CVE-2019-9511

Priority
Description
Some HTTP/2 implementations are vulnerable to window size manipulation and
stream prioritization manipulation, potentially leading to a denial of
service. The attacker requests a large amount of data from a specified
resource over multiple streams. They manipulate window size and stream
priority to force the server to queue the data in 1-byte chunks. Depending
on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
Notes
 sbeattie> nginx added http2 support in 1.9.5
 sbeattie> nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
 mdeslaur> nghttp2-server is in universe
Assigned-to
mdeslaur
Package
Upstream: released (1.39.2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): pending (1.39.2-1)
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Source: nginx
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.14.0-0ubuntu1.4)
Ubuntu 19.04 (Disco Dingo): released (1.15.9-0ubuntu1.1)
Ubuntu 19.10 (Eoan): released (1.16.1-0ubuntu1)
Patches:
Upstream: https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b
Updated: 2019-09-19 14:55:14 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)