CVE-2019-9511

Priority
Description
Some HTTP/2 implementations are vulnerable to window size manipulation and
stream prioritization manipulation, potentially leading to a denial of
service. The attacker requests a large amount of data from a specified
resource over multiple streams. They manipulate window size and stream
priority to force the server to queue the data in 1-byte chunks. Depending
on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
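To make the cost described above measurable, the following is an added example (not code from nginx, nghttp2 or the Ubuntu tracker) that models a server splitting one response into DATA frames under the peer's flow-control window. The 9-byte frame header and the 16384-byte default SETTINGS_MAX_FRAME_SIZE come from RFC 7540; the "dribbling" peer opens a 1-byte window and refills it one byte per WINDOW_UPDATE, which is the window manipulation the description refers to. The ratio-based stream reset in the hardened path is an assumed, illustrative mitigation, not the upstream patch, and the model consumes WINDOW_UPDATEs synchronously for simplicity.

```python
"""Model of the HTTP/2 flow-control abuse behind CVE-2019-9511 ("Data Dribble").

Added example; not code from nginx, nghttp2 or Ubuntu. It counts the DATA
frames a server queues for one response under the peer's flow-control window,
so the CPU/memory cost of a 1-byte window can be compared with a normal peer,
and shows one illustrative (assumed) mitigation: reset a stream whose average
DATA payload stays far below what the body size warrants.
"""

FRAME_HEADER = 9        # HTTP/2 frame header length, RFC 7540 section 4.1
MAX_FRAME_SIZE = 16384  # default SETTINGS_MAX_FRAME_SIZE


def send_body(body_len, initial_window, window_updates,
              min_avg_payload=None, grace_frames=16):
    """Queue DATA frames for a body_len-byte response under flow control.

    initial_window:  bytes the peer lets us send before it must send a
                     WINDOW_UPDATE (the attacker makes this tiny)
    window_updates:  increments the peer sends; one is consumed each time the
                     window reaches zero (simplification: real updates arrive
                     asynchronously)
    min_avg_payload: assumed mitigation; after grace_frames frames, reset the
                     stream if the average payload per frame is below this.
                     None reproduces the unprotected behaviour the CVE describes.
    Returns a dict with the frame count, bytes on the wire (headers included),
    body bytes actually sent and whether the stream was reset.
    """
    window, remaining = initial_window, body_len
    frames = []                       # payload length of each queued DATA frame
    updates = iter(window_updates)
    reset = False
    while remaining > 0:
        if window <= 0:
            # Blocked on flow control: wait for the peer's WINDOW_UPDATE.
            inc = next(updates, None)
            if inc is None:
                break                 # peer stopped updating; stream stalls
            window += inc
            continue
        n = min(window, remaining, MAX_FRAME_SIZE)
        frames.append(n)
        window -= n
        remaining -= n
        sent = body_len - remaining
        if (min_avg_payload is not None and len(frames) >= grace_frames
                and sent / len(frames) < min_avg_payload):
            # Hardened path (assumed mitigation): the peer is forcing far more
            # frames than the body warrants, so stop serving it (RST_STREAM).
            reset = True
            break
    return {
        "frames": len(frames),
        "bytes_on_wire": sum(FRAME_HEADER + n for n in frames),
        "body_sent": body_len - remaining,
        "reset": reset,
    }


def honest_client(body_len, min_avg_payload=None):
    """Normal peer: default 65535-byte window, refilled in large increments."""
    return send_body(body_len, 65535, [65535] * 1024, min_avg_payload)


def dribbling_client(body_len, min_avg_payload=None):
    """Abusive peer: 1-byte window, topped up one byte per WINDOW_UPDATE."""
    return send_body(body_len, 1, [1] * body_len, min_avg_payload)


def connection_cost(streams, body_len, min_avg_payload=None):
    """Frames queued across `streams` concurrent dribbling streams: the
    'multiple streams' in the CVE text multiply the per-stream cost."""
    return streams * dribbling_client(body_len, min_avg_payload)["frames"]


if __name__ == "__main__":
    body = 100_000
    print("honest             :", honest_client(body))
    print("dribble, no cap    :", dribbling_client(body))
    print("dribble, avg >= 64 :", dribbling_client(body, min_avg_payload=64))
    print("100 streams, no cap:", connection_cost(100, body), "frames queued")
```

For a 100 kB body the honest peer costs 7 frames; the dribbling peer costs 100,000 frames and roughly 10x the bytes on the wire, and with 100 such streams the server is holding ten million queued frames for 10 MB of payload. The assumed reset rule leaves the honest peer untouched because its average payload is near the frame size. The supported fix remains upgrading to the package versions listed below.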
Assigned-to
mdeslaur
Notes
sbeattie: nginx added http2 support in 1.9.5
nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur: nghttp2-server is in universe
Package
Source: nghttp2
Upstream: released (1.39.2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): not-affected (1.39.2-1)
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Source: nginx
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.14.0-0ubuntu1.4)
Ubuntu 19.04 (Disco Dingo): released (1.15.9-0ubuntu1.1)
Ubuntu 19.10 (Eoan): released (1.16.1-0ubuntu1)
Patches:
Upstream: https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b
More Information

Updated: 2019-10-18 02:48:38 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)