
Nginx [nginx-announce] nginx security advisory (CVE-2021-23017)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, May 26, 2021.

  1. eva2000

    Hello!

    A security issue in nginx resolver was identified, which might allow an
    attacker to cause 1-byte memory overwrite by using a specially crafted
    DNS response, resulting in worker process crash or, potentially, in
    arbitrary code execution (CVE-2021-23017).

    The issue only affects nginx if the "resolver" directive is used in
    the configuration file. Further, the attack is only possible if an
    attacker is able to forge UDP packets from the DNS server.

    The issue affects nginx 0.6.18 - 1.20.0.
    The issue is fixed in nginx 1.21.0, 1.20.1.

    Patch for the issue can be found here:

    http://nginx.org/download/patch.2021.resolver.txt

    Thanks to Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.


    --
    Maxim Dounin
    http://nginx.org/
    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce
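
The following Python check is an added example, not part of the advisory or of nginx itself. It tests a host against the two conditions the advisory states: a version in the range 0.6.18 - 1.20.0 and an active "resolver" directive. The function names and the sample banner and configuration are constructed for illustration.

```python
import re

# Bounds from the advisory: 0.6.18 - 1.20.0 affected; fixed in 1.20.1 and 1.21.0.
FIRST_AFFECTED = (0, 6, 18)
LAST_AFFECTED = (1, 20, 0)

def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    # Caveat: a package with the patch backported may still report such a version.
    return FIRST_AFFECTED <= version <= LAST_AFFECTED

def resolver_directives(config_text):
    """Return the arguments of every active `resolver` directive."""
    # Drop comments (assumption: no '#' inside quoted strings).
    text = "\n".join(l.split("#", 1)[0] for l in config_text.splitlines())
    found = []
    # Directives end at ';' and blocks are delimited by '{' and '}'.
    for stmt in re.split(r"[;{}]", text):
        tokens = stmt.split()
        if tokens and tokens[0] == "resolver":  # not resolver_timeout
            found.append(" ".join(tokens[1:]))
    return found

def assess(banner, config_text):
    version = parse_version(banner)
    resolvers = resolver_directives(config_text)
    return {"version": version, "in_affected_range": version_affected(version),
            "resolvers": resolvers,
            "exposed": version_affected(version) and bool(resolvers)}

# Constructed sample input, not taken from a real deployment.
SAMPLE_BANNER = "nginx version: nginx/1.18.0 (Ubuntu)"
SAMPLE_CONFIG = """
http {
    # resolver 192.0.2.1;
    resolver_timeout 5s;
    server {
        resolver 192.0.2.53 valid=30s;
    }
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

Feed it the output of `nginx -T` so that included files are covered. It cannot tell whether an attacker is able to forge UDP packets from the DNS server, which is the advisory's other precondition.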
