rpm package

opensuse/nginx&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/nginx&distro=openSUSE%20Tumbleweed

Vulnerabilities (36)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2019-9516		—	< 1.21.3-1.4	1.21.3-1.4	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9511		—	< 1.21.3-1.4	1.21.3-1.4	Aug 13, 2019	Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
CVE-2018-16845		—	< 1.21.3-1.4	1.21.3-1.4	Nov 7, 2018	nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.
CVE-2018-16843		—	< 1.21.3-1.4	1.21.3-1.4	Nov 7, 2018	nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is
CVE-2017-7529	Hig	7.5	< 1.21.3-1.4	1.21.3-1.4	Jul 13, 2017	Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
CVE-2016-4450	Hig	7.5	< 1.11.4-2.5	1.11.4-2.5	Jun 7, 2016	os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
CVE-2016-0747	Med	5.3	< 1.11.4-2.5	1.11.4-2.5	Feb 15, 2016	The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
CVE-2016-0746	Cri	9.8	< 1.11.4-2.5	1.11.4-2.5	Feb 15, 2016	Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing
CVE-2016-0742	Hig	7.5	< 1.11.4-2.5	1.11.4-2.5	Feb 15, 2016	The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
CVE-2014-3556		—	< 1.11.4-2.5	1.11.4-2.5	Dec 29, 2014	The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending
CVE-2014-3616		—	< 1.11.4-2.5	1.11.4-2.5	Dec 8, 2014	nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
CVE-2014-0133		—	< 1.11.4-2.5	1.11.4-2.5	Mar 28, 2014	Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.
CVE-2013-4547		—	< 1.11.4-2.5	1.11.4-2.5	Nov 23, 2013	nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
CVE-2013-2070		—	< 1.11.4-2.5	1.11.4-2.5	Jul 20, 2013	http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted p
CVE-2012-2089		—	< 1.11.4-2.5	1.11.4-2.5	Apr 17, 2012	Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a craf
CVE-2011-4315		—	< 1.11.4-2.5	1.11.4-2.5	Dec 8, 2011	Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.

CVE-2019-9516Aug 13, 2019
affected < 1.21.3-1.4fixed 1.21.3-1.4
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations a
CVE-2019-9511Aug 13, 2019
affected < 1.21.3-1.4fixed 1.21.3-1.4
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and
CVE-2018-16845Nov 7, 2018
affected < 1.21.3-1.4fixed 1.21.3-1.4
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.
CVE-2018-16843Nov 7, 2018
affected < 1.21.3-1.4fixed 1.21.3-1.4
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is
CVE-2017-7529HigJul 13, 2017
affected < 1.21.3-1.4fixed 1.21.3-1.4
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
CVE-2016-4450HigJun 7, 2016
affected < 1.11.4-2.5fixed 1.11.4-2.5
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
CVE-2016-0747MedFeb 15, 2016
affected < 1.11.4-2.5fixed 1.11.4-2.5
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
CVE-2016-0746CriFeb 15, 2016
affected < 1.11.4-2.5fixed 1.11.4-2.5
Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing
CVE-2016-0742HigFeb 15, 2016
affected < 1.11.4-2.5fixed 1.11.4-2.5
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
CVE-2014-3556Dec 29, 2014
affected < 1.11.4-2.5fixed 1.11.4-2.5
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending
CVE-2014-3616Dec 8, 2014
affected < 1.11.4-2.5fixed 1.11.4-2.5
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
CVE-2014-0133Mar 28, 2014
affected < 1.11.4-2.5fixed 1.11.4-2.5
Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.
CVE-2013-4547Nov 23, 2013
affected < 1.11.4-2.5fixed 1.11.4-2.5
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
CVE-2013-2070Jul 20, 2013
affected < 1.11.4-2.5fixed 1.11.4-2.5
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted p
CVE-2012-2089Apr 17, 2012
affected < 1.11.4-2.5fixed 1.11.4-2.5
Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a craf
CVE-2011-4315Dec 8, 2011
affected < 1.11.4-2.5fixed 1.11.4-2.5
Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.

Page 2 of 2