Bugzilla – Bug 963775
VUL-1: CVE-2016-0747: nginx-1.0: Resource exhaustion through unlimited CNAME resolution
Last modified: 2019-02-06 15:46:08 UTC
CVE-2016-0747

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806

CNAME resolution was insufficiently limited, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.

http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0747
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0747.html
bugbot adjusting priority
openSUSE update running
openSUSE-SU-2016:0371-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963775,963778,963781
CVE References: CVE-2016-0742,CVE-2016-0746,CVE-2016-0747
Sources used:
openSUSE Leap 42.1 (src): nginx-1.8.1-5.1
As Markus's docu says:
https://w3.suse.de/~meissner/SUSE-LunchAndLearn-SLE-Maintenance.pdf

I have sent a request to SUSE:Maintenance:
https://build.suse.de/request/show/93470

I have tested this fix with WebYaST.
released
SUSE-SU-2016:1232-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963775,963778,963781
CVE References: CVE-2016-0742,CVE-2016-0746,CVE-2016-0747
Sources used:
SUSE Webyast 1.3 (src): GeoIP-1.4.7-2.10.1, nginx-1.0-1.0.15-0.29.2
SUSE Studio Onsite 1.3 (src): GeoIP-1.4.7-2.10.1, nginx-1.0-1.0.15-0.29.2
SUSE Lifecycle Management Server 1.3 (src): GeoIP-1.4.7-2.10.1, nginx-1.0-1.0.15-0.29.2