
Nginx [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161,...

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, May 30, 2024.

  1. eva2000

    eva2000 Administrator Staff Member

    Hello!

    Four security issues were identified in nginx HTTP/3 implementation, which
    might allow an attacker that uses a specially crafted QUIC session to cause
    a worker process crash (CVE-2024-31079, CVE-2024-32760, CVE-2024-35200),
    worker process memory disclosure on systems with MTU larger than 4096
    bytes (CVE-2024-34161), or might have potential other impact (CVE-2024-31079,
    CVE-2024-32760).

    The issues affect nginx compiled with the experimental ngx_http_v3_module
    (not compiled by default) if the "quic" option of the "listen" directive
    is used in a configuration file.

    The issues affect nginx 1.25.0-1.25.5, 1.26.0.
    The issues are fixed in nginx 1.27.0, 1.26.1.

    Thanks to Nils Bars of CISPA.



    --
    Sergey Kandaurov
    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    https://mailman.nginx.org/mailman/listinfo/nginx-announce

  2. eva2000

    eva2000 Administrator Staff Member

    FYI, Centmin Mod doesn't enable Nginx HTTP/3 QUIC support by default so this security issue wouldn't apply to Centmin Mod Nginx default out of the box installs :)
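
Added example, not part of the advisory or of either post above: a shell triage that checks the three conditions the advisory names (affected version, a build with ngx_http_v3_module, and a `listen` directive carrying `quic`). The function names and the sample output are constructed for illustration; it assumes the standard `nginx -V` and `nginx -T` output and the `--with-http_v3_module` configure flag.

```shell
# Added example (not from the advisory): triage against its three conditions.
# Helpers read saved `nginx -V` / `nginx -T` output on stdin, so they work offline.

nginx_version() {   # print "X.Y.Z" from `nginx -V` output
    sed -n 's/^nginx version: [^/]*\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Affected per the advisory: 1.25.0-1.25.5 and 1.26.0.
version_affected() {
    case "$1" in
        1.25.[0-5]|1.26.0) return 0 ;;
        *) return 1 ;;
    esac
}

built_with_http3() { grep -q -e '--with-http_v3_module'; }

# True if an uncommented listen directive carries the "quic" option.
config_uses_quic() {
    grep -Eq '^[[:space:]]*listen[[:space:]][^;#]*[[:space:]]quic[[:space:];]'
}

# triage <file with nginx -V output> <file with nginx -T output>
triage() {
    ver=$(nginx_version < "$1")
    if [ -z "$ver" ]; then
        echo "unknown: no version line found"
    elif ! version_affected "$ver"; then
        echo "not-affected: version $ver is outside the affected ranges"
    elif ! built_with_http3 < "$1"; then
        echo "not-affected: $ver built without ngx_http_v3_module"
    elif ! config_uses_quic < "$2"; then
        echo "not-exposed: $ver has HTTP/3 built in but no listen ... quic"
    else
        echo "affected: $ver with quic listener, upgrade to 1.27.0 or 1.26.1"
    fi
}

# With --live, check the local nginx; otherwise use constructed sample output.
v=$(mktemp); c=$(mktemp)
if [ "${1:-}" = "--live" ]; then
    nginx -V > "$v" 2>&1; nginx -T > "$c" 2>/dev/null   # -V writes to stderr
else
    printf '%s\n' 'nginx version: nginx/1.26.0' \
        'configure arguments: --with-http_v3_module' > "$v"
    printf '%s\n' 'listen 443 quic reuseport;' > "$c"
fi
triage "$v" "$c"; rm -f "$v" "$c"
```

A `not-exposed` result still warrants the upgrade, since adding a `quic` listener later would make the build affected.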