Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924619 (CVE-2024-24989, CVE-2024-24990) - <www-servers/nginx-1.25.4: segmentation fault might occur while processing a specially crafted QUIC session
Summary: <www-servers/nginx-1.25.4: segmentation fault might occur while processing a ...
Status: RESOLVED FIXED
Alias: CVE-2024-24989, CVE-2024-24990
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 928619
Blocks:
  Show dependency tree
 
Reported: 2024-02-15 04:01 UTC by Tomáš Mózes
Modified: 2024-09-28 08:28 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tomáš Mózes 2024-02-15 04:01:17 UTC
http://nginx.org/en/CHANGES

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).
Comment 1 Larry the Git Cow gentoo-dev 2024-02-15 13:17:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c67aacaa0cdf0181c71042f49dce7dc8b23c2e08

commit c67aacaa0cdf0181c71042f49dce7dc8b23c2e08
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-02-15 04:03:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-15 13:17:10 +0000

    www-servers/nginx: add 1.25.4
    
    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-servers/nginx/Manifest            |    1 +
 www-servers/nginx/nginx-1.25.4.ebuild | 1112 +++++++++++++++++++++++++++++++++
 2 files changed, 1113 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-17 21:27:11 UTC
Please stabilize when ready, thanks!
Comment 3 Larry the Git Cow gentoo-dev 2024-04-24 12:42:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf4dd40ab44f6407164eeee7d5189602b7f295be

commit cf4dd40ab44f6407164eeee7d5189602b7f295be
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2024-04-24 12:38:37 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-04-24 12:41:47 +0000

    www-servers/nginx: drop 1.25.3, 1.25.3-r1
    
    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    1 -
 www-servers/nginx/nginx-1.25.3-r1.ebuild | 1112 ------------------------------
 www-servers/nginx/nginx-1.25.3.ebuild    | 1078 -----------------------------
 3 files changed, 2191 deletions(-)
Comment 4 Hans de Graaff gentoo-dev Security 2024-04-28 07:06:34 UTC
I've added the cleanup whiteboard status assuming that 1.24.x is also vulnerable and still needs to be removed. Please let us know if this is not the case.
Comment 5 Larry the Git Cow gentoo-dev 2024-05-29 22:58:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15ee8b9878108d89e4a0eae8770cc78d1466d287

commit 15ee8b9878108d89e4a0eae8770cc78d1466d287
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2024-05-29 22:50:37 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-05-29 22:53:39 +0000

    www-servers/nginx: drop 1.24.0-r3, 1.24.0-r4
    
    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest               |    2 -
 www-servers/nginx/nginx-1.24.0-r3.ebuild | 1066 -----------------------------
 www-servers/nginx/nginx-1.24.0-r4.ebuild | 1100 ------------------------------
 3 files changed, 2168 deletions(-)
Comment 6 Conrad Kostecki gentoo-dev 2024-05-29 22:58:52 UTC
I just have dropped 1.24.x from tree.
Comment 7 Larry the Git Cow gentoo-dev 2024-09-28 08:27:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=93155fde00088b123d8b46acf068ecadcf7bcfdb

commit 93155fde00088b123d8b46acf068ecadcf7bcfdb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 08:27:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 08:27:36 +0000

    [ GLSA 202409-32 ] nginx: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/924619
    Bug: https://bugs.gentoo.org/937938
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-32.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)