PublicDateAtUSN: 2018-11-06
Candidate: CVE-2018-16845
PublicDate: 2018-11-07 14:29:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845
 http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html
 https://ubuntu.com/security/notices/USN-3812-1
Description:
 nginx before versions 1.15.6, 1.14.1 has a vulnerability in the
 ngx_http_mp4_module, which might allow an attacker to cause infinite loop
 in a worker process, cause a worker process crash, or might result in
 worker process memory disclosure by using a specially crafted mp4 file. The
 issue only affects nginx if it is built with the ngx_http_mp4_module (the
 module is not built by default) and the .mp4. directive is used in the
 configuration file. Further, the attack is only possible if an attacker is
 able to trigger processing of a specially crafted mp4 file with the
 ngx_http_mp4_module.
Ubuntu-Description: 
Notes: 
 mdeslaur> module is built in the nginx-extras package
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H [6.1 MEDIUM]
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H [6.1 MEDIUM]


Patches_nginx:
 upstream: http://hg.nginx.org/nginx/rev/e5069816039b
Tags_nginx: universe-binary
upstream_nginx: released (1.15.6)
precise/esm_nginx: DNE
trusty_nginx: released (1.4.6-1ubuntu3.9)
trusty/esm_nginx: released (1.4.6-1ubuntu3.9)
xenial_nginx: released (1.10.3-0ubuntu0.16.04.3)
esm-infra/xenial_nginx: released (1.10.3-0ubuntu0.16.04.3)
bionic_nginx: released (1.14.0-0ubuntu1.2)
cosmic_nginx: released (1.15.5-0ubuntu2.1)
devel_nginx: released (1.15.6-0ubuntu1)