ALT-BU-2016-3004-1
Branch c7 update bulletin.
Closed vulnerabilities
BDU:2015-00638
Уязвимость программного обеспечения nginx, позволяющая удаленному злоумышленнику нарушить конфиденциальность защищаемой информации
BDU:2016-00707
Уязвимость прокси-сервера nginx, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2021-05139
Уязвимость компонента os/unix/ngx_files.c платформы мониторинга и управления приложениями NGINX, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2014-3556
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
- [nginx-announce] 20140805 nginx security advisory (CVE-2014-3556)
- [nginx-announce] 20140805 nginx security advisory (CVE-2014-3556)
- HPSBOV03227
- HPSBOV03227
- http://nginx.org/download/patch.2014.starttls.txt
- http://nginx.org/download/patch.2014.starttls.txt
- https://bugzilla.redhat.com/show_bug.cgi?id=1126891
- https://bugzilla.redhat.com/show_bug.cgi?id=1126891
Modified: 2024-11-21
CVE-2014-3616
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
Modified: 2024-11-21
CVE-2016-0742
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
- openSUSE-SU-2016:0371
- openSUSE-SU-2016:0371
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- DSA-3473
- DSA-3473
- 1034869
- 1034869
- USN-2892-1
- USN-2892-1
- RHSA-2016:1425
- RHSA-2016:1425
- https://bto.bluecoat.com/security-advisory/sa115
- https://bto.bluecoat.com/security-advisory/sa115
- https://bugzilla.redhat.com/show_bug.cgi?id=1302587
- https://bugzilla.redhat.com/show_bug.cgi?id=1302587
- GLSA-201606-06
- GLSA-201606-06
- https://support.apple.com/kb/HT212818
- https://support.apple.com/kb/HT212818
Modified: 2024-11-21
CVE-2016-0746
Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.
- openSUSE-SU-2016:0371
- openSUSE-SU-2016:0371
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- DSA-3473
- DSA-3473
- 1034869
- 1034869
- USN-2892-1
- USN-2892-1
- RHSA-2016:1425
- RHSA-2016:1425
- https://bto.bluecoat.com/security-advisory/sa115
- https://bto.bluecoat.com/security-advisory/sa115
- https://bugzilla.redhat.com/show_bug.cgi?id=1302588
- https://bugzilla.redhat.com/show_bug.cgi?id=1302588
- GLSA-201606-06
- GLSA-201606-06
- https://support.apple.com/kb/HT212818
- https://support.apple.com/kb/HT212818
Modified: 2024-11-21
CVE-2016-0747
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
- openSUSE-SU-2016:0371
- openSUSE-SU-2016:0371
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- [nginx] 20160126 nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- 20210921 APPLE-SA-2021-09-20-4 Xcode 13
- DSA-3473
- DSA-3473
- 1034869
- 1034869
- USN-2892-1
- USN-2892-1
- RHSA-2016:1425
- RHSA-2016:1425
- https://bto.bluecoat.com/security-advisory/sa115
- https://bto.bluecoat.com/security-advisory/sa115
- https://bugzilla.redhat.com/show_bug.cgi?id=1302589
- https://bugzilla.redhat.com/show_bug.cgi?id=1302589
- GLSA-201606-06
- GLSA-201606-06
- https://support.apple.com/kb/HT212818
- https://support.apple.com/kb/HT212818
Modified: 2024-11-21
CVE-2016-4450
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
Closed bugs
Пытаются переоткрыться логи не запущенного сервера
Неработоспособен из коробки