Bug 30993

Summary: nginx new security issues CVE-2022-41741, CVE-2022-41742
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nginx-1.18.0-5.2.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-10-20 14:04:05 CEST 
Nginx has issued an advisory on October 19:
https://mailman.nginx.org/archives/list/nginx-announce@nginx.org/message/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA/

The issues are fixed upstream in 1.22.1, and via a patch linked in the message above.
David Walser 2022-10-20 14:04:19 CEST

Status comment: (none) => Patch available from upstream

Comment 1 Nicolas Salguero 2022-10-21 15:00:38 CEST 
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

Two security issues were identified in the ngx_http_mp4_module, which might allow an attacker to cause a worker process crash or worker process memory disclosure by using a specially crafted mp4 file, or might have potential other impact. (CVE-2022-41741, CVE-2022-41742)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742
https://mailman.nginx.org/archives/list/nginx-announce@nginx.org/message/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA/
========================

Updated package in core/updates_testing:
========================
nginx-1.18.0-5.3.mga8

from SRPM:
nginx-1.18.0-5.3.mga8.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: smelror => qa-bugs
Status comment: Patch available from upstream => (none)

Comment 2 Herman Viaene 2022-10-24 16:17:35 CEST 
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 13044 for testing
# nginx 
point fitefox at http://localhost/
and get page as answer with in the heading: "Welcome to nginx 1.18.0 on Mageia!"
Looks OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-10-26 20:25:34 CEST 
Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-10-28 04:07:03 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-10-28 08:55:52 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0398.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED