
Bug#1010963: bullseye-pu: package nginx/1.18.0-6.1



Control: tags -1 + confirmed

On Sat, 2022-05-14 at 09:11 +0200, Jan Mojzis wrote:
> fixes ALPACA attack CVE-2021-3618:
> ALPACA is an application layer protocol content confusion attack,
> exploiting TLS servers implementing different protocols but using
> compatible certificates, such as multi-domain or wildcard
> certificates.  A MiTM attacker having access to victim's traffic at
> the TCP/IP layer can redirect traffic from one subdomain to another,
> resulting in a valid TLS session. This breaks the authentication of
> TLS and cross-protocol attacks may be possible where the behavior of
> one protocol service may compromise the other at the application
> layer.
> 
> [ Impact ]
> 
> Similarly to smtpd_hard_error_limit in Postfix and
> smtp_max_unknown_commands in Exim, specifies the number of errors
> after which the connection is closed.
> 

Please go ahead.

Regards,

Adam

