[Pkg-nginx-maintainers] Bug#1078971: nginx: CVE-2024-7347
Salvatore Bonaccorso
carnil at debian.org
Sun Aug 18 13:24:39 BST 2024
Source: nginx
Version: 1.26.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for nginx.
CVE-2024-7347[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_http_mp4_module, which might allow an attacker to over-read
| NGINX worker memory resulting in its termination, using a specially
| crafted mp4 file. The issue only affects NGINX if it is built with
| the ngx_http_mp4_module and the mp4 directive is used in the
| configuration file. Additionally, the attack is possible only if an
| attacker can trigger the processing of a specially crafted mp4 file
| with the ngx_http_mp4_module. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-7347
https://www.cve.org/CVERecord?id=CVE-2024-7347
[1] https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
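The advisory text above names two preconditions for exposure: nginx built with ngx_http_mp4_module, and the mp4 directive present in the configuration. The following POSIX sh helper is an added example (not code from this bug report, from Debian or from nginx) that checks both against `nginx -V` output and a configuration dump; the sample build string and config are constructed for illustration, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: triage whether a deployment meets both preconditions
# stated for CVE-2024-7347, i.e. built with ngx_http_mp4_module AND the
# mp4 directive in use. Inputs are strings so the check can run on
# evidence collected from a host ("nginx -V 2>&1" and "nginx -T").

# $1: build information (output of `nginx -V`), $2: configuration text.
# Returns 0 when both conditions hold, 1 otherwise.
nginx_mp4_exposure() {
    build_info=$1
    config_text=$2
    built_with=0
    directive_used=0

    # Condition 1: the module was compiled in (static configure flag).
    case "$build_info" in
        *--with-http_mp4_module*) built_with=1 ;;
    esac

    # Condition 2: an "mp4;" directive appears outside a comment.
    # Comments are stripped first so "# mp4;" does not count, and the
    # pattern excludes related names such as mp4_buffer_size.
    if printf '%s\n' "$config_text" | sed 's/#.*$//' \
        | grep -Eq '(^|[[:space:]])mp4[[:space:]]*;'; then
        directive_used=1
    fi

    if [ "$built_with" -eq 1 ] && [ "$directive_used" -eq 1 ]; then
        echo "EXPOSED: module built in and mp4 directive in use"
        return 0
    fi
    echo "NOT EXPOSED: built_with=$built_with directive_used=$directive_used"
    return 1
}

# Constructed sample evidence (not output captured from a real host).
SAMPLE_BUILD='nginx version: nginx/1.26.0
configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF='location /video/ {
    # mp4;   (commented out: must not count)
    mp4;
    mp4_buffer_size 1m;
}'

nginx_mp4_exposure "$SAMPLE_BUILD" "$SAMPLE_CONF" || true
```

A hit means the host should receive the fixed package promptly; a miss on either condition means the vulnerable code path is not reachable with the current build and configuration.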