thr3ads.net - nginx announce - [nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990) [Feb 2024]

If this information is useful, please help other people find it:
Share via:

Twitter
Facebook
Email

Sergey Kandaurov

2024-Feb-14 17:00 UTC

[nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)

Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen"
directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.


-- 
Sergey Kandaurov

nginx announce - Feb 2024 - nginx security advisory (CVE-2024-24989, CVE-2024-24990)

[nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)