Release 1.10.3-1+deb9u4

Nginx before 1.17.7, with certain error_page configurations, allows HTTP
request smuggling, as demonstrated by the ability of an attacker to read
unauthorized web pages in environments where NGINX is being fronted by a
load balancer.

debian/changelog

@@ -1,3 +1,40 @@
+nginx (1.10.3-1+deb9u4) stretch-security; urgency=high
+
+  * Handle CVE-2019-20372, error page request smuggling
+    (Closes: #948579)
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Sat, 11 Jan 2020 09:28:05 +0200
+
+nginx (1.10.3-1+deb9u3) stretch-security; urgency=high
+
+  * Backport upstream fixes for 3 CVEs (Closes: #935037)
+    Those fixes affect Nginx HTTP/2 implementation, which might cause
+    excessive memory consumption and CPU usage.
+    (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Mon, 19 Aug 2019 12:31:19 +0300
+
+nginx (1.10.3-1+deb9u2) stretch-security; urgency=high
+
+  * Backport http2_max_requests directive needed for
+    CVE-2018-16844 mitigation
+  * Backport upstream fixes for 3 CVEs (Closes: #913090)
+    + CVE-2018-16843 Excessive memory usage in HTTP/2
+    + CVE-2018-16844 Excessive CPU usage in HTTP/2
+      This change limits the maximum allowed number of idle state
+      switches to 10 * http2_max_requests (i.e., 10000 by default).
+      This limits possible CPU usage in one connection, and also
+      imposes a limit on the maximum lifetime of a connection
+    + CVE-2018-16845 Memory disclosure in the ngx_http_mp4_module
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Wed, 07 Nov 2018 07:40:42 +0200
+
+nginx (1.10.3-1+deb9u1) stretch-security; urgency=high
+
+  * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109)
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Wed, 12 Jul 2017 08:44:59 +0300
+
 nginx (1.10.3-1) unstable; urgency=medium
 
   * New upstream release. (Closes: #855113)

debian/gbp.conf

@@ -1,3 +1,5 @@
 [DEFAULT]
 pristine-tar = True
+dist=stretch
+debian-branch=stretch
 

debian/patches/CVE-2017-7529-Range-filter.patch

@@ -0,0 +1,46 @@
+From 455bd729517f770b2e70a5f51f27c713f2e3973e Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 11 Jul 2017 16:06:23 +0300
+Subject: [PATCH] Range filter: protect from total size overflows.
+
+The overflow can be used to circumvent the restriction on total size of
+ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
+allows producing ranges with negative start (such ranges can be created
+by using a suffix, "bytes=-100"; normally this results in 200 due to
+the total size check).  These can result in the following errors in logs:
+
+[crit] ... pread() ... failed (22: Invalid argument)
+[alert] ... sendfile() failed (22: Invalid argument)
+
+When using cache, it can be also used to reveal cache file header.
+It is believed that there are no other negative effects, at least with
+standard nginx modules.
+
+In theory, this can also result in memory disclosure and/or segmentation
+faults if multiple ranges are allowed, and the response is returned in a
+single in-memory buffer.  This never happens with standard nginx modules
+though, as well as known 3rd party modules.
+
+Fix is to properly protect from possible overflow when incrementing size.
+---
+ src/http/modules/ngx_http_range_filter_module.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
+index 951a00de..59d273b7 100644
+--- a/src/http/modules/ngx_http_range_filter_module.c
++++ b/src/http/modules/ngx_http_range_filter_module.c
+@@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx,
+             range->start = start;
+             range->end = end;
+ 
++            if (size > NGX_MAX_OFF_T_VALUE - (end - start)) {
++                return NGX_HTTP_RANGE_NOT_SATISFIABLE;
++            }
++
+             size += end - start;
+ 
+             if (ranges-- == 0) {
+-- 
+2.13.2
+

