
Security Nginx 1.25.3 Release for HTTP/2 Rapid Reset DDOS Attack Vulnerability CVE-2023-44487

Discussion in 'Centmin Mod News' started by eva2000, Oct 25, 2023.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    Nginx folks have officially released the Nginx 1.25.3 mainline version with a patch fix for additional mitigations against the HTTP/2 Rapid Reset DDoS attack vulnerability CVE-2023-44487. Existing Centmin Mod users can just run the command cmupdate and then run centmin.sh menu option 4 to recompile/update to the 1.25.3 version.

    Centmin Mod 130.00beta01 has already been updated to install Nginx 1.25.3 by default. However, Centmin Mod 124.00stable still uses the Nginx 1.24.0 stable branch out of the box, but users can also use centmin.sh menu option 4 to recompile/update to the 1.25.3 version as well.

    Nginx folks don't consider Nginx vulnerable to the HTTP/2 Rapid Reset DDoS attack vulnerability in the default configuration settings they provide. Hence the Nginx 1.24 stable branch is still on 1.24.0 and no 1.24.1 has been released for this. But Nginx did add a patch for additional mitigations against it in Nginx 1.25.2 mainline, which is now available in the official Nginx 1.25.3 mainline release.

    https://nginx.org/en/CHANGES

    Running centmin.sh menu option 4 to recompile/update to the 1.25.3 version. In the example below, my current version was running the previous Nginx master branch's 1.25.3 :)

    Code (Text):
    --------------------------------------------------------
         Centmin Mod Menu 130.00beta01 centminmod.com    
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  Option Being Revised (TBA)
    7).  Option Being Revised (TBA)
    8).  Option Being Revised (TBA)
    9).  Option Being Revised (TBA)
    10). Memcached Server Re-install
    11). MariaDB MySQL Upgrade & Management
    12). Zend OpCache Install/Re-install
    13). Install/Reinstall Redis PHP Extension
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: zstd,pigz,pbzip2,lbzip2
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Install/Re-Install
    21). Data Transfer (TBA)
    22). Add Wordpress Nginx vhost + Cache Plugin
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 4
    --------------------------------------------------------
    

    Code (Text):
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Current Nginx Version: 1.25.3 (241023-013128-almalinux9-6fcdada-br-a71f931)
    
    Install which version of Nginx? (version i.e. type 1.25.3): 1.25.3
    
    Do you still want to continue? [y/n] y
    

     
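A small defender-side check to go with the upgrade steps above: it parses the version string that `nginx -v` or the centmin.sh menu prints and reports whether the running binary is at or above 1.25.2 mainline, the release the post names as the one that added the extra Rapid Reset mitigations. This is an added example, not Centmin Mod's own code; the function names and the 1.25.2 threshold are assumptions taken from the post, and a "no" result only means the extra mitigations are absent, not that a default-config nginx is exploitable.

```shell
#!/bin/sh
# Added example (not Centmin Mod's code): does this nginx carry the
# additional HTTP/2 Rapid Reset (CVE-2023-44487) mitigations that
# landed in 1.25.2 mainline and shipped in 1.25.3?
# Assumption: the threshold version below is taken from the post.
MITIGATION_MIN="1.25.2"

# Extract the leading x.y.z from strings such as
#   "nginx version: nginx/1.25.3"                      (nginx -v, stderr)
#   "1.25.3 (241023-013128-almalinux9-6fcdada-br-a71f931)" (centmin.sh menu)
nginx_version_from_string() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: exit 0 when A >= B, comparing each numeric component
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# exit 0 = mitigations present, 1 = older than 1.25.2, 2 = unparseable input
nginx_has_rapid_reset_mitigation() {
    v=$(nginx_version_from_string "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MITIGATION_MIN"
}

# Stand-alone use against the live binary, if one is installed on this host
if command -v nginx >/dev/null 2>&1; then
    if nginx_has_rapid_reset_mitigation "$(nginx -v 2>&1)"; then
        echo "nginx carries the 1.25.2+ HTTP/2 Rapid Reset mitigations"
    else
        echo "nginx predates 1.25.2: run cmupdate, then centmin.sh menu option 4"
    fi
fi
```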
  2. eva2000

    eva2000 Administrator Staff Member

    Example Centmin Mod Nginx 1.25.3 configurations

    On AlmaLinux 8, using private EL8 beta installer for Nginx 1.25.3 built with HTTP/3 QUIC support via QuicTLS OpenSSL 1.1.1w fork and GCC 12
    On AlmaLinux 9, using private EL8 beta installer for Nginx 1.25.3 built with BoringSSL support and GCC 12

    On AlmaLinux 8, using private EL8 beta installer for Nginx 1.25.3 built with default OpenSSL 1.1.1w support and GCC 11 default on KVM VPS

    On CentOS 7, using public 130.00beta01 beta installer for Nginx 1.25.3 built with OpenSSL 1.1.1 default and GCC 11 on KVM VPS

     