--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-2e4858330c
2024-06-08 19:34:23.244978
--------------------------------------------------------------------------------

Name        : nginx
Product     : Fedora 39
Version     : 1.26.1
Release     : 1.fc39
URL         : https://nginx.org
Summary     : A high performance web server and reverse proxy server
Description :
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.

--------------------------------------------------------------------------------
Update Information:

*) Security: when using HTTP/3, processing of a specially crafted QUIC
   session might cause a worker process crash, worker process memory
   disclosure on systems with MTU larger than 4096 bytes, or might have
   potential other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200,
   CVE-2024-34161). Thanks to Nils Bars of CISPA.

*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
   "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.

*) Bugfix: nginx could not be built by gcc 14 if the --with-atomic option
   was used. Thanks to Edgar Bonet.

*) Bugfix: in HTTP/3.
--------------------------------------------------------------------------------
ChangeLog:

* Thu May 30 2024 Felix Kaechele felix@kaechele.ca - 1:1.26.1-1
- update to 1.26.1
- fixes CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161
* Wed May 22 2024 Luboš Uhliarik luhliari@redhat.com - 1:1.26.0-3
- Fix possible segfault introduced in patch which adds
  ssl-pass-phrase-dialog directive
- Add back Maxim's PGP removed by mistake
- Add actual fix of the patch
* Wed May 22 2024 Luboš Uhliarik luhliari@redhat.com - 1:1.26.0-2
- Fix possible segfault introduced in patch which adds
  ssl-pass-phrase-dialog directive
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2283925 - CVE-2024-35200 nginx: undisclosed HTTP/3 requests can cause NGINX worker processes to terminate [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2283925
  [ 2 ] Bug #2283932 - CVE-2024-34161 nginx: undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2283932
  [ 3 ] Bug #2283939 - CVE-2024-32760 nginx: undisclosed HTTP/3 encoder instructions terminate or cause or other potential impact [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2283939
  [ 4 ] Bug #2283946 - CVE-2024-31079 nginx: undisclosed HTTP/3 requests can cause NGINX worker processes to terminate [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2283946
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2024-2e4858330c' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
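
The security entry above applies only "when using HTTP/3", so a host is exposed when it runs a version older than 1.26.1 with a QUIC listener configured. The following triage helper is an added example, not part of the Fedora notification or of nginx; the function names and sample inputs are constructed for illustration, and it assumes GNU sort and single-line listen directives.

```shell
# Added example (not from the Fedora notification): HTTP/3 exposure triage.
FIXED_VERSION="1.26.1"   # fixed version named in this advisory

# Extract X.Y.Z from `nginx -V` output passed as $1.
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# True when version $1 sorts strictly before FIXED_VERSION (GNU sort -V).
older_than_fixed() {
    [ "$1" != "$FIXED_VERSION" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)" = "$1" ]
}

# True when the build includes the HTTP/3 module ($1 = `nginx -V` output).
built_with_http3() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# True when an uncommented single-line listen directive carries the quic
# parameter ($1 = configuration text, e.g. from `nginx -T`).
config_uses_quic() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)'
}

# Prints one of: patched | exposed | outdated-no-http3 | unknown
triage() {
    triage_v="$(nginx_version "$1")"
    if [ -z "$triage_v" ]; then echo unknown
    elif ! older_than_fixed "$triage_v"; then echo patched
    elif built_with_http3 "$1" && config_uses_quic "$2"; then echo exposed
    else echo outdated-no-http3
    fi
}

# Constructed sample inputs (not captured from a real host).
V_OLD='nginx version: nginx/1.26.0
configure arguments: --with-http_ssl_module --with-http_v3_module'
V_NEW='nginx version: nginx/1.26.1
configure arguments: --with-http_ssl_module --with-http_v3_module'
CONF_QUIC='    listen 443 quic reuseport;
    listen 443 ssl;'
CONF_TLS='    # listen 443 quic reuseport;
    listen 443 ssl;'

echo "1.26.0 with a quic listener: $(triage "$V_OLD" "$CONF_QUIC")"
# Live host: triage "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
```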