[ALAS-2023-1665] Amazon Linux AMI 2014.03 - ALAS-2023-1665: medium priority package update for nginx
Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2022-41742:
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
CVE-2022-41741:
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
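Both descriptions tie exposure to three conditions: an nginx package older than the fixed build, a binary built with ngx_http_mp4_module, and an active mp4 directive. The script below is an added example, not part of the advisory, that triages a host on those conditions. Its function names, verdict strings and sample inputs are constructed for illustration, and it assumes GNU `sort -V` is close enough to rpm ordering for these builds.

```bash
#!/usr/bin/env bash
# Added example: exposure triage for CVE-2022-41741 / CVE-2022-41742.
FIXED_EVR='1.18.0-1.44.amzn1'   # fixed nginx build listed in this advisory

# True if installed version-release ($1) sorts before FIXED_EVR.
# Assumption: GNU `sort -V` approximates rpm ordering for amzn1 nginx builds.
is_older_than_fix() {
    [ "$1" != "$FIXED_EVR" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED_EVR" | sort -V | head -n1)" = "$1" ]
}

# True if `nginx -V` output ($1) shows ngx_http_mp4_module compiled in.
has_mp4_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# True if a config dump ($1) has an uncommented `mp4;` directive.
# mp4_buffer_size and similar directives do not enable the module by themselves.
uses_mp4_directive() {
    printf '%s\n' "$1" | sed 's/#.*//' | grep -Eq '(^|[[:space:];{])mp4[[:space:]]*;'
}

# Verdict from: version-release, `nginx -V` text, config text.
triage() {
    if ! is_older_than_fix "$1"; then echo "patched"
    elif ! has_mp4_module "$2"; then echo "unpatched-module-not-built"
    elif ! uses_mp4_directive "$3"; then echo "unpatched-mp4-not-configured"
    else echo "exposed"
    fi
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_V='nginx version: nginx/1.18.0
configure arguments: --prefix=/usr/share/nginx --with-http_mp4_module'
SAMPLE_CONF='server {
    location /video/ {
        mp4;                  # enables the module for this location
        mp4_buffer_size 1m;
    }
}'
triage '1.18.0-1.43.amzn1' "$SAMPLE_V" "$SAMPLE_CONF"

# On a live host:
# triage "$(rpm -q --qf '%{VERSION}-%{RELEASE}' nginx)" "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
```

Any verdict other than `patched` still calls for the package update; the two intermediate verdicts only indicate that the vulnerable code path is not currently reachable through configuration.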
- ID: ALAS-2023-1665
- Severity: medium
- URL: https://alas.aws.amazon.com/ALAS-2023-1665.html
- Published: 2023-01-18T20:56:00
- Modified: 2023-01-24T17:23:00
- Rights: Amazon Linux Security Team
- Other Advisories:
  - ALPINE:CVE-2022-41741
  - ALPINE:CVE-2022-41742
  - DSA-5281-1
  - FEDORA-2022-12721789aa
  - FEDORA-2022-97de53f202
  - FEDORA-2022-b0f5bc2175
  - FREEBSD:676D4F16-4FB3-11ED-A374-8C164567CA3C
  - MS:CVE-2022-41741
  - MS:CVE-2022-41742
  - NGINX:CVE-2022-41741
  - NGINX:CVE-2022-41742
  - SUSE-SU-2023:0205-1
  - SUSE-SU-2023:0210-1
  - SUSE-SU-2023:0212-1
  - SUSE-SU-2023:0293-1
  - USN-5722-1
Source | ID | Name | URL |
---|---|---|---|
CVE | CVE-2022-41741 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741 |
CVE | CVE-2022-41742 | | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:rpm/amazonlinux/nginx?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-stream?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-stream | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-stream?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-stream | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-mail?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-mail | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-mail?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-mail | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-xslt-filter?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-xslt-filter | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-xslt-filter?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-xslt-filter | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-perl?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-perl | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-perl?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-perl | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-image-filter?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-image-filter | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-image-filter?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-image-filter | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-geoip?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-geoip | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-mod-http-geoip?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-mod-http-geoip | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-debuginfo?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-debuginfo | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-debuginfo?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-debuginfo | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 | |
Affected | pkg:rpm/amazonlinux/nginx-all-modules?arch=x86_64&distro=amazonlinux-1 | amazonlinux | nginx-all-modules | < 1.18.0-1.44.amzn1 | amazonlinux-1 | x86_64 | |
Affected | pkg:rpm/amazonlinux/nginx-all-modules?arch=i686&distro=amazonlinux-1 | amazonlinux | nginx-all-modules | < 1.18.0-1.44.amzn1 | amazonlinux-1 | i686 |