVE-2019-9513.html
• https://www.suse.com/security/cve/CVE-2019-9516.html
• https://bugzilla.suse.com/show_bug.cgi?id=1115015
• https://bugzilla.suse.com/show_bug.cgi?id=1115022
• https://bugzilla.suse.com/show_bug.cgi?id=1115025
• https://bugzilla.suse.com/show_bug.cgi?id=1145579
• https://bugzilla.suse.com/show_bug.cgi?id=1145580
• https://bugzilla.suse.com/show_bug.cgi?id=1145582