Date: Thu, 30 May 2024 16:49:35 +0200
From: Solar Designer
To: oss-security@lists.openwall.com
Message-ID: <20240530144935.GA745@openwall.com>
Subject: [oss-security] nginx HTTP/3 security issues/fixes

Hi,

This was on the nginx-announce list yesterday:

https://mailman.nginx.org/pipermail/nginx-announce/2024/GMY32CSHFH6VFTN76HJNX7WNEX4RLHF6.html

---
[nginx-announce] nginx security advisory (CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200)

Sergey Kandaurov pluknet at nginx.com
Wed May 29 15:12:07 UTC 2024

Hello!

Four security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-31079, CVE-2024-32760,
CVE-2024-35200), worker process memory disclosure on systems with MTU
larger than 4096 bytes (CVE-2024-34161), or might have potential other
impact (CVE-2024-31079, CVE-2024-32760).

The issues affect nginx compiled with the experimental ngx_http_v3_module
(not compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issues affect nginx 1.25.0-1.25.5, 1.26.0.
The issues are fixed in nginx 1.27.0, 1.26.1.

Thanks to Nils Bars of CISPA.
---

and another one in February:

https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html

---
[nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)

Sergey Kandaurov pluknet at nginx.com
Wed Feb 14 17:00:05 UTC 2024

Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.
---

Alexander
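
Added example, not part of the original message or of the nginx advisories: a Python check that applies the affected-version ranges and the two preconditions quoted above (HTTP/3 module compiled in, a "listen" directive with "quic") to `nginx -V` output and a configuration dump such as `nginx -T` produces. The function names and sample inputs are constructed for this example, and the comment stripping assumes no `#` inside quoted values on listen lines.

```python
import re

# Affected ranges exactly as stated in the two advisories quoted above.
ADVISORIES = {
    "2024-02: CVE-2024-24989, CVE-2024-24990": [((1, 25, 0), (1, 25, 3))],
    "2024-05: CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, CVE-2024-35200":
        [((1, 25, 0), (1, 25, 5)), ((1, 26, 0), (1, 26, 0))],
}

def parse_nginx_v(text):
    """Return (version tuple, built_with_http3) from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version line found")
    return tuple(int(x) for x in m.groups()), "--with-http_v3_module" in text

def quic_listeners(config):
    """Return single-line listen directives carrying the quic parameter."""
    found = []
    for line in config.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        for m in re.finditer(r"\blisten\s+([^;]+);", line):
            params = m.group(1).split()
            if "quic" in params:
                found.append("listen " + " ".join(params) + ";")
    return found

def assess(nginx_v_output, config):
    """Exposed only if version is in range AND module is built AND quic is used."""
    version, has_v3 = parse_nginx_v(nginx_v_output)
    listeners = quic_listeners(config)
    hits = [name for name, ranges in ADVISORIES.items()
            if any(lo <= version <= hi for lo, hi in ranges)]
    exposed = bool(hits) and has_v3 and bool(listeners)
    return {"version": version, "http3_module": has_v3,
            "quic_listeners": listeners, "exposed": exposed,
            "advisories": hits if exposed else []}

# Constructed sample inputs (not taken from any real host).
SAMPLE_V = ("nginx version: nginx/1.25.3\n"
            "configure arguments: --with-http_ssl_module --with-http_v3_module\n")
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3
    # listen 8443 quic;
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```
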