Nginx 1.22.1 and 1.23.2 updates with vulnerability fixes

A release of the main branch, nginx 1.23.2, has been formed, in which development of new capabilities continues, together with a release of the parallel, supported stable branch nginx 1.22.1, which receives only changes related to fixing serious errors and vulnerabilities. The new versions fix two vulnerabilities (CVE-2022-41741, CVE-2022-41742) in the ngx_http_mp4_module module, which is used to organize streaming from files in H.264/AAC format. The vulnerabilities can lead to memory corruption or a leak of memory contents when processing a specially crafted file in MP4 format. Abnormal termination of the worker process is mentioned as the consequence, but other manifestations, such as code execution on the server, are not ruled out.

It is noteworthy that a similar vulnerability was already fixed in the ngx_http_mp4_module module in 2012. In addition, F5 reported a similar vulnerability (CVE-2022-41743) in the nginx Plus product, affecting one of its modules.

Other changes in the new releases:

  • Added the "$proxy_protocol_tlv_*" variables, which hold the values of the TLV (Type-Length-Value) fields that appear in PROXY protocol v2.
  • Automatic rotation of encryption keys for TLS session tickets used when shared memory is configured in the ssl_session_cache directive.
  • The logging level for errors related to an incorrect SSL record type was lowered from critical to informational.
  • The logging level for messages about being unable to allocate memory for a new session was changed from alert to warn and is limited to one entry per second.
  • Building with OpenSSL 3.0 on the Windows platform.
  • Reflection of the PROXY protocol in the log.
  • Fixed a problem where, when using TLSv1.3 based on OpenSSL or BoringSSL, the timeout specified in the "ssl_session_timeout" directive did not work.
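To make concrete what the new "$proxy_protocol_tlv_*" variables carry, here is an added example (not nginx code) of a bounds-checked parser for a PROXY protocol v2 header that extracts its TLV fields; the type codes follow the HAProxy PROXY protocol specification and the sample header is constructed with documentation addresses.

```python
import struct
from ipaddress import ip_address
# Constructed example: parse a PROXY protocol v2 header and extract its TLV fields, the data
# nginx's $proxy_protocol_tlv_* variables expose. Type codes follow the HAProxy PP2_TYPE_* list.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_NAMES = {0x01: "alpn", 0x02: "authority", 0x03: "crc32c", 0x04: "noop",
                  0x05: "unique_id", 0x20: "ssl", 0x30: "netns"}

def parse_proxy_v2(data: bytes) -> dict:
    """Return command, addresses and a {type_name: raw_value} TLV map; every declared length is bounds-checked."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header: declared length exceeds data")
    body = data[16:16 + length]
    result = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL", "tlv": {}}
    family = fam_proto >> 4
    if family == 1:       # AF_INET: src(4) dst(4) sport(2) dport(2)
        fmt, offset = "!4s4sHH", 12
    elif family == 2:     # AF_INET6: src(16) dst(16) sport(2) dport(2)
        fmt, offset = "!16s16sHH", 36
    else:
        return result     # AF_UNSPEC / AF_UNIX: no address block parsed here
    if len(body) < offset:
        raise ValueError("truncated address block")
    src, dst, sport, dport = struct.unpack(fmt, body[:offset])
    result.update(src=str(ip_address(src)), dst=str(ip_address(dst)),
                  src_port=sport, dst_port=dport)
    # TLV vector: 1-byte type, 2-byte big-endian length, value; never trust the length field
    while offset < len(body):
        if offset + 3 > len(body):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!BH", body[offset:offset + 3])
        offset += 3
        if offset + tlv_len > len(body):
            raise ValueError(f"TLV 0x{tlv_type:02x} length {tlv_len} exceeds header")
        name = PP2_TYPE_NAMES.get(tlv_type, f"0x{tlv_type:02x}")
        result["tlv"][name] = body[offset:offset + tlv_len]
        offset += tlv_len
    return result

def build_sample() -> bytes:
    """Constructed header: TCP/IPv4 203.0.113.7:51234 -> 198.51.100.1:443, ALPN "h2", UNIQUE_ID "abcd"."""
    tlvs = b"\x01\x00\x02h2" + b"\x05\x00\x04abcd"
    body = (ip_address("203.0.113.7").packed + ip_address("198.51.100.1").packed
            + struct.pack("!HH", 51234, 443) + tlvs)
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body
```

Running parse_proxy_v2(build_sample()) yields the addresses plus a TLV map with "alpn" and "unique_id"; a header whose TLV length field overruns the declared header length is rejected instead of being read past its end.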