Advisories » MGASA-2024-0286

Nginx has been updated to the latest stable release to fix CVE

Publication date: 10 Sep 2024
Modification date: 10 Sep 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-7347

Description

CVE-2024-7347: NGINX Open Source and NGINX Plus have a vulnerability in
the ngx_http_mp4_module, which might allow an attacker to over-read
NGINX worker memory resulting in its termination, using a specially
crafted mp4 file. The issue only affects NGINX if it is built with the
ngx_http_mp4_module and the mp4 directive is used in the configuration
file. Additionally, the attack is possible only if an attacker can
trigger the processing of a specially crafted mp4 file with the
ngx_http_mp4_module. Note: Software versions which have reached End of
Technical Support (EoTS) are not evaluated.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33509
• https://openwall.com/lists/oss-security/2024/08/14/4
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7347
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7347

SRPMS

9/core

• nginx-1.26.2-1.mga9