SUSE-SU-2023:0212-1

Опубликовано: 30 янв. 2023

Источник: suse-cvrf

Описание

Security update for nginx

This update for nginx fixes the following issues:

CVE-2022-41741: Handle duplicated atoms in mp4 streams, to mitigate out-of-bound reads. (bsc#1204526)
CVE-2022-41742: Handle duplicated atoms in mp4 streams, to mitigate out-of-bound reads. (bsc#1204527)

Список пакетов

Container suse/nginx:latest

nginx-1.21.5-150400.3.3.1

Container suse/rmt-nginx:latest

nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS

nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2

nginx-1.21.5-150400.3.3.1

SUSE Linux Enterprise Module for Server Applications 15 SP4

nginx-1.21.5-150400.3.3.1

nginx-source-1.21.5-150400.3.3.1

openSUSE Leap 15.4

nginx-1.21.5-150400.3.3.1

nginx-source-1.21.5-150400.3.3.1

Ссылки

https://www.suse.com/support/update/announcement/2023/suse-su-20230212-1/
Link for SUSE-SU-2023:0212-1
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013597.html
E-Mail link for SUSE-SU-2023:0212-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1204526
SUSE Bug 1204526
https://bugzilla.suse.com/1204527
SUSE Bug 1204527
https://www.suse.com/security/cve/CVE-2022-41741/
SUSE CVE CVE-2022-41741 page
https://www.suse.com/security/cve/CVE-2022-41742/
SUSE CVE CVE-2022-41742 page

Описание

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Затронутые продукты

Container suse/nginx:latest:nginx-1.21.5-150400.3.3.1

Container suse/rmt-nginx:latest:nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2:nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS:nginx-1.21.5-150400.3.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-41741.html
CVE-2022-41741
https://bugzilla.suse.com/1204526
SUSE Bug 1204526

Описание

NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.

Затронутые продукты

Container suse/nginx:latest:nginx-1.21.5-150400.3.3.1

Container suse/rmt-nginx:latest:nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2:nginx-1.21.5-150400.3.3.1

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS:nginx-1.21.5-150400.3.3.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-41742.html
CVE-2022-41742
https://bugzilla.suse.com/1204527
SUSE Bug 1204527

SUSE-SU-2023:0212-1

Описание

Список пакетов

Container suse/nginx:latest

Container suse/rmt-nginx:latest

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS

Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2

SUSE Linux Enterprise Module for Server Applications 15 SP4

openSUSE Leap 15.4

Ссылки

Уязвимость: CVE-2022-41741

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2022-41742

Описание

Затронутые продукты

Ссылки