Your message dated Tue, 20 Aug 2024 15:03:30 +0000
with message-id <[email protected]>
and subject line Bug#1078971: fixed in nginx 1.26.0-2
has caused the Debian Bug report #1078971,
regarding nginx: CVE-2024-7347
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1078971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078971
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.26.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for nginx.
CVE-2024-7347[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_http_mp4_module, which might allow an attacker to over-read
| NGINX worker memory resulting in its termination, using a specially
| crafted mp4 file. The issue only affects NGINX if it is built with
| the ngx_http_mp4_module and the mp4 directive is used in the
| configuration file. Additionally, the attack is possible only if an
| attacker can trigger the processing of a specially crafted mp4 file
| with the ngx_http_mp4_module. Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-7347
https://www.cve.org/CVERecord?id=CVE-2024-7347
[1] https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
    https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
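The advisory above scopes CVE-2024-7347 to servers that are both built with ngx_http_mp4_module and actually use the `mp4` directive. The following is an added example, not part of the bug report or of the Debian package, showing how an operator can evaluate those two conditions from the output of `nginx -V` (configure arguments) and `nginx -T` (dumped configuration). The sample strings below are constructed for the demonstration; on a real host the two variables would be filled from the commands named in the comments.

```shell
#!/bin/sh
# Added example (not part of the Debian bug report): a defender-side exposure
# check for CVE-2024-7347. Per the advisory, the issue applies only when nginx
# is built with ngx_http_mp4_module AND the "mp4" directive is in the config.
# Inputs are plain strings so the logic can be exercised offline; on a live
# host use:  BUILD=$(nginx -V 2>&1)   CONF=$(nginx -T 2>/dev/null)

# Returns 0 if the configure arguments show the mp4 module was compiled in,
# either statically or as a dynamic module.
has_mp4_module() {
    printf '%s\n' "$1" | grep -Eq -- '--with-http_mp4_module(=dynamic)?'
}

# Returns 0 if the dumped configuration contains an active "mp4;" directive.
# Comments are stripped first so a commented-out directive does not count;
# "mp4_buffer_size" and similar directives do not match because only a bare
# "mp4" followed by optional whitespace and ";" is accepted.
config_uses_mp4() {
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

# Combine the two conditions into a single verdict string.
exposure_verdict() {
    build_flags=$1
    config_dump=$2
    if has_mp4_module "$build_flags" && config_uses_mp4 "$config_dump"; then
        echo "exposed: mp4 module built and mp4 directive in use; patched in Debian nginx 1.26.0-2"
    elif has_mp4_module "$build_flags"; then
        echo "module-present: mp4 module built but mp4 directive not used"
    else
        echo "not-affected: mp4 module not built"
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_V='nginx version: nginx/1.26.0
configure arguments: --with-http_ssl_module --with-http_mp4_module=dynamic --with-http_v2_module'
SAMPLE_T='# configuration file /etc/nginx/sites-enabled/media:
server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'

exposure_verdict "$SAMPLE_V" "$SAMPLE_T"
```

The "module-present" verdict is deliberately kept separate from "not-affected": a host with the module built but the directive unused is not exposed today, but a later configuration change would make it so, which is worth knowing when deciding how urgently to roll the fixed package.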
--- Begin Message ---
Source: nginx
Source-Version: 1.26.0-2
Done: Jan Mojžíš <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Mojžíš <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 Aug 2024 18:46:30 +0200
Source: nginx
Architecture: source
Version: 1.26.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Jan Mojžíš <[email protected]>
Closes: 1070488 1078971
Changes:
nginx (1.26.0-2) unstable; urgency=medium
.
[ Jan Mojžíš ]
* d/rules: enable QUIC and HTTP/3 module (Closes: 1070488)
* d/control: bump Standards-Version: 4.7.0, no changes
* d/p/nginx-1.26.1.patch add, backport changes from the nginx 1.26.1 and fix
CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161
* d/p/CVE-2024-7347.patch add, backport CVE-2024-7347 fix (Closes: 1078971)
* d/libnginx-mod.abisubstvars updated comment when ABI needs to be changed
.
[ Thomas Ward ]
* d/conf/nginx.conf: Update default options for current security
practices and standards. SSL protos, disable prefer server
ciphers, hide server tokens/versions in responses.
Checksums-Sha1:
a1f537a03ce8f64734fb9622d6b43c00f657f2c6 3554 nginx_1.26.0-2.dsc
6c657915ec55b8c6543cb5bfb3acd1ed2acfdead 77660 nginx_1.26.0-2.debian.tar.xz
75d2498f4f5243c95292f329b6c15029ff4d4c37 9016 nginx_1.26.0-2_source.buildinfo
Checksums-Sha256:
be536b17fd73c3443582c6dae1230f708cd203d9bd78dae1b49111a263766786 3554 nginx_1.26.0-2.dsc
9c14c4a283eaa75d61d27216a6faa04b5dbe54c2000012418ce35bf69502cb5d 77660 nginx_1.26.0-2.debian.tar.xz
b0fefcdc90a9097a4c7eade060eb22f1999e8423be99d3ad66744bcf44d9e6d1 9016 nginx_1.26.0-2_source.buildinfo
Files:
afc4d667701ce1d1775757780a0f6438 3554 httpd optional nginx_1.26.0-2.dsc
8862e11d3bf907306923a0b6579f99cc 77660 httpd optional nginx_1.26.0-2.debian.tar.xz
b9cda3dda1ce82fd8e14a85e322a6460 9016 httpd optional nginx_1.26.0-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---