Package | nginx |
---|---|
Version | 1.6.2-5+deb8u10 (jessie), 1.10.3-1+deb9u8 (stretch) |
Related CVEs | CVE-2021-3618 CVE-2022-41741 CVE-2022-41742 |
It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file.
This module is only enabled in the nginx-extras binary package.
In addition, the following vulnerability has been fixed.
CVE-2021-3618
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to a victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise
For Debian 8 jessie, these problems have been fixed in version 1.6.2-5+deb8u10.
For Debian 9 stretch, these problems have been fixed in version 1.10.3-1+deb9u8.
We recommend that you upgrade your nginx packages.
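To verify that an installed nginx package is at or above the fixed versions named above, the following added example (not part of the advisory or of Debian's tooling) reimplements the dpkg version-comparison rules (epoch, upstream version, Debian revision; `~` sorts before everything, letters before non-letters) in plain Python, so it can be run on hosts where `dpkg --compare-versions` is not at hand. The suite names and the `is_fixed` helper are this example's own.

```python
import re

# Fixed versions quoted by the advisory, keyed by suite (our own mapping).
FIXED_VERSIONS = {
    "jessie": "1.6.2-5+deb8u10",
    "stretch": "1.10.3-1+deb9u8",
}

def _order(c):
    """Sort weight of one non-digit character, as dpkg defines it."""
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c == "":
        return 0             # end of string
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before others

def _cmp_fragment(a, b):
    """Compare two version fragments (upstream or revision) dpkg-style."""
    while a or b:
        # Alternate: a run of non-digits compared char by char ...
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i] if i < len(na) else "")
            ob = _order(nb[i] if i < len(nb) else "")
            if oa != ob:
                return -1 if oa < ob else 1
        # ... then a run of digits compared numerically.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no hyphen: whole string is upstream
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, mirroring `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(suite, installed_version):
    """True if the installed version is at or above the advisory's fix."""
    return compare_versions(installed_version, FIXED_VERSIONS[suite]) >= 0
```

Feed it the version shown by `dpkg -s nginx-extras` (the only binary package carrying the mp4 module) or `dpkg -s nginx-full`, for example `is_fixed("stretch", "1.10.3-1+deb9u7")` returns False.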
Further information about Extended LTS security advisories can be found in the dedicated section of our website.