Security update for nginx SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0283-1 Final 1 1 2025-01-29T12:33:28Z current 2025-01-29T12:33:28Z 2025-01-29T12:33:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nginx This update for nginx fixes the following issues: - CVE-2023-44487: Mitigate HTTP/2 Rapid Reset Attack (bsc#1216171) - CVE-2024-7347: Fixed worker crashes on special crafted mp4 files containing invalid chunk information (bsc#1229155) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/nginx:latest-2025-283,SUSE-2025-283,SUSE-SLE-Module-Server-Applications-15-SP6-2025-283,openSUSE-SLE-15.6-2025-283 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250283-1/ Link for SUSE-SU-2025:0283-1 https://lists.suse.com/pipermail/sle-security-updates/2025-January/020236.html E-Mail link for SUSE-SU-2025:0283-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1229155 SUSE Bug 1229155 https://www.suse.com/security/cve/CVE-2023-44487/ SUSE CVE CVE-2023-44487 page https://www.suse.com/security/cve/CVE-2024-7347/ SUSE CVE CVE-2024-7347 page Container suse/nginx:latest SUSE Linux Enterprise Module for Server Applications 15 SP6 openSUSE Leap 15.6 nginx-1.21.5-150600.10.3.1 nginx-source-1.21.5-150600.10.3.1 nginx-1.21.5-150600.10.3.1 as a component of Container suse/nginx:latest nginx-1.21.5-150600.10.3.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 nginx-source-1.21.5-150600.10.3.1 as a component of SUSE Linux Enterprise Module for Server Applications 15 SP6 nginx-1.21.5-150600.10.3.1 as a component of openSUSE Leap 15.6 nginx-source-1.21.5-150600.10.3.1 as a component of openSUSE Leap 15.6 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-44487 Container suse/nginx:latest:nginx-1.21.5-150600.10.3.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:nginx-1.21.5-150600.10.3.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:nginx-source-1.21.5-150600.10.3.1 openSUSE Leap 15.6:nginx-1.21.5-150600.10.3.1 openSUSE Leap 15.6:nginx-source-1.21.5-150600.10.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250283-1/ https://www.suse.com/security/cve/CVE-2023-44487.html CVE-2023-44487 https://bugzilla.suse.com/1216109 SUSE Bug 1216109 https://bugzilla.suse.com/1216123 SUSE Bug 1216123 https://bugzilla.suse.com/1216169 SUSE Bug 1216169 https://bugzilla.suse.com/1216171 SUSE Bug 1216171 https://bugzilla.suse.com/1216174 SUSE Bug 1216174 https://bugzilla.suse.com/1216176 SUSE Bug 1216176 https://bugzilla.suse.com/1216181 SUSE Bug 1216181 https://bugzilla.suse.com/1216182 SUSE Bug 1216182 https://bugzilla.suse.com/1216190 SUSE Bug 1216190 NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. CVE-2024-7347 Container suse/nginx:latest:nginx-1.21.5-150600.10.3.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:nginx-1.21.5-150600.10.3.1 SUSE Linux Enterprise Module for Server Applications 15 SP6:nginx-source-1.21.5-150600.10.3.1 openSUSE Leap 15.6:nginx-1.21.5-150600.10.3.1 openSUSE Leap 15.6:nginx-source-1.21.5-150600.10.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250283-1/ https://www.suse.com/security/cve/CVE-2024-7347.html CVE-2024-7347 https://bugzilla.suse.com/1229155 SUSE Bug 1229155