debian/patches/CVE-2018-16843-0-HTTP-2-flood-detection.patch

@@ -0,0 +1,65 @@
+From 1ee3bc11f75cc079494635974f6fabb1e25380d1 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 6 Nov 2018 16:29:35 +0300
+Subject: [PATCH 11/12] HTTP/2: flood detection.
+
+Fixed uncontrolled memory growth in case peer is flooding us with
+some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
+is to limit the number of allocated control frames.
+---
+ src/http/v2/ngx_http_v2.c | 12 +++++++++++-
+ src/http/v2/ngx_http_v2.h |  1 +
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 421ec6e9..334b558e 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -649,6 +649,7 @@ ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c)
+ 
+     h2c->pool = NULL;
+     h2c->free_frames = NULL;
++    h2c->frames = 0;
+     h2c->free_fake_connections = NULL;
+ 
+ #if (NGX_HTTP_SSL)
+@@ -2620,7 +2621,7 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+ 
+         frame->blocked = 0;
+ 
+-    } else {
++    } else if (h2c->frames < 10000) {
+         pool = h2c->pool ? h2c->pool : h2c->connection->pool;
+ 
+         frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
+@@ -2644,6 +2645,15 @@ ngx_http_v2_get_frame(ngx_http_v2_connection_t *h2c, size_t length,
+         frame->last = frame->first;
+ 
+         frame->handler = ngx_http_v2_frame_handler;
++
++        h2c->frames++;
++
++    } else {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "http2 flood detected");
++
++        h2c->connection->error = 1;
++        return NULL;
+     }
+ 
+ #if (NGX_DEBUG)
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 2f519e18..2638bb5f 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -115,6 +115,7 @@ struct ngx_http_v2_connection_s {
+     ngx_http_connection_t           *http_connection;
+ 
+     ngx_uint_t                       processing;
++    ngx_uint_t                       frames;
+ 
+     size_t                           send_window;
+     size_t                           recv_window;
+-- 
+2.19.1
+

debian/patches/CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch

@@ -0,0 +1,45 @@
+From 1e4a302630aeb7367ba0e31dc469f6919e766e5d Mon Sep 17 00:00:00 2001
+From: Christos Trochalakis <yatiohi@ideopolis.gr>
+Date: Wed, 7 Nov 2018 14:48:22 +0200
+Subject: [PATCH] Adapt HTTP/2 flood detection to nginx 1.10.3
+
+To mitigate CVE-2018-16843 the allocated frames has to be checked in
+ngx_http_v2_send_settings() as well since SETTINGS frames are handled
+separately before 1.13.2 (http://hg.nginx.org/nginx/rev/79de0d2aa432)
+Thanks to Nginx's Maxim Dounin for his help.
+---
+ src/http/v2/ngx_http_v2.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 1d28fd6b..c8769e39 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -1969,7 +1969,9 @@ ngx_http_v2_state_settings(ngx_http_v2_connection_t *h2c, u_char *pos,
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
+     }
+ 
+-    ngx_http_v2_send_settings(h2c, 1);
++    if (ngx_http_v2_send_settings(h2c, 1) == NGX_ERROR) {
++        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
++    }
+ 
+     return ngx_http_v2_state_settings_params(h2c, pos, end);
+ }
+@@ -2453,6 +2455,13 @@ ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack)
+     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
+                    "http2 send SETTINGS frame ack:%ui", ack);
+ 
++    if (h2c->frames++ > 10000) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                     "http2 flood detected");
++        h2c->connection->error = 1;
++        return NGX_ERROR;
++    }
++
+     frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t));
+     if (frame == NULL) {
+         return NGX_ERROR;
+-- 
+2.19.1
+

