Nginx [nginx-announce] nginx security advisory (CVE-2024-7347)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 15, 2024.

  1. eva2000

    eva2000 Administrator Staff Member

    A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash by using a specially crafted mp4 file (CVE-2024-7347). The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the “mp4” directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

    The issue affects nginx 1.5.13+.
    The issue is fixed in 1.27.1, 1.26.2.


    Patch for the issue can be found here: https://nginx.org/download/patch.2024.mp4.txt

    Thanks to Nils Bars for the initial report.


  2. eva2000

    FYI, Centmin Mod doesn't enable the MP4 nginx module by default unless you specifically enabled it via the persistent config file /etc/centminmod/custom_config.inc by setting the variable option
    Code (Text):
    NGINX_MP4='y'
    

    or via enabling the NGINX_VIDEO='y' variable, which enables the following Nginx modules: NGINX_SLICE='y', NGINX_RTMP='y', NGINX_FLV='y', NGINX_MP4='y'
    Code (Text):
    NGINX_VIDEO='y'
    

    You can verify if Nginx has MP4 enabled via the nginx -V command and a grep filter for the word mp4
    Code (Text):
    nginx -V 2>&1 | grep -o mp4
    

    If it returns empty, then the MP4 nginx module is not enabled; if it returns mp4, then MP4 is enabled.
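
The advisory's three conditions (version in the affected range, module compiled in, `mp4` directive actually used) can be checked together. The script below is an added example, not part of the posts above and not Centmin Mod or nginx code; the function names and the sample input are made up for illustration, and it assumes the stock `nginx version: nginx/x.y.z` banner.

```shell
#!/bin/sh
# Added example: triage a host against the conditions in the CVE-2024-7347 advisory.
# Distro packages can backport the fix without changing the version string, so
# read an "AFFECTED" verdict as "check the package changelog".

ver_ge() {  # ver_ge A B: success if dotted version A >= B (numeric, per field)
    awk -v a="$1" -v b="$2" 'BEGIN { split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
        exit 0 }'
}

version_affected() {  # advisory: 1.5.13+ affected, fixed in 1.26.2 and 1.27.1
    ver_ge "$1" 1.27.1 && return 1
    ver_ge "$1" 1.27.0 && return 0
    ver_ge "$1" 1.26.2 && return 1
    ver_ge "$1" 1.5.13
}

mp4_built() {  # $1 = `nginx -V` output
    printf '%s\n' "$1" | grep -q -e '--with-http_mp4_module'
}

mp4_directive_used() {  # $1 = `nginx -T` dump; comment stripping is naive
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

assess() {  # assess V_OUTPUT T_OUTPUT: prints one verdict line
    _ver=$(printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$_ver" ]; then echo "unknown: no nginx version found"
    elif ! version_affected "$_ver"; then echo "not affected: $_ver is outside the affected range"
    elif ! mp4_built "$1"; then echo "not affected: $_ver built without ngx_http_mp4_module"
    elif ! mp4_directive_used "$2"; then echo "not exposed: module built, mp4 directive unused"
    else echo "AFFECTED: $_ver serves files through the mp4 directive"
    fi
}

# Constructed sample input (not from a real host)
SAMPLE_V='nginx version: nginx/1.27.0
configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_T='location /video/ { mp4; mp4_buffer_size 1m; }'
assess "$SAMPLE_V" "$SAMPLE_T"

# Real host, only when nginx is on PATH (nginx -T may need root)
if command -v nginx >/dev/null 2>&1; then
    assess "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
fi
```

Unlike the plain `grep -o mp4`, this separates "module built in" from "directive in use", which is the combination the advisory says is required.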