nginx-1.11.4-2.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10044 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z nginx-1.11.4-2.5 on GA media These are all security issues fixed in the nginx-1.11.4-2.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10044 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10044 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2011-4315/ SUSE CVE CVE-2011-4315 page https://www.suse.com/security/cve/CVE-2012-2089/ SUSE CVE CVE-2012-2089 page https://www.suse.com/security/cve/CVE-2013-2070/ SUSE CVE CVE-2013-2070 page https://www.suse.com/security/cve/CVE-2013-4547/ SUSE CVE CVE-2013-4547 page https://www.suse.com/security/cve/CVE-2014-0133/ SUSE CVE CVE-2014-0133 page https://www.suse.com/security/cve/CVE-2014-3556/ SUSE CVE CVE-2014-3556 page https://www.suse.com/security/cve/CVE-2014-3616/ SUSE CVE CVE-2014-3616 page https://www.suse.com/security/cve/CVE-2016-0742/ SUSE CVE CVE-2016-0742 page https://www.suse.com/security/cve/CVE-2016-0746/ SUSE CVE CVE-2016-0746 page https://www.suse.com/security/cve/CVE-2016-0747/ SUSE CVE CVE-2016-0747 page https://www.suse.com/security/cve/CVE-2016-4450/ SUSE CVE CVE-2016-4450 page openSUSE Tumbleweed nginx-1.11.4-2.5 vim-plugin-nginx-1.11.4-2.5 nginx-1.11.4-2.5 as a component of openSUSE Tumbleweed vim-plugin-nginx-1.11.4-2.5 as a component of openSUSE Tumbleweed Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response. CVE-2011-4315 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-4315.html CVE-2011-4315 https://bugzilla.suse.com/731084 SUSE Bug 731084 Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file. CVE-2012-2089 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-2089.html CVE-2012-2089 https://bugzilla.suse.com/757057 SUSE Bug 757057 http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028. CVE-2013-2070 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-2070.html CVE-2013-2070 https://bugzilla.suse.com/821184 SUSE Bug 821184 nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI. CVE-2013-4547 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-4547.html CVE-2013-4547 https://bugzilla.suse.com/851295 SUSE Bug 851295 Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request. CVE-2014-0133 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0133.html CVE-2014-0133 https://bugzilla.suse.com/869076 SUSE Bug 869076 The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. CVE-2014-3556 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3556.html CVE-2014-3556 https://bugzilla.suse.com/890428 SUSE Bug 890428 nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks. CVE-2014-3616 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3616.html CVE-2014-3616 https://bugzilla.suse.com/897029 SUSE Bug 897029 https://bugzilla.suse.com/901519 SUSE Bug 901519 The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response. CVE-2016-0742 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0742.html CVE-2016-0742 https://bugzilla.suse.com/963781 SUSE Bug 963781 Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing. CVE-2016-0746 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0746.html CVE-2016-0746 https://bugzilla.suse.com/963778 SUSE Bug 963778 The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution. CVE-2016-0747 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0747.html CVE-2016-0747 https://bugzilla.suse.com/963775 SUSE Bug 963775 os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file. CVE-2016-4450 openSUSE Tumbleweed:nginx-1.11.4-2.5 openSUSE Tumbleweed:vim-plugin-nginx-1.11.4-2.5 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4450.html CVE-2016-4450 https://bugzilla.suse.com/982484 SUSE Bug 982484 https://bugzilla.suse.com/982505 SUSE Bug 982505 https://bugzilla.suse.com/982507 SUSE Bug 982507