debian/patches/CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch

@@ -0,0 +1,114 @@
+From 7b96e3b569b1b8ab0939c61c834d23caba21d4fb Mon Sep 17 00:00:00 2001
+From: Valentin Bartenev <vbart@nginx.com>
+Date: Mon, 31 Oct 2016 16:33:02 +0300
+Subject: [PATCH 20/21] HTTP/2: limited maximum number of requests in
+ connection.
+
+The new directive "http2_max_requests" is introduced.  From users point of
+view it works quite similar to "keepalive_requests" but has significantly
+bigger default value that is more suitable for HTTP/2.
+---
+ src/http/v2/ngx_http_v2.c        | 30 ++++++++++++++++++++++--------
+ src/http/v2/ngx_http_v2_module.c |  9 +++++++++
+ src/http/v2/ngx_http_v2_module.h |  1 +
+ 3 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 70b6c607..1d28fd6b 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -325,16 +325,21 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
+ 
+     if (c->close) {
+         c->close = 0;
+-        h2c->goaway = 1;
+ 
+-        if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) {
+-            ngx_http_v2_finalize_connection(h2c, 0);
+-            return;
+-        }
++        if (!h2c->goaway) {
++            h2c->goaway = 1;
+ 
+-        if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) {
+-            ngx_http_v2_finalize_connection(h2c, 0);
+-            return;
++            if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR)
++                == NGX_ERROR)
++            {
++                ngx_http_v2_finalize_connection(h2c, 0);
++                return;
++            }
++
++            if (ngx_http_v2_send_output_queue(h2c) == NGX_ERROR) {
++                ngx_http_v2_finalize_connection(h2c, 0);
++                return;
++            }
+         }
+ 
+         h2c->blocked = 0;
+@@ -1155,6 +1160,15 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
+         ngx_http_v2_set_dependency(h2c, node, depend, excl);
+     }
+ 
++    if (h2c->connection->requests >= h2scf->max_requests) {
++        h2c->goaway = 1;
++
++        if (ngx_http_v2_send_goaway(h2c, NGX_HTTP_V2_NO_ERROR) == NGX_ERROR) {
++            return ngx_http_v2_connection_error(h2c,
++                                                NGX_HTTP_V2_INTERNAL_ERROR);
++        }
++    }
++
+     return ngx_http_v2_state_header_block(h2c, pos, end);
+ 
+ rst_stream:
+diff --git a/src/http/v2/ngx_http_v2_module.c b/src/http/v2/ngx_http_v2_module.c
+index b7d99e05..032abcb6 100644
+--- a/src/http/v2/ngx_http_v2_module.c
++++ b/src/http/v2/ngx_http_v2_module.c
+@@ -73,6 +73,13 @@ static ngx_command_t  ngx_http_v2_commands[] = {
+       offsetof(ngx_http_v2_srv_conf_t, concurrent_streams),
+       NULL },
+ 
++    { ngx_string("http2_max_requests"),
++      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_HTTP_SRV_CONF_OFFSET,
++      offsetof(ngx_http_v2_srv_conf_t, max_requests),
++      NULL },
++
+     { ngx_string("http2_max_field_size"),
+       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+       ngx_conf_set_size_slot,
+@@ -322,6 +329,7 @@ ngx_http_v2_create_srv_conf(ngx_conf_t *cf)
+     h2scf->pool_size = NGX_CONF_UNSET_SIZE;
+ 
+     h2scf->concurrent_streams = NGX_CONF_UNSET_UINT;
++    h2scf->max_requests = NGX_CONF_UNSET_UINT;
+ 
+     h2scf->max_field_size = NGX_CONF_UNSET_SIZE;
+     h2scf->max_header_size = NGX_CONF_UNSET_SIZE;
+@@ -347,6 +355,7 @@ ngx_http_v2_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+ 
+     ngx_conf_merge_uint_value(conf->concurrent_streams,
+                               prev->concurrent_streams, 128);
++    ngx_conf_merge_uint_value(conf->max_requests, prev->max_requests, 1000);
+ 
+     ngx_conf_merge_size_value(conf->max_field_size, prev->max_field_size,
+                               4096);
+diff --git a/src/http/v2/ngx_http_v2_module.h b/src/http/v2/ngx_http_v2_module.h
+index 91f97c25..540f8267 100644
+--- a/src/http/v2/ngx_http_v2_module.h
++++ b/src/http/v2/ngx_http_v2_module.h
+@@ -23,6 +23,7 @@ typedef struct {
+ typedef struct {
+     size_t                          pool_size;
+     ngx_uint_t                      concurrent_streams;
++    ngx_uint_t                      max_requests;
+     size_t                          max_field_size;
+     size_t                          max_header_size;
+     size_t                          preread_size;
+-- 
+2.19.1
+

