-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 22 Nov 2022 23:19:18 CET
Source: nginx
Architecture: source
Version: 1.14.2-2+deb10u5
Distribution: buster-security
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 b039a8d6227cc12de6cb2383a036ee09b95ab81d 4332 nginx_1.14.2-2+deb10u5.dsc
 bf5187c639761408b2d74587c1726a1eeab49b4c 935176 nginx_1.14.2-2+deb10u5.debian.tar.xz
 670d0ee425ddcc823298e44fbc865812b7e15b48 23558 nginx_1.14.2-2+deb10u5_amd64.buildinfo
Checksums-Sha256:
 55105c6396ad17d125d8c49ae3731eb36d085933e77ddf3605d6dbba05df8ce9 4332 nginx_1.14.2-2+deb10u5.dsc
 9456b8ab944a8dbfc2913f78a12caa77c65792042300e8a3917235652ad5bfe3 935176 nginx_1.14.2-2+deb10u5.debian.tar.xz
 b0a55b6903d0884cde65e0724f6be5a8d2fa75b03fd74a19dc5b02dd4f6b10ed 23558 nginx_1.14.2-2+deb10u5_amd64.buildinfo
Changes:
 nginx (1.14.2-2+deb10u5) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2021-3618:
     ALPACA is an application layer protocol content confusion attack,
     exploiting TLS servers implementing different protocols but using
     compatible certificates, such as multi-domain or wildcard certificates.
     A MiTM attacker having access to victim's traffic at the TCP/IP layer can
     redirect traffic from one subdomain to another, resulting in a valid TLS
     session. This breaks the authentication of TLS and cross-protocol attacks
     may be possible where the behavior of one protocol service may compromise
     the other at the application layer.
   * Fix CVE-2022-41741 and CVE-2022-41742:
     It was discovered that parsing errors in the mp4 module of Nginx, a
     high-performance web and reverse proxy server, could result in denial of
     service, memory disclosure or potentially the execution of arbitrary code
     when processing a malformed mp4 file.
Files:
 12a93b31e488b799cbbcdc8ff2c37f96 4332 httpd optional nginx_1.14.2-2+deb10u5.dsc
 feaea4d7b8ffdfe703cddc59941a9076 935176 httpd optional nginx_1.14.2-2+deb10u5.debian.tar.xz
 bd9be01c24440d5d9597c38bce2efbb9 23558 httpd optional nginx_1.14.2-2+deb10u5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----