CVE-2019-9513

Priority
Description
Some HTTP/2 implementations are vulnerable to resource loops, potentially
leading to a denial of service. The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess CPU.
Notes
 sbeattie> nginx added http2 support in 1.9.5
 sbeattie> nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
 mdeslaur> nghttp2-server is in universe
Assigned-to
mdeslaur
Package
Upstream: released (1.39.2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): pending (1.39.2-1)
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Source: nginx (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.14.0-0ubuntu1.4)
Ubuntu 19.04 (Disco Dingo): released (1.15.9-0ubuntu1.1)
Ubuntu 19.10 (Eoan): released (1.16.1-0ubuntu1)
Patches:
Upstream: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b

Updated: 2019-09-19 14:55:14 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)