Security update for nginx SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0282-1 Final 1 1 2025-01-29T08:04:14Z current 2025-01-29T08:04:14Z 2025-01-29T08:04:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nginx This update for nginx fixes the following issues: - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack (bsc#1216171) - CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information (bsc#1229155) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-282,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-282,SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-282,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-282,SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-282,SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-282,SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-282,SUSE-SLE-Product-SLES_SAP-15-SP4-2025-282,SUSE-SLE-Product-SLES_SAP-15-SP5-2025-282,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2025-282,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-282 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250282-1/ Link for SUSE-SU-2025:0282-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020233.html E-Mail link for SUSE-SU-2025:0282-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1229155 SUSE Bug 1229155 https://www.suse.com/security/cve/CVE-2023-44487/ SUSE CVE CVE-2023-44487 page https://www.suse.com/security/cve/CVE-2024-7347/ SUSE CVE CVE-2024-7347 page SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS SUSE Linux Enterprise Server 15 SP4-LTSS SUSE Linux Enterprise Server 15 SP5-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Manager Proxy 4.3 SUSE Manager Server 4.3 nginx-1.21.5-150400.3.6.1 nginx-source-1.21.5-150400.3.6.1 nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP4-LTSS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server 15 SP5-LTSS nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP4 nginx-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP5 nginx-1.21.5-150400.3.6.1 as a component of SUSE Manager Proxy 4.3 nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Manager Proxy 4.3 nginx-1.21.5-150400.3.6.1 as a component of SUSE Manager Server 4.3 nginx-source-1.21.5-150400.3.6.1 as a component of SUSE Manager Server 4.3 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP5-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP5-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:nginx-source-1.21.5-150400.3.6.1 SUSE Manager Proxy 4.3:nginx-1.21.5-150400.3.6.1 SUSE Manager Proxy 4.3:nginx-source-1.21.5-150400.3.6.1 SUSE Manager Server 4.3:nginx-1.21.5-150400.3.6.1 SUSE Manager Server 4.3:nginx-source-1.21.5-150400.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250282-1/ https://www.suse.com/security/cve/CVE-2023-44487.html CVE-2023-44487 https://bugzilla.suse.com/1216109 SUSE Bug 1216109 https://bugzilla.suse.com/1216123 SUSE Bug 1216123 https://bugzilla.suse.com/1216169 SUSE Bug 1216169 https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1216174 SUSE Bug 1216174 https://bugzilla.suse.com/1216176 SUSE Bug 1216176 https://bugzilla.suse.com/1216181 SUSE Bug 1216181 https://bugzilla.suse.com/1216182 SUSE Bug 1216182 https://bugzilla.suse.com/1216190 SUSE Bug 1216190 NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE-2024-7347 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP4-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP5-LTSS:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server 15 SP5-LTSS:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP4:nginx-source-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:nginx-1.21.5-150400.3.6.1 SUSE Linux Enterprise Server for SAP Applications 15 SP5:nginx-source-1.21.5-150400.3.6.1 SUSE Manager Proxy 4.3:nginx-1.21.5-150400.3.6.1 SUSE Manager Proxy 4.3:nginx-source-1.21.5-150400.3.6.1 SUSE Manager Server 4.3:nginx-1.21.5-150400.3.6.1 SUSE Manager Server 4.3:nginx-source-1.21.5-150400.3.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250282-1/ https://www.suse.com/security/cve/CVE-2024-7347.html CVE-2024-7347 https://bugzilla.suse.com/1229155 SUSE Bug 1229155