Three bugs that lead to excessive memory consumption have been fixed in nginx

Three issues (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516) were identified in the nginx web server that cause excessive memory consumption when the ngx_http_v2_module module, which implements the HTTP/2 protocol, is in use. Versions from 1.9.5 to 1.17.2 are affected. Fixes are in nginx 1.16.1 (stable branch) and 1.17.3 (mainline branch). The issues were discovered by Jonathan Looney of Netflix.
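A triage check built from the version ranges above, as an added example that is not nginx project code: it reads a version banner and a configuration file and reports whether an affected build has HTTP/2 enabled on any listener. The function names and the sample configuration are constructed for illustration, and the comment stripping is deliberately simple (it does not handle a `#` inside quotes).

```python
import re

# Ranges from the text above: 1.9.5 through 1.17.2 affected,
# fixed in 1.16.1 (stable) and 1.17.3 (mainline).
FIRST_AFFECTED = (1, 9, 5)
FIXED_STABLE = (1, 16, 1)
FIXED_MAINLINE = (1, 17, 3)

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a Server header."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version in {banner!r}")
    return tuple(int(x) for x in m.groups())

def version_affected(v):
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # Stable 1.16.x releases from 1.16.1 onward carry the fix.
    if v[:2] == (1, 16) and v >= FIXED_STABLE:
        return False
    return True

def http2_listeners(config_text):
    """Return listen directives that enable HTTP/2, ignoring commented-out lines."""
    hits = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if re.match(r"listen\s", line) and re.search(r"\shttp2\b", line):
            hits.append(line.rstrip(";"))
    return hits

def exposed(banner, config_text):
    """True only when the build is affected AND HTTP/2 is actually enabled."""
    return version_affected(parse_version(banner)) and bool(http2_listeners(config_text))

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
server {
    listen 80;
    listen 443 ssl http2;   # HTTP/2 enabled here
    # listen 8443 ssl http2;
}
"""

if __name__ == "__main__":
    print(exposed("nginx version: nginx/1.17.2", SAMPLE_CONF))
```

Distribution packages may backport the fix without changing the upstream version string, so a positive result is a prompt to check the package changelog rather than a final verdict.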

Release 1.17.3 includes two more fixes:

  • Bugfix: "zero size buf" messages might appear in logs when using compression; the bug appeared in 1.17.2.
  • Bugfix: a segmentation fault might occur in a worker process when using the resolver directive in an SMTP proxy.

Source: linux.org.ru
