CVE-2019-9516 log

Source
Severity Medium
Remote Yes
Type Denial of service
Description
An issue has been found in several HTTP/2 implementations, where the attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
Group Package Affected Fixed Severity Status Ticket
AVG-1023 nginx 1.16.0-1 1.16.1-1 Medium Fixed
AVG-1022 nginx-mainline 1.17.2-1 1.17.3-1 Medium Fixed
Date Advisory Group Package Severity Description
16 Aug 2019 ASA-201908-13 AVG-1023 nginx Medium denial of service
16 Aug 2019 ASA-201908-12 AVG-1022 nginx-mainline Medium denial of service
References
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://github.com/nginx/nginx/commit/6dfbc8b1c2116f362bb871efebbf9df576738e89