• Bug#1100336: bookworm-pu: package nginx/1.22.1-9+deb12u2

    From Andrej Shadura@21:1/5 to All on Wed Mar 12 19:20:01 2025
    XPost: linux.debian.devel.release



    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: nginx@packages.debian.org, Jan Mojžíš <jan.mojzis@gmail.com>
    Control: affects -1 + src:nginx
    User: release.debian.org@packages.debian.org
    Usertags: pu

    Hi,

    I’d like to upload a backport of patches fixing CVE-2024-7347.
    This issue has been fixed in the nginx version currently in trixie/unstable.
    I also plan to upload a similar fix to the nginx version in bullseye, so to
    ensure users don’t update from nginx with this bug fixed to one that’s
    still vulnerable, I’d like to fix it in bookworm as well.

    [ Reason ]

    Nginx has a vulnerability in the ngx_http_mp4_module, which might allow
    an attacker to over-read nginx worker memory resulting in its termination
    using a specially crafted mp4 file. The issue only affects nginx if it
    is built with the ngx_http_mp4_module and the mp4 directive is used in
    the configuration file. Additionally, the attack is possible only if an
    attacker can trigger the processing of a specially crafted mp4 file with
    the ngx_http_mp4_module.

    [ Impact ]

    Since this bug is going to be fixed in bullseye, users may hit the
    vulnerability once they upgrade to bookworm.

    [ Tests ]

    I ran the automated tests (autopkgtests) included in the package.

    [ Risks ]

    This change is trivial.

    [ Checklist ]
      [x] *all* changes are documented in the d/changelog
      [x] I reviewed all changes and I approve them
      [x] attach debdiff against the package in (old)stable
      [x] the issue is verified as fixed in unstable

    [ Changes ]

    This is a trivial cherry-pick of the upstream commits
    7362d01658b and 88955b1044e without any manual fixups.

    Thanks.

    -- 
    Cheers,
      Andrej

    diff -Nru nginx-1.22.1/debian/changelog nginx-1.22.1/debian/changelog
    --- nginx-1.22.1/debian/changelog 2025-02-17 20:40:29.000000000 +0100
    +++ nginx-1.22.1/debian/changelog 2025-03-12 18:55:08.000000000 +0100
    @@ -1,3 +1,12 @@
    +nginx (1.22.1-9+deb12u2) bookworm; urgency=medium
    +
    + * Non-maintainer upload by the LTS Team.
    + * Add upstream patches for CVE-2024-7347:
    + - mp4: fix buffer underread while updating stsz atom
    + - mp4: reject unordered chunks in stsc atom
    +
    + -- Andrej Shadura <andrewsh@debian.org> Wed, 12 Mar 2025 18:55:08 +0100
    +
    nginx (1.22.1-9+deb12u1) bookworm; urgency=medium

    * d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.
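    Review bot: the new changelog stanza names CVE-2024-7347 but neither the upstream commit ids the cover message cites (7362d01658b and 88955b1044e) nor the patch files being added, whereas the stanza directly below it uses the `d/p/CVE-2025-23419.patch add, backport CVE-2025-23419 fix.` form that names the file; consider the same form here, listing the d/p/CVE-2024-7347-*.patch files and the two commit ids next to the two bullets, so that someone reading the changelog can trace each patch to its upstream commit without this bug thread.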
    diff -Nru nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch
    --- nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch 1970-01-01 01:00:00.000000000 +0100
    +++ nginx-1.22.1/debian/patches/CVE-2024-7347-1.patch 2025-03-12 18:54:39.000000000 +0100
    @@ -0,0 +1,49 @@
    +From: Roman Arutyunyan <arut@nginx.com>
    +Date: Mon, 12 Aug 2024 18:20:43 +0400
    +Subject: Mp4:
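    Review bot: the DEP-3 header of d/p/CVE-2024-7347-1.patch breaks off on this page after `+Subject: Mp4:` (the hunk header promises 49 lines), so its `Origin:`/`Bug:` fields cannot be reviewed here; since the cover message describes the patch as a plain cherry-pick of upstream commits 7362d01658b and 88955b1044e, the header should carry an `Origin:` line naming the matching commit rather than only From/Date/Subject, and the same applies to the second patch file the two changelog bullets imply.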
  • From Jonathan Wiltshire@21:1/5 to All on Thu Mar 27 12:00:01 2025

    Control: tag -1 moreinfo

    Hi,

    Is this fixed in unstable yet? It's a bit hard to tell without any bug tracking. If so please go ahead and remove moreinfo from this request.

    Thanks,

    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw

    4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to Andrej Shadura on Mon Apr 14 21:40:01 2025

    Control: tag -1 confirmed

    On Mon, Mar 31, 2025 at 05:22:43PM +0200, Andrej Shadura wrote:
    > Hi,
    >
    > On Thu, 27 Mar 2025 10:47:03 +0000 Jonathan Wiltshire <jmw@debian.org>
    > wrote:
    > > Is this fixed in unstable yet? It's a bit hard to tell without any bug tracking. If so please go ahead and remove moreinfo from this request.
    >
    > Yes, it’s been fixed in unstable in one of the previous uploads.

    Please go ahead.

    Thanks,
    --
    Jonathan Wiltshire jmw@debian.org
    Debian Developer http://people.debian.org/~jmw


  • From Jonathan Wiltshire@21:1/5 to All on Mon Apr 14 22:10:01 2025

    package release.debian.org
    tags 1100336 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: nginx
    Version: 1.22.1-9+deb12u2

    Explanation: fix buffer underread and unordered chunk vulnerabilities in mp4 [CVE-2024-7347]

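    The bug report above states the two preconditions for exposure (nginx built with ngx_http_mp4_module, and the `mp4` directive actually used in the configuration) and the acceptance notice names the fixed bookworm version, 1.22.1-9+deb12u2. The POSIX shell script below is an added example, not part of this thread or of the Debian package: it turns those conditions plus the package version into a single check a practitioner can run on a bookworm host. The `nginx -V` output, configuration snippets and version strings embedded in it are constructed sample data; the `sort -V` fallback used when `dpkg` is absent is an approximation of Debian version ordering that is only known to be right for the versions in this thread, which is why the script prefers `dpkg --compare-versions` whenever it is available.

```shell
#!/bin/sh
# Added example, not from the bug report or the nginx package. Reduces the
# exposure conditions for CVE-2024-7347 stated in #1100336 to a script:
#   1. nginx built with ngx_http_mp4_module
#   2. the `mp4` directive actually used in the configuration
#   3. package version older than the fixed bookworm version
# All sample inputs below are constructed, not captured from a real host.

FIXED_VERSION='1.22.1-9+deb12u2'   # version named in the acceptance notice

# 1. `nginx -V` prints its configure arguments (to stderr); a build that
#    includes the module lists --with-http_mp4_module there.
mp4_module_built() {
    # $1: output of `nginx -V 2>&1`
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# 2. The directive is the bare token `mp4;` inside a location block. Strip
#    comments first so a commented-out `# mp4;` does not count, and anchor the
#    token so that `mp4_buffer_size` and friends do not match.
mp4_directive_used() {
    # $1: configuration text, e.g. output of `nginx -T 2>/dev/null`
    printf '%s\n' "$1" | sed 's/#.*$//' \
        | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

# 3. Debian version comparison: $1 >= $2. dpkg's own comparison is
#    authoritative; the `sort -V` fallback (assumption: only checked against
#    the versions in this thread, not a general dpkg reimplementation) lets
#    the script run where dpkg is absent.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# Verdict: returns 0 (exposed) only when all three conditions hold, and prints
# the reason in every case. $1: nginx -V output, $2: config text, $3: version.
cve_2024_7347_exposed() {
    if version_ge "$3" "$FIXED_VERSION"; then
        echo "not exposed: $3 already contains the fix"
        return 1
    fi
    if ! mp4_module_built "$1"; then
        echo "not exposed: nginx was built without ngx_http_mp4_module"
        return 1
    fi
    if ! mp4_directive_used "$2"; then
        echo "not exposed: mp4 directive not used (module built in but dormant)"
        return 1
    fi
    echo "EXPOSED: $3 < $FIXED_VERSION, mp4 module built in and mp4 directive active"
    return 0
}

# Constructed sample data.
SAMPLE_V_WITH_MP4='nginx version: nginx/1.22.1
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-http_mp4_module --with-http_v2_module'
SAMPLE_V_WITHOUT_MP4='nginx version: nginx/1.22.1
configure arguments: --with-http_ssl_module --with-http_v2_module'
SAMPLE_CONF_MP4='server {
    listen 80;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'
SAMPLE_CONF_NO_MP4='server {
    listen 80;
    location /video/ {
        # mp4;
        mp4_buffer_size 1m;
    }
}'

# Demo on the constructed data. On a bookworm host pass live values instead:
#   cve_2024_7347_exposed "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)" \
#       "$(dpkg-query -W -f='${Version}' nginx)"
for v in '1.22.1-9+deb12u1' "$FIXED_VERSION"; do
    cve_2024_7347_exposed "$SAMPLE_V_WITH_MP4" "$SAMPLE_CONF_MP4" "$v" || :
done
cve_2024_7347_exposed "$SAMPLE_V_WITHOUT_MP4" "$SAMPLE_CONF_MP4" '1.22.1-9+deb12u1' || :
cve_2024_7347_exposed "$SAMPLE_V_WITH_MP4" "$SAMPLE_CONF_NO_MP4" '1.22.1-9+deb12u1' || :
```

    On a live host the three arguments come from `nginx -V 2>&1` (it prints to stderr), `nginx -T 2>/dev/null` (the fully resolved configuration, including files pulled in by `include`) and `dpkg-query -W -f='${Version}' nginx`. Checking the package version alone is the wrong shortcut in both directions: a host on an old version is not reachable by the crafted file if the module is absent or `mp4` is never enabled, and a host that enables `mp4` needs the fixed version regardless of whether anyone has uploaded mp4 content yet.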