http://nginx.org/en/CHANGES

Changes with nginx 1.25.4                                        14 Feb 2024

    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c67aacaa0cdf0181c71042f49dce7dc8b23c2e08

commit c67aacaa0cdf0181c71042f49dce7dc8b23c2e08
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2024-02-15 04:03:04 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-15 13:17:10 +0000

    www-servers/nginx: add 1.25.4

    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-servers/nginx/Manifest | 1 +
 www-servers/nginx/nginx-1.25.4.ebuild | 1112 +++++++++++++++++++++++++++++++++
 2 files changed, 1113 insertions(+)

Please stabilize when ready, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf4dd40ab44f6407164eeee7d5189602b7f295be

commit cf4dd40ab44f6407164eeee7d5189602b7f295be
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2024-04-24 12:38:37 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2024-04-24 12:41:47 +0000

    www-servers/nginx: drop 1.25.3, 1.25.3-r1

    Bug: https://bugs.gentoo.org/924619
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 www-servers/nginx/Manifest | 1 -
 www-servers/nginx/nginx-1.25.3-r1.ebuild | 1112 ------------------------------
 www-servers/nginx/nginx-1.25.3.ebuild | 1078 -----------------------------
 3 files changed, 2191 deletions(-)

I've added the cleanup whiteboard status assuming that 1.24.x is also vulnerable and still needs to be removed. Please let us know if this is not the case.