CVE-2019-9513

Priority
Description
Some HTTP/2 implementations are vulnerable to resource loops, potentially
leading to a denial of service. The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way that
causes substantial churn to the priority tree. This can consume excess CPU.
Assigned-to
mdeslaur
Notes
sbeattie: nginx added http2 support in 1.9.5
          nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur: nghttp2-server is in universe
Package
Upstream: released (1.39.2)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): not-affected (1.39.2-1)
Binaries built from this source package are in universe and so are supported by the community. For more details see https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
Package
Source: nginx
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.10.3-0ubuntu0.16.04.4)
Ubuntu 18.04 LTS (Bionic Beaver): released (1.14.0-0ubuntu1.4)
Ubuntu 19.04 (Disco Dingo): released (1.15.9-0ubuntu1.1)
Ubuntu 19.10 (Eoan): released (1.16.1-0ubuntu1)
Patches:
Upstream: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b
Updated: 2019-10-18 02:48:38 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)