Bug 33509 - nginx new security issue CVE-2024-7347
Summary: nginx new security issue CVE-2024-7347
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-02 12:05 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST

See Also:
Source RPM: nginx-1.24.0-2.mga9.src.rpm
CVE: CVE-2024-7347
Status comment:



Description Nicolas Salguero 2024-09-02 12:05:44 CEST
CVE-2024-7347 was announced here:
https://openwall.com/lists/oss-security/2024/08/14/4

The fix is: https://nginx.org/download/patch.2024.mp4.txt
Nicolas Salguero 2024-09-02 12:05:57 CEST

Source RPM: (none) => nginx-1.24.0-2.mga9.src.rpm
CVE: (none) => CVE-2024-7347

Comment 1 Marja Van Waes 2024-09-04 08:26:25 CEST
No registered maintainer, so assigning to all.
CC'ing kekepower, who touched this package most often in recent years

CC: (none) => marja11, smelror
Assignee: bugsquad => pkg-bugs

Comment 2 Stig-Ørjan Smelror 2024-09-04 15:19:35 CEST
Advisory
========

Nginx has been updated to the latest stable release to fix CVE.

References
==========
https://openwall.com/lists/oss-security/2024/08/14/4


Files
=====

Uploaded to core/updates_testing

nginx-1.26.2-1.mga9

from nginx-1.26.2-1.mga9.src.rpm

Assignee: pkg-bugs => bugsquad

Stig-Ørjan Smelror 2024-09-04 15:21:11 CEST

Assignee: bugsquad => qa-bugs

Len Lawrence 2024-09-05 11:33:53 CEST

Keywords: (none) => advisory
CC: (none) => tarazed25

Comment 3 Stig-Ørjan Smelror 2024-09-05 16:29:24 CEST
Advisory
========

Nginx has been updated to the latest stable release to fix CVE-2024-7347.

CVE-2024-7347: NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

References
==========
https://openwall.com/lists/oss-security/2024/08/14/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7347


Files
=====

Uploaded to core/updates_testing

nginx-1.26.2-1.mga9

from nginx-1.26.2-1.mga9.src.rpm
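
The advisory above ties exposure to two conditions: nginx built with ngx_http_mp4_module, and the mp4 directive present in the configuration. The following check for both is an added example, not part of this bug report or of Mageia's tooling; the function names are hypothetical and the sample `nginx -V` output and configuration are constructed.

```python
import re

FIXED_STABLE = (1, 26, 2)  # stable release the advisory above ships as the fix

# Constructed samples (not captured from a real host).
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.24.0\n"
    "configure arguments: --with-http_ssl_module --with-http_mp4_module\n"
)
SAMPLE_CONF = r"""server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    location ~ \.mp4$ {
        # mp4;
        root /srv/media;
    }
}
"""

def parse_nginx_v(text):
    """Return (version tuple, True if the mp4 module was compiled in)."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups()), "--with-http_mp4_module" in text

def mp4_directive_lines(conf):
    """Line numbers where a bare `mp4;` directive is active."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        code = line.split("#", 1)[0]  # simplification: ignores '#' inside quotes
        # Match `mp4;` only, not mp4_buffer_size or a `\.mp4$` location regex.
        if re.search(r"(?:^|[;{}\s])mp4\s*;", code):
            hits.append(n)
    return hits

def assess(nginx_v, conf):
    """Classify a host as not-exposed, exposed, patched or check-upstream."""
    version, built_in = parse_nginx_v(nginx_v)
    lines = mp4_directive_lines(conf)
    if not built_in or not lines:
        return "not-exposed", lines
    if version[:2] > FIXED_STABLE[:2]:
        # Newer branches are not covered by this page; consult upstream.
        return "check-upstream", lines
    return ("patched" if version >= FIXED_STABLE else "exposed"), lines
```

Feed it the output of `nginx -V 2>&1` (the build information goes to stderr) and of `nginx -T`, which dumps the configuration with included files expanded.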
Comment 4 Len Lawrence 2024-09-05 19:00:42 CEST
Thanks Stig for the updated advisory.
Comment 5 Herman Viaene 2024-09-09 10:40:05 CEST
MGA9-64 server Plasma Wayland on HP-Pavilion
No installation issues.
Ref bug 30993 for testing.
# nginx 
Then point Firefox to http://localhost/
and get a page as answer with the heading: "Welcome to nginx 1.26.2 on Mageia!"
Good enough for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 6 Thomas Andrews 2024-09-10 03:04:25 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Mageia Robot 2024-09-10 18:41:19 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0286.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

