Description
Security update for nginx
This update for nginx fixes the following issues:
- CVE-2021-3618: Fixed the ALPACA attack by limiting the number of errors after which the connection is closed (bsc#1187685).
Package list
SUSE Linux Enterprise Module for Server Applications 15 SP3
- nginx-1.19.8-150300.3.9.1
- nginx-source-1.19.8-150300.3.9.1
openSUSE Leap 15.3
- nginx-1.19.8-150300.3.9.1
- nginx-source-1.19.8-150300.3.9.1
- vim-plugin-nginx-1.19.8-150300.3.9.1
openSUSE Leap 15.4
- vim-plugin-nginx-1.19.8-150300.3.9.1
References
- Link for SUSE-SU-2022:4201-1
- E-Mail link for SUSE-SU-2022:4201-1
- SUSE Security Ratings
- SUSE Bug 1187685
- SUSE CVE CVE-2021-3618 page
Description
ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker with access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
Affected products
SUSE Linux Enterprise Module for Server Applications 15 SP3:nginx-1.19.8-150300.3.9.1
SUSE Linux Enterprise Module for Server Applications 15 SP3:nginx-source-1.19.8-150300.3.9.1
openSUSE Leap 15.3:nginx-1.19.8-150300.3.9.1
openSUSE Leap 15.3:nginx-source-1.19.8-150300.3.9.1
References
- CVE-2021-3618
- SUSE Bug 1187678