Accepted nginx 1.14.2-2+deb10u5 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted nginx 1.14.2-2+deb10u5 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Tue, 22 Nov 2022 23:00:19 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: nginx_1.14.2-2+deb10u5_source.changes
- Debian-source: nginx
- Debian-suite: oldstable
- Debian-version: 1.14.2-2+deb10u5
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1oxcFX-0087Cq-1A@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 22 Nov 2022 23:19:18 CET
Source: nginx
Architecture: source
Version: 1.14.2-2+deb10u5
Distribution: buster-security
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
b039a8d6227cc12de6cb2383a036ee09b95ab81d 4332 nginx_1.14.2-2+deb10u5.dsc
bf5187c639761408b2d74587c1726a1eeab49b4c 935176 nginx_1.14.2-2+deb10u5.debian.tar.xz
670d0ee425ddcc823298e44fbc865812b7e15b48 23558 nginx_1.14.2-2+deb10u5_amd64.buildinfo
Checksums-Sha256:
55105c6396ad17d125d8c49ae3731eb36d085933e77ddf3605d6dbba05df8ce9 4332 nginx_1.14.2-2+deb10u5.dsc
9456b8ab944a8dbfc2913f78a12caa77c65792042300e8a3917235652ad5bfe3 935176 nginx_1.14.2-2+deb10u5.debian.tar.xz
b0a55b6903d0884cde65e0724f6be5a8d2fa75b03fd74a19dc5b02dd4f6b10ed 23558 nginx_1.14.2-2+deb10u5_amd64.buildinfo
Changes:
nginx (1.14.2-2+deb10u5) buster-security; urgency=high
.
* Non-maintainer upload by the LTS team.
* Fix CVE-2021-3618:
  ALPACA is an application layer protocol content confusion attack,
  exploiting TLS servers implementing different protocols but using
  compatible certificates, such as multi-domain or wildcard certificates. A
  MiTM attacker having access to the victim's traffic at the TCP/IP layer can
  redirect traffic from one subdomain to another, resulting in a valid TLS
  session. This breaks the authentication of TLS and cross-protocol attacks
  may be possible where the behavior of one protocol service may compromise
  the other at the application layer.
* Fix CVE-2022-41741 and CVE-2022-41742:
  It was discovered that parsing errors in the mp4 module of Nginx, a
  high-performance web and reverse proxy server, could result in denial of
  service, memory disclosure or potentially the execution of arbitrary code
  when processing a malformed mp4 file.
Files:
12a93b31e488b799cbbcdc8ff2c37f96 4332 httpd optional nginx_1.14.2-2+deb10u5.dsc
feaea4d7b8ffdfe703cddc59941a9076 935176 httpd optional nginx_1.14.2-2+deb10u5.debian.tar.xz
bd9be01c24440d5d9597c38bce2efbb9 23558 httpd optional nginx_1.14.2-2+deb10u5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----