nginx HTTP/2 vulnerability patches

igor.clark · 2019-08-14T02:21:36+00:00

need to see the code to understand the problemOn Monday, August 5, 2019 at 10:10:09 AM UTC+3, DevX wrote:Hi All,I'm using access_by_lua_file to perform s...

nginx HTTP/2 vulnerability patches

igor.clark

Hi all, hope all’s well,

I just saw https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ and wonder whether this will need a full version update in OpenResty or whether there might be a way to patch the existing 1.15.8.1 release?

I’m not in a position to do it myself, and I’m aware that it’ll probably take some time to do, so I’m just trying to work out if this is something we should be concerned about?

Thanks, as always,

Igor

thibaultcha

Hello,

Patches for this new set of CVEs are ready to be applied to OpenResty's
1.15.8 NGINX core:

    https://github.com/openresty/openresty/pull/515

We shall release 1.15.8.2 as soon as we are ready.

On 8/13/19 11:21 AM, Igor Clark wrote:
> Hi all, hope all’s well,
> 
> I just
> saw https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ and
> wonder whether this will need a full version update in OpenResty or
> whether there might be a way to patch the existing 1.15.8.1 release?
> 
> I’m not in a position to do it myself, and I’m aware that it’ll probably
> take some time to do, so I’m just trying to work out if this is
> something we should be concerned about?
> 
> Thanks, as always,
> Igo
> >.

igor.clark

Hey Thibault, that’s great news. Thank you!

> On 13 Aug 2019, at 20:51, Thibault Charbonnier <thiba...@fastmail.com> wrote:
> 
> Hello,
> 
> Patches for this new set of CVEs are ready to be applied to OpenResty's
> 1.15.8 NGINX core:
> 
>    https://github.com/openresty/openresty/pull/515
> 
> We shall release 1.15.8.2 as soon as we are ready.
> 
>> On 8/13/19 11:21 AM, Igor Clark wrote:
>> Hi all, hope all’s well,
>> 
>> I just
>> saw https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ and
>> wonder whether this will need a full version update in OpenResty or
>> whether there might be a way to patch the existing 1.15.8.1 release?
>> 
>> I’m not in a position to do it myself, and I’m aware that it’ll probably
>> take some time to do, so I’m just trying to work out if this is
>> something we should be concerned about?
>> 
>> Thanks, as always,
>> Igo .

rpaprocki

Hi all,

Any public update on when pre-built packages for this release will be available?

On Tuesday, August 13, 2019 at 11:21:39 AM UTC-7, Igor Clark wrote:

Hi all, hope all’s well,

I just saw https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ and wonder whether this will need a full version update in OpenResty or whether there might be a way to patch the existing 1.15.8.1 release?

I’m not in a position to do it myself, and I’m aware that it’ll probably take some time to do, so I’m just trying to work out if this is something we should be concerned about?

Thanks, as always,
Igor