nginx-1.20.1-22.el9_6.2.ML.1

Errata ID: AXSA:2025-10488:02

Release date: 
Wednesday, July 16, 2025 - 11:38
Subject: 
nginx-1.20.1-22.el9_6.2.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage.

Security Fix(es):

* nginx: Memory corruption in the ngx_http_mp4_module (CVE-2022-41741)
* nginx: Memory disclosure in the ngx_http_mp4_module (CVE-2022-41742)
* nginx: specially crafted MP4 file may cause denial of service (CVE-2024-7347)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-41741
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2022-41742
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2024-7347
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
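
All three CVE descriptions above share two preconditions: nginx is built with ngx_http_mp4_module, and the mp4 directive is active in the configuration. The following is an added example, not part of the original advisory, that checks a host for both; the function names and the sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: exposure check for the ngx_http_mp4_module CVEs in this advisory.
# Sample inputs below are constructed; on a real host use the commands named in
# the comments next to them.

# Constructed stand-in for: nginx -V 2>&1
SAMPLE_V='nginx version: nginx/1.20.1
configure arguments: --with-http_ssl_module --with-http_mp4_module'

# Constructed stand-in for: nginx -T 2>/dev/null  (full effective configuration)
SAMPLE_T='server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    location /old/ {
        # mp4;
    }
}'

# Succeeds if the build arguments on stdin include the mp4 module.
built_with_mp4() {
    grep -q -- '--with-http_mp4_module'
}

# Prints "line:text" for every active `mp4;` directive in the config on stdin.
# Comments are stripped first; mp4_buffer_size and similar do not match.
active_mp4_directives() {
    sed 's/#.*$//' | grep -nE '(^|[[:space:];{}])mp4[[:space:]]*;'
}

# $1 = build info, $2 = config dump. Prints one of:
#   not-built    module absent, the advisory's conditions are not met
#   module-only  module compiled in, but no mp4 directive is active
#   exposed      both conditions from the CVE descriptions hold
assess() {
    if ! printf '%s\n' "$1" | built_with_mp4; then
        echo not-built
    elif printf '%s\n' "$2" | active_mp4_directives >/dev/null; then
        echo exposed
    else
        echo module-only
    fi
}

assess "$SAMPLE_V" "$SAMPLE_T"
```

On a live system, call `assess "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"`; `active_mp4_directives` on its own lists the matching line numbers in the dump so the affected locations can be reviewed.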

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nginx-1.20.1-22.el9_6.2.ML.1.src.rpm
    MD5: 3aa1814613f17814ea8b2b80de3e1087
    SHA-256: 1ad815d472060b335b78dc2a2e2ca1fc11d3d157da43a99356e2fbf83033be07
    Size: 1.07 MB

Asianux Server 9 for x86_64
  1. nginx-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: 7a40ca935458c1645e9cb1a09e281313
    SHA-256: 3ec9b1506a60db86810d8dd5cea294b2ac7fa527e0d5319e653ec505fec5c9b5
    Size: 36.25 kB
  2. nginx-all-modules-1.20.1-22.el9_6.2.ML.1.noarch.rpm
    MD5: 39110b8c340711ce5421ab8d7980d0ca
    SHA-256: e7750ef814440f7c83fe77f7a1190b5f3efc939f3d9cdb0a2ae9e06cba57adf6
    Size: 7.95 kB
  3. nginx-core-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: c101e90451c446282233a7a89e54cc76
    SHA-256: c99884a875ef292fb90ec19e8def84d9a18f20ae40f9a6638ab84b02b92d915a
    Size: 572.61 kB
  4. nginx-filesystem-1.20.1-22.el9_6.2.ML.1.noarch.rpm
    MD5: 21769014a5dcc0418ce987e968ace576
    SHA-256: 6d38559971e8ca50dfe4c2f4355450ff0ba7987288e3950f40760e5910161523
    Size: 9.51 kB
  5. nginx-mod-devel-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: 887cdc8542fc28eeef1a63f9d86d8fa0
    SHA-256: ee74ed981c791851406f97213d3b532ea28b0092196bb573c4811e21f539fe0e
    Size: 834.85 kB
  6. nginx-mod-http-image-filter-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: c610812a7457223c79e3723c6c6ff4ab
    SHA-256: f615d280f9b1807676b8b8e3ab45181f69edef41528b023635f48599e7b7ed0f
    Size: 19.72 kB
  7. nginx-mod-http-perl-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: 2b05ee57e7783f8213af0741fc926858
    SHA-256: c4daf97f297efada498facd0bd1c8d00afc1f6c80453c5fb75d8fbb2cb6b9b9c
    Size: 31.31 kB
  8. nginx-mod-http-xslt-filter-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: 4c8be93d1163fc85a8194c525a2cd9e9
    SHA-256: ecb60a74f4c45c4c2a0dfca18f81e66b347608080340f251021fe95bc7228cf0
    Size: 18.48 kB
  9. nginx-mod-mail-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: fa1a593497650830ff2fafac288fa45f
    SHA-256: d4a117a744baac13b066420c716571230b2e6ce6262f02ed97b8ff0b35b52eee
    Size: 52.10 kB
  10. nginx-mod-stream-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
    MD5: 34f683a06ac1ebd537fa4f7289244bae
    SHA-256: 8ad51b7398a426e80e8184ccd296c405cfb8e9f0fcdc52e819e7e7f9462321b9
    Size: 77.32 kB