debian/patches/CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch

@@ -0,0 +1,63 @@
+From 175adc8124e3e1992d8bb85aef071f43535c09bc Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 6 Nov 2018 16:29:49 +0300
+Subject: [PATCH 12/12] HTTP/2: limit the number of idle state switches.
+
+An attack that continuously switches HTTP/2 connection between
+idle and active states can result in excessive CPU usage.
+This is because when a connection switches to the idle state,
+all of its memory pool caches are freed.
+
+This change limits the maximum allowed number of idle state
+switches to 10 * http2_max_requests (i.e., 10000 by default).
+This limits possible CPU usage in one connection, and also
+imposes a limit on the maximum lifetime of a connection.
+
+Initially reported by Gal Goldshtein from F5 Networks.
+---
+ src/http/v2/ngx_http_v2.c | 13 ++++++++++---
+ src/http/v2/ngx_http_v2.h |  1 +
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 334b558e..70b6c607 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -4181,12 +4181,19 @@ ngx_http_v2_idle_handler(ngx_event_t *rev)
+ 
+ #endif
+ 
+-    c->destroyed = 0;
+-    ngx_reusable_connection(c, 0);
+-
+     h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+                                          ngx_http_v2_module);
+ 
++    if (h2c->idle++ > 10 * h2scf->max_requests) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "http2 flood detected");
++        ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
++        return;
++    }
++
++    c->destroyed = 0;
++    ngx_reusable_connection(c, 0);
++
+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+     if (h2c->pool == NULL) {
+         ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 2638bb5f..c22991f3 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -116,6 +116,7 @@ struct ngx_http_v2_connection_s {
+ 
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
++    ngx_uint_t                       idle;
+ 
+     size_t                           send_window;
+     size_t                           recv_window;
+-- 
+2.19.1
+

debian/patches/CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch

@@ -0,0 +1,35 @@
+From 88be1860f976962c23e300ba616fe491b60b36d7 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Tue, 6 Nov 2018 16:29:18 +0300
+Subject: [PATCH 10/12] Mp4: fixed reading 64-bit atoms.
+
+Previously there was no validation for the size of a 64-bit atom
+in an mp4 file.  This could lead to a CPU hog when the size is 0,
+or various other problems due to integer underflow when calculating
+atom data size, including segmentation fault or worker process
+memory disclosure.
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 16ef83cf..c1d36879 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -896,6 +896,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file_t *mp4,
+                 atom_size = ngx_mp4_get_64value(atom_header + 8);
+                 atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+ 
++                if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
++                    ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                                  "\"%s\" mp4 atom is too small:%uL",
++                                  mp4->file.name.data, atom_size);
++                    return NGX_ERROR;
++                }
++
+             } else {
+                 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                               "\"%s\" mp4 atom is too small:%uL",
+-- 
+2.19.1
+

debian/patches/CVE-2019-20372.patch

@@ -0,0 +1,31 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- a/src/http/ngx_http_special_response.c
++++ b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
+-- 
+2.23.0
+

debian/patches/CVE-2019-9511.patch

@@ -0,0 +1,88 @@
+From 28cb833d0db4d899e486991bda31dcffb2960592 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:36 +0300
+Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames.
+
+Fixed excessive memory growth and CPU usage if stream windows are
+manipulated in a way that results in generating many small DATA frames.
+Fix is to limit the number of simultaneously allocated DATA frames.
+---
+ src/http/v2/ngx_http_v2.c               |  2 ++
+ src/http/v2/ngx_http_v2.h               |  2 ++
+ src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++-----
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 9b1fbd7d..838d1b4f 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -4072,6 +4072,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
+      */
+     pool = stream->pool;
+ 
++    h2c->frames -= stream->frames;
++
+     ngx_http_free_request(stream->request, rc);
+ 
+     if (pool != h2c->state.pool) {
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index c22991f3..792c0a3a 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -181,6 +181,8 @@ struct ngx_http_v2_stream_s {
+ 
+     ngx_buf_t                       *preread;
+ 
++    ngx_uint_t                       frames;
++
+     ngx_http_v2_out_frame_t         *free_frames;
+     ngx_chain_t                     *free_frame_headers;
+     ngx_chain_t                     *free_bufs;
+diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
+index fa53070c..8eed4456 100644
+--- a/src/http/v2/ngx_http_v2_filter_module.c
++++ b/src/http/v2/ngx_http_v2_filter_module.c
+@@ -999,23 +999,35 @@ static ngx_http_v2_out_frame_t *
+ ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
+     size_t len, ngx_chain_t *first, ngx_chain_t *last)
+ {
+-    u_char                      flags;
+-    ngx_buf_t                  *buf;
+-    ngx_chain_t                *cl;
+-    ngx_http_v2_out_frame_t  *frame;
++    u_char                     flags;
++    ngx_buf_t                 *buf;
++    ngx_chain_t               *cl;
++    ngx_http_v2_out_frame_t   *frame;
++    ngx_http_v2_connection_t  *h2c;
+ 
+ 
+     frame = stream->free_frames;
++    h2c = stream->connection;
+ 
+     if (frame) {
+         stream->free_frames = frame->next;
+ 
+-    } else {
++    } else if (h2c->frames < 10000) {
+         frame = ngx_palloc(stream->request->pool,
+                            sizeof(ngx_http_v2_out_frame_t));
+         if (frame == NULL) {
+             return NULL;
+         }
++
++        stream->frames++;
++        h2c->frames++;
++
++    } else {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "http2 flood detected");
++
++        h2c->connection->error = 1;
++        return NULL;
+     }
+ 
+     flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
+-- 
+2.20.1
+

