Source: nginx
Version: 1.26.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for nginx.

CVE-2024-7347[0]:
| NGINX Open Source and NGINX Plus have a vulnerability in the
| ngx_http_mp4_module, which might allow an attacker to over-read
| NGINX worker memory resulting in its termination, using a specially
| crafted mp4 file. The issue only affects NGINX if it is built with
| the ngx_http_mp4_module and the mp4 directive is used in the
| configuration file. Additionally, the attack is possible only if an
| attacker can trigger the processing of a specially crafted mp4 file
| with the ngx_http_mp4_module.  Note: Software versions which have
| reached End of Technical Support (EoTS) are not evaluated.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-7347
    https://www.cve.org/CVERecord?id=CVE-2024-7347
[1] https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f
    https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
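As an added example that is not part of this report, the POSIX shell check below applies the two preconditions quoted from the CVE text, a build with ngx_http_mp4_module and an mp4 directive in the active configuration, to constructed sample `nginx -V` and `nginx -T` output; the function names and sample inputs are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: test whether an nginx instance meets
# both preconditions named in the CVE text, (1) built with ngx_http_mp4_module
# and (2) the mp4 directive used in the configuration. Function names and the
# sample inputs below are constructed for illustration.

# $1: text of `nginx -V 2>&1`; succeeds if the module was compiled in.
nginx_has_mp4_module() {
  printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# $1: full configuration text (e.g. `nginx -T 2>/dev/null`); succeeds if a
# standalone `mp4;` directive is present. Comments are stripped first so a
# commented-out directive does not count, and the leading boundary keeps
# `mp4_buffer_size` or `mp4_max_buffer_size` from matching.
config_uses_mp4_directive() {
  printf '%s\n' "$1" | sed 's/#.*$//' \
    | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

# Both conditions must hold for the advisory to apply to this instance.
cve_2024_7347_preconditions_met() {
  nginx_has_mp4_module "$1" && config_uses_mp4_directive "$2"
}

# Constructed sample inputs (same shape as real nginx output).
SAMPLE_V='nginx version: nginx/1.26.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF='http {
    server {
        listen 80;
        location /video/ {
            mp4;
            mp4_buffer_size 1m;
        }
    }
}'

# On a live host the real output would be passed instead:
#   cve_2024_7347_preconditions_met "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
if cve_2024_7347_preconditions_met "$SAMPLE_V" "$SAMPLE_CONF"; then
  echo "mp4 module built in and mp4 directive active: CVE-2024-7347 applies"
else
  echo "preconditions not met"
fi
```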
