nginx-1.20.1-22.el9_6.2.ML.1
Errata ID: AXSA:2025-10488:02
Release date:
2025/07/16 Wednesday - 11:38
Title:
nginx-1.20.1-22.el9_6.2.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
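The following issues have been addressed.
[Security Fix]
- The ngx_http_mp4_module in nginx has a memory corruption issue,
which results in a vulnerability that allows a local attacker to cause
a denial of service via a specially crafted media file. (CVE-2022-41741)
- The ngx_http_mp4_module in nginx has an issue that can cause a process
crash or information disclosure, which results in a vulnerability that
allows a local attacker to cause a denial of service via a specially
crafted media file. (CVE-2022-41742)
- The ngx_http_mp4_module module in NGINX has an issue where it reads
more worker memory than necessary, which results in a vulnerability that
allows a remote attacker to cause a denial of service via the processing
of a specially crafted MP4 video file. (CVE-2024-7347)
Solution:
Update the packages.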
CVE:
CVE-2022-41741
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2022-41742
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2024-7347
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
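All three CVE descriptions share the same preconditions: nginx must be built with ngx_http_mp4_module and the mp4 directive must be used in the configuration. The following script is an added example, not part of the original advisory, that checks both conditions from the text of `nginx -V` and `nginx -T`; the function names and sample inputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: exposure check for the ngx_http_mp4_module CVEs in this advisory.
# On a real host, feed it the output of:  nginx -V 2>&1   and   nginx -T 2>/dev/null

# Succeeds when the build string lists the mp4 module configure flag.
built_with_mp4() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Print "lineno:text" for every active `mp4;` directive in a config dump.
# Comments are stripped first (naive: ignores '#' inside quoted strings).
# The directive must begin a statement, so the `video/mp4 mp4;` entry from
# mime.types and `mp4_buffer_size ...;` are not counted as hits.
active_mp4_directives() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -nE '(^|[;{}])[[:space:]]*mp4[[:space:]]*;' || true
}

# Combine the two preconditions stated in the CVE descriptions.
assess() {
    build="$1"; conf="$2"
    if ! built_with_mp4 "$build"; then
        echo "not-affected: module not built in"; return 0
    fi
    hits=$(active_mp4_directives "$conf")
    if [ -z "$hits" ]; then
        echo "not-exposed: module built in, mp4 directive unused"; return 0
    fi
    echo "exposed: update to the fixed package"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_BUILD='nginx version: nginx/1.20.1
configure arguments: --prefix=/usr/share/nginx --with-http_mp4_module --with-http_ssl_module'
SAMPLE_CONF='types { video/mp4    mp4; }
server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    # location /old/ { mp4; }
}'
SAMPLE_CONF_UNUSED='types { video/mp4    mp4; }
server { location / { root /srv/www; } }'

assess "$SAMPLE_BUILD" "$SAMPLE_CONF"
```

A "not-exposed" result still warrants the update, since the module remains in the binary and a later configuration change could enable the directive.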
Additional information:
N/A
Download:
SRPMS
- nginx-1.20.1-22.el9_6.2.ML.1.src.rpm
MD5: 3aa1814613f17814ea8b2b80de3e1087
SHA-256: 1ad815d472060b335b78dc2a2e2ca1fc11d3d157da43a99356e2fbf83033be07
Size: 1.07 MB
Asianux Server 9 for x86_64
- nginx-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: 7a40ca935458c1645e9cb1a09e281313
SHA-256: 3ec9b1506a60db86810d8dd5cea294b2ac7fa527e0d5319e653ec505fec5c9b5
Size: 36.25 kB
- nginx-all-modules-1.20.1-22.el9_6.2.ML.1.noarch.rpm
MD5: 39110b8c340711ce5421ab8d7980d0ca
SHA-256: e7750ef814440f7c83fe77f7a1190b5f3efc939f3d9cdb0a2ae9e06cba57adf6
Size: 7.95 kB
- nginx-core-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: c101e90451c446282233a7a89e54cc76
SHA-256: c99884a875ef292fb90ec19e8def84d9a18f20ae40f9a6638ab84b02b92d915a
Size: 572.61 kB
- nginx-filesystem-1.20.1-22.el9_6.2.ML.1.noarch.rpm
MD5: 21769014a5dcc0418ce987e968ace576
SHA-256: 6d38559971e8ca50dfe4c2f4355450ff0ba7987288e3950f40760e5910161523
Size: 9.51 kB
- nginx-mod-devel-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: 887cdc8542fc28eeef1a63f9d86d8fa0
SHA-256: ee74ed981c791851406f97213d3b532ea28b0092196bb573c4811e21f539fe0e
Size: 834.85 kB
- nginx-mod-http-image-filter-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: c610812a7457223c79e3723c6c6ff4ab
SHA-256: f615d280f9b1807676b8b8e3ab45181f69edef41528b023635f48599e7b7ed0f
Size: 19.72 kB
- nginx-mod-http-perl-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: 2b05ee57e7783f8213af0741fc926858
SHA-256: c4daf97f297efada498facd0bd1c8d00afc1f6c80453c5fb75d8fbb2cb6b9b9c
Size: 31.31 kB
- nginx-mod-http-xslt-filter-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: 4c8be93d1163fc85a8194c525a2cd9e9
SHA-256: ecb60a74f4c45c4c2a0dfca18f81e66b347608080340f251021fe95bc7228cf0
Size: 18.48 kB
- nginx-mod-mail-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: fa1a593497650830ff2fafac288fa45f
SHA-256: d4a117a744baac13b066420c716571230b2e6ce6262f02ed97b8ff0b35b52eee
Size: 52.10 kB
- nginx-mod-stream-1.20.1-22.el9_6.2.ML.1.x86_64.rpm
MD5: 34f683a06ac1ebd537fa4f7289244bae
SHA-256: 8ad51b7398a426e80e8184ccd296c405cfb8e9f0fcdc52e819e7e7f9462321b9
Size: 77.32 kB