diff options
author | Jochen Neumeister <joneum@FreeBSD.org> | 2018-11-06 16:34:09 +0000 |
---|---|---|
committer | Jochen Neumeister <joneum@FreeBSD.org> | 2018-11-06 16:34:09 +0000 |
commit | c8126c20109f6d064f442bc5996368f83a51b422 (patch) | |
tree | 2072454bf4c4af71f8d6b0b4aec4d508f2852cb4 | |
parent | 080bc4981f4da8e6ee19d901b58dc1d0590fdb66 (diff) | |
download | ports-c8126c20109f6d064f442bc5996368f83a51b422.tar.gz ports-c8126c20109f6d064f442bc5996368f83a51b422.zip |
Notes
-rw-r--r-- | security/vuxml/vuln.xml | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 7c546c268533..06825ab799bb 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -58,6 +58,52 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="84ca56be-e1de-11e8-bcfd-00e04c1ea73d"> + <topic>NGINX -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>nginx</name> + <range><lt>1.14.1</lt></range> + </package> + <package> + <name>nginx-devel</name> + <range><lt>1.15.6</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>NGINX Team reports:</p> + <blockquote cite="http://nginx.org/en/security_advisories.html"> + <p>Two security issues were identified in nginx HTTP/2 implementation, + which might cause excessive memory consumption (CVE-2018-16843) + and CPU usage (CVE-2018-16844).</p> + <p>The issues affect nginx compiled with the ngx_http_v2_module (not + compiled by default) if the "http2" option of the "listen" directive is + used in a configuration file.</p> + <p>A security issue was identified in the ngx_http_mp4_module, which might + allow an attacker to cause infinite loop in a worker process, cause a + worker process crash, or might result in worker process memory + isclosure by using a specially crafted mp4 file (CVE-2018-16845).</p> + <p>The issue only affects nginx if it is built with the ngx_http_mp4_module + (the module is not built by default) and the "mp4" directive is used in + the configuration file. Further, the attack is only possible if an + attacker is able to trigger processing of a specially crafted mp4 file + with the ngx_http_mp4_module. </p> + </blockquote> + </body> + </description> + <references> + <url>http://nginx.org/en/security_advisories.html</url> + <cvename>CVE-2018-16843</cvename> + <cvename>CVE-2018-16844</cvename> + <cvename>CVE-2018-16845</cvename> + </references> + <dates> + <discovery>2018-11-06</discovery> + <entry>2018-11-06</entry> + </dates> + </vuln> + <vuln vid="deb4f633-de1d-11e8-a9fb-080027f43a02"> <topic>gitea -- remote code exeution</topic> <affects> |