Path: ...!newsreader4.netcologne.de!news.netcologne.de!fu-berlin.de!bofh.it!news.nic.it!robomod
From: Moritz Muehlenhoff <jmm@debian.org>
Newsgroups: linux.debian.announce.security
Subject: [SECURITY] [DSA 5281-1] nginx security update
Date: Tue, 15 Nov 2022 21:30:02 +0100
Message-ID: <FsaJc-3XRA-7@gated-at.bofh.it>
X-Original-To: debian-security-announce@lists.debian.org
X-Mailbox-Line: From debian-security-announce-request@lists.debian.org  Tue Nov 15 20:26:26 2022
Old-Return-Path: <jmm@seger.debian.org>
X-Amavis-Spam-Status: No, score=-114.005 tagged_above=-10000 required=5.3
	tests=[BAYES_00=-2, DIGITS_LETTERS=1, DKIMWL_WL_HIGH=-0.515,
	DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DKIM_VALID_EF=-0.1, FVGT_m_MULTI_ODD=0.02, LDO_WHITELIST=-5,
	PGPSIGNATURE=-5, RCVD_IN_DNSWL_MED=-2.3,
	USER_IN_DKIM_WELCOMELIST=-0.01, USER_IN_DKIM_WHITELIST=-100]
	autolearn=ham autolearn_force=no
Old-Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org;
	s=smtpauto.seger; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date
	:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
	In-Reply-To:References; bh=SdkBjIeGal6iz+tajHZ/VwRMjNkFaY9EUGwi8lqwQJQ=; b=uq
	h/C98CXvWCgWQyrpFASGpUEnykwRr/5NAEc+NRv6wPtu7eqT6IlUzHbeV41WLz9SeCIkv5RQSMPbY
	HnZJozxUwX+kPXiWocPIIQL5alw3kaNbtWh0ZVU021NGdW9ETWUBpRZXfZQ6Ym9BMjfi/G+IbZYzV
	bWzkjf3+I0eqs+a73q1B3/GGESabnl16yhYZpgXRBMOYnZJmhU6+TqoHyvoja/XBsZrGI8BnaRdkO
	rDCxuk/Zk8UURfVags0WWJayQc0zv4vwepV29pye45pgX7rR9+j+Ha0w7hgU6b5hGd/6D1ulRbFtW
	bevrIJrgrYcSrS6gLWra7LrMq2yHIm4g==;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Debian: PGP check passed for security officers
Priority: urgent
Reply-To: debian-security-announce-request@lists.debian.org
X-Mailing-List: <debian-security-announce@lists.debian.org> archive/latest/4180
List-ID: <debian-security-announce.lists.debian.org>
List-URL: <http://lists.debian.org/debian-security-announce/>
List-Archive: https://lists.debian.org/msgid-search/Y3P121EUTLIN0JCE@seger.debian.org
Approved: robomod@news.nic.it
Lines: 49
Organization: linux.* mail to news gateway
Sender: robomod@news.nic.it
X-Original-Date: Tue, 15 Nov 2022 20:26:03 +0000
X-Original-Message-ID: <Y3P121EUTLIN0JCE@seger.debian.org>
Bytes: 4594

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5281-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 15, 2022                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nginx
CVE ID         : CVE-2022-41741 CVE-2022-41742

It was discovered that parsing errors in the mp4 module of Nginx, a
high-performance web and reverse proxy server, could result in denial
of service, memory disclosure or potentially the execution of arbitrary
code when processing a malformed mp4 file.

This module is only enabled in the nginx-extras binary package.

For the stable distribution (bullseye), these problems have been fixed in
version 1.18.0-6.1+deb11u3.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNz9JcACgkQEMKTtsN8
Tjb4tg/7BRkAkF48UvvRjLolxVVuV1paSTRG8ArEeW3fHyA0fxs2UMuRL4ic1vqc
i3wxAAfHvYoOnk+QBY20Ly2MN7S7OukNovKE9AZCPulyYkVjtIWNSBeY0PzCU60y
RP/KCZAGoGEYi6s4SUrK194ved+7jIcybgLvvGA8FRKW3wTRvzRGMfR6NTLuP7B3
th0C5+KkapE8G5XlHWOIjv1h3Ok40cua7LtYx9RTITJ+wClvkJ6gPcCXXj/CnWWa
PUvuEBwyr0PEBXfL9v1P8Eq1MmN+mWU9KeLYxIC+vcJxtpsYL67tMHIGTlDUgDVE
FrXrDXi7XP/6hjl7t/J/cTPEwy/twX0emUQcUDlRNlOxh3skSmdPJP7DMu+t9UtQ
suepgZ+oHfHh3gs9EWz2zRqbsVO03NjhKo9ebIjhe3H0P39cX3NN5qlSJeNTY45k
VBDecnPQnhYqYuzqwXy5ZoUQDcU0Bo7zaUzeYhUsfXqrROV/tj+UTMrM2anHdQ4B
kAOrCBpmGP1lLvDs2PzBcWmBtII/5VTKZep05xH0L+dZWDV07j1ekCzv3/kuKiMl
GTJQ7yl3fgKjLdkjMFKQIfsm3xdYwzxjOmtEY86tUV0LjtdR2GlJtF4YdIQhA4b1
/R82ZisLfmZ4ElL+ua8iypLOe9reyO4EpVVDkeewFS64Ye1Wn3k=
=3mDY
-----END PGP SIGNATURE-----