A release of the main branch nginx 1.23.2 has been formed, within which the development of new features continues, as well as the release of a parallel supported stable branch of nginx 1.22.1, in which only changes related to the elimination of serious errors and vulnerabilities are made.

The new versions fixed two vulnerabilities (CVE-2022-41741, CVE-2022-41742) in the ngx_http_mp4_module module used to organize streaming from H.264/AAC files. Vulnerabilities could lead to memory corruption or memory leaks when processing a specially crafted mp4 file. Crashes of the workflow are mentioned as consequences, but other manifestations are not excluded, such as the organization of code execution on the server.

Update nginx 1.22.1 and 1.23.2 with vulnerabilities fixed

It is noteworthy that a similar vulnerability was already fixed in the ngx_http_mp4_module in 2012. In addition, F5 has reported a similar vulnerability (CVE-2022-41743) in NGINX Plus that affects the ngx_http_hls_module, which provides support for the HLS (Apple HTTP Live Streaming) protocol.

I recommend reading about: Nginx Proxy Configuration

In addition to fixing vulnerabilities in nginx 1.23.2, the following changes are proposed:

  • Added support for the “$proxy_protocol_tlv_*” variables, which store the values ​​of the TLV (Type-Length-Value) fields that appear in the Type-Length-Value PROXY v2 protocol.
  • Provided automatic rotation of encryption keys for session TLS tickets, used when using shared memory in the ssl_session_cache directive.
  • The logging level for errors related to incorrect SSL record type has been downgraded from Critical to Informational.
  • The logging level for messages about the inability to allocate memory for a new session has been changed from alert to warn and is limited to outputting one record per second.
  • On the Windows platform, the assembly with OpenSSL 3.0 has been adjusted.
  • Improved reflection in the log of PROXY protocol errors.
  • Fixed an issue where the timeout specified in the “ssl_session_timeout” directive did not work when using TLSv1.3 based on OpenSSL or BoringSSL.
Source: https://losst.ru/. The article is distributed under the CC-BY-SA license

Leave a Reply