[SECURITY] [DLA 4091-1] nginx security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4091-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andrej Shadura
March 25, 2025 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : nginx
Version : 1.18.0-6.1+deb11u4
CVE ID : CVE-2024-7347 CVE-2025-23419
This upload fixes two security issues in the version of nginx shipped
in bullseye.
CVE-2024-7347
Nginx has a vulnerability in the ngx_http_mp4_module, which might
allow an attacker to over-read nginx worker memory resulting in
its termination using a specially crafted mp4 file. The issue only
affects nginx if it is built with the ngx_http_mp4_module and the
mp4 directive is used in the configuration file. Additionally, the
attack is possible only if an attacker can trigger the processing
of a specially crafted mp4 file with the ngx_http_mp4_module.
CVE-2025-23419
When multiple server blocks are configured to share the same
IP address and port, an attacker can use session resumption
to bypass client certificate authentication requirements on
these servers. This vulnerability arises when TLS Session Tickets
and/or the SSL session cache are used in the default server and the
default server is performing client certificate authentication.
This issue did not affect ngx_stream_ssl_module in bullseye since
the stream virtual servers functionality was added in a later
release.
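The server layout that CVE-2025-23419 describes, shown beside a variant that removes the stated precondition, as an added example that is not part of the advisory or of the nginx package. Hostnames, the listen port and the certificate paths are constructed placeholders; the two layouts are alternatives and are not meant to be loaded into one configuration together.

```nginx
# Added example (not from the advisory). Hostnames, ports and file paths
# are constructed placeholders.

# --- Affected layout ----------------------------------------------------
# Two server blocks share the same IP address and port. The default server
# requires a client certificate, and session resumption is left at nginx's
# defaults (ssl_session_tickets defaults to on), which is the condition the
# advisory names.
server {
    listen 443 ssl default_server;
    server_name admin.example.test;                 # placeholder

    ssl_certificate     /etc/nginx/tls/admin.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/admin.key;

    # Client certificate authentication on the default server
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;

    # No ssl_session_tickets / ssl_session_cache directives here,
    # so tickets are enabled by default.
}

server {
    listen 443 ssl;
    server_name www.example.test;                   # placeholder, no client cert

    ssl_certificate     /etc/nginx/tls/www.crt;
    ssl_certificate_key /etc/nginx/tls/www.key;
}

# --- Hardened layout ----------------------------------------------------
# The fix is the package upgrade named in the advisory. Independently of
# that, the precondition the advisory states (tickets and/or the session
# cache in use on the default server) is removed by disabling both forms
# of session resumption on that server.
server {
    listen 443 ssl default_server;
    server_name admin.example.test;

    ssl_certificate     /etc/nginx/tls/admin.crt;
    ssl_certificate_key /etc/nginx/tls/admin.key;

    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;

    ssl_session_tickets off;   # no stateless resumption via tickets
    ssl_session_cache   off;   # no server-side session cache either
}

server {
    listen 443 ssl;
    server_name www.example.test;

    ssl_certificate     /etc/nginx/tls/www.crt;
    ssl_certificate_key /etc/nginx/tls/www.key;
}
```

Disabling resumption costs a full handshake on every connection to the default server, so it is a stopgap for hosts that cannot take the upgrade immediately. The other precondition the advisory gives, several server blocks sharing one IP address and port, can likewise be removed by giving the certificate-authenticated server its own listen address.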
For Debian 11 bullseye, these problems have been fixed in version
1.18.0-6.1+deb11u4.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQSD3NF/RLIsyDZW7aHoRGtKyMdyYQUCZ+KQ4AAKCRDoRGtKyMdy
YdaiAQDJ2Ml1ras+MD+kP8evDkPNr8HsmDXPrA/hUPBS/1If2wD/UKSqLgf4XjCM
NmmQsot4prRBMGsKVHYtPScZL4Gk0wI=
=aYcn
-----END PGP SIGNATURE-----