thr3ads.net - nginx announce - [nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200) [May 2024]

If this information is useful, please help other people find it:
Share via:

Sergey Kandaurov

2024-May-29 15:12 UTC

[nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)

Hello!

Four security issues were identified in nginx HTTP/3 implementation, which
might allow an attacker that uses a specially crafted QUIC session to cause
a worker process crash (CVE-2024-31079, CVE-2024-32760, CVE-2024-35200),
worker process memory disclosure on systems with MTU larger than 4096
bytes (CVE-2024-34161), or might have potential other impact (CVE-2024-31079,
CVE-2024-32760).

The issues affect nginx compiled with the experimental ngx_http_v3_module
(not compiled by default) if the "quic" option of the
"listen" directive
is used in a configuration file.

The issues affect nginx 1.25.0-1.25.5, 1.26.0.
The issues are fixed in nginx 1.27.0, 1.26.1.

Thanks to Nils Bars of CISPA.


-- 
Sergey Kandaurov

Reasonably Related Threads

Search for more apparently analagous threads

nginx announce - May 2024 - nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)

[nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)

Reasonably Related Threads