http://nginx.org/en/CHANGES

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c67aacaa0cdf0181c71042f49dce7dc8b23c2e08

commit c67aacaa0cdf0181c71042f49dce7dc8b23c2e08
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-02-15 04:03:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-15 13:17:10 +0000

    www-servers/nginx: add 1.25.4

    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-servers/nginx/Manifest | 1 +
 www-servers/nginx/nginx-1.25.4.ebuild | 1112 +++++++++++++++++++++++++++++++++
 2 files changed, 1113 insertions(+)

Please stabilize when ready, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf4dd40ab44f6407164eeee7d5189602b7f295be

commit cf4dd40ab44f6407164eeee7d5189602b7f295be
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2024-04-24 12:38:37 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-04-24 12:41:47 +0000

    www-servers/nginx: drop 1.25.3, 1.25.3-r1

    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest | 1 -
 www-servers/nginx/nginx-1.25.3-r1.ebuild | 1112 ------------------------------
 www-servers/nginx/nginx-1.25.3.ebuild | 1078 -----------------------------
 3 files changed, 2191 deletions(-)

I've added the cleanup whiteboard status assuming that 1.24.x is also vulnerable and still needs to be removed. Please let us know if this is not the case.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15ee8b9878108d89e4a0eae8770cc78d1466d287

commit 15ee8b9878108d89e4a0eae8770cc78d1466d287
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2024-05-29 22:50:37 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-05-29 22:53:39 +0000

    www-servers/nginx: drop 1.24.0-r3, 1.24.0-r4

    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest | 2 -
 www-servers/nginx/nginx-1.24.0-r3.ebuild | 1066 -----------------------------
 www-servers/nginx/nginx-1.24.0-r4.ebuild | 1100 ------------------------------
 3 files changed, 2168 deletions(-)

I have just dropped 1.24.x from the tree.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=93155fde00088b123d8b46acf068ecadcf7bcfdb

commit 93155fde00088b123d8b46acf068ecadcf7bcfdb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 08:27:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 08:27:36 +0000

    [ GLSA 202409-32 ] nginx: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/924619
    Bug: https://bugs.gentoo.org/937938
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-32.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)