debian/patches/CVE-2019-9513.patch

@@ -0,0 +1,65 @@
+From 52c85196438b1a893fc3180d29dc5c5ced55b3bc Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:40 +0300
+Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames.
+
+Fixed excessive CPU usage caused by a peer that continuously shuffles
+priority of streams.  Fix is to limit the number of PRIORITY frames.
+
+Backported for Nginx 1.10
+---
+ src/http/v2/ngx_http_v2.c | 11 +++++++++++
+ src/http/v2/ngx_http_v2.h |  1 +
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 838d1b4f..547864a6 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -247,6 +247,8 @@ ngx_http_v2_init(ngx_event_t *rev)
+ 
+     h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
+ 
++    h2c->priority_limit = h2scf->concurrent_streams;
++
+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+     if (h2c->pool == NULL) {
+         ngx_http_close_connection(c);
+@@ -1790,6 +1792,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
+     }
+ 
++    if (--h2c->priority_limit == 0) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "client sent too many PRIORITY frames");
++
++        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
++    }
++
+     if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
+         return ngx_http_v2_state_save(h2c, pos, end,
+                                       ngx_http_v2_state_priority);
+@@ -2857,6 +2866,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c)
+ 
+     h2c->processing++;
+ 
++    h2c->priority_limit += h2scf->concurrent_streams;
++
+     return stream;
+ }
+ 
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 792c0a3a..1fba1b20 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -117,6 +117,7 @@ struct ngx_http_v2_connection_s {
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
+     ngx_uint_t                       idle;
++    ngx_uint_t                       priority_limit;
+ 
+     size_t                           send_window;
+     size_t                           recv_window;
+-- 
+2.20.1
+

debian/patches/CVE-2019-9516.patch

@@ -0,0 +1,45 @@
+From 6d953dc78fdc445acc00e02540bded7c3b3af921 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:32 +0300
+Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
+
+Fixed uncontrolled memory growth if peer sends a stream of
+headers with a 0-length header name and 0-length header value.
+Fix is to reject headers with zero name length.
+---
+ src/http/v2/ngx_http_v2.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index c8769e39..9b1fbd7d 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -1533,6 +1533,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+         header->name.len = h2c->state.field_end - h2c->state.field_start;
+         header->name.data = h2c->state.field_start;
+ 
++        if (header->name.len == 0) {
++            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                          "client sent zero header name length");
++
++            return ngx_http_v2_connection_error(h2c,
++                                                NGX_HTTP_V2_PROTOCOL_ERROR);
++        }
++
+         return ngx_http_v2_state_field_len(h2c, pos, end);
+     }
+ 
+@@ -2986,10 +2994,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
+     ngx_uint_t                 i;
+     ngx_http_core_srv_conf_t  *cscf;
+ 
+-    if (header->name.len == 0) {
+-        return NGX_ERROR;
+-    }
+-
+     r->invalid_header = 0;
+ 
+     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+-- 
+2.20.1
+

debian/patches/series

@@ -4,3 +4,13 @@ perl-use-dpkg-buildflags.patch
 0004-SSL-error-messages-style.patch
 0005-SSL-style.patch
 0006-SSL-support-for-multiple-curves-ticket-885.patch
+CVE-2017-7529-Range-filter.patch
+CVE-2018-16843-0-HTTP-2-flood-detection.patch
+CVE-2018-16843-1-Adapt-HTTP-2-flood-detection-to-nginx-1.10.3.patch
+CVE-2018-16844-0-HTTP-2-limited-maximum-number-of-requests-in-connect.patch
+CVE-2018-16844-1-HTTP-2-limit-the-number-of-idle-state-switches.patch
+CVE-2018-16845-Mp4-fixed-reading-64-bit-atoms.patch
+CVE-2019-9516.patch
+CVE-2019-9511.patch
+CVE-2019-9513.patch
+CVE-2019-20372.patch