[GLSA-202105-38] nginx: Remote code execution
A vulnerability in nginx could lead to remote code execution.
Background
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Description
It was discovered that nginx did not properly handle DNS responses when
the “resolver” directive is used.
Impact
A remote attacker, able to provide DNS responses to an nginx instance,
could cause the execution of arbitrary code with the privileges of the
process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.20.1"
All nginx mainline users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.21.0:mainline"
Package | Affected Version |
---|---|
pkg:ebuild/www-servers/nginx?distro=gentoo | < 1.21.0 |
Package | Unaffected Version |
---|---|
pkg:ebuild/www-servers/nginx?distro=gentoo | >= 1.20.1 |
pkg:ebuild/www-servers/nginx?distro=gentoo | >= 1.21.0 |
- ID
- GLSA-202105-38
- Severity
- high
- URL
- https://security.gentoo.org/glsa/202105-38
- Published
- 2021-05-26T00:00:00
- Modified
- 2021-05-26T00:00:00
- Rights
- Gentoo Foundation, Inc.
- Other Advisories
- ALAS-2021-1507
- ALPINE:CVE-2021-23017
- ALSA-2021:2259
- ALSA-2021:2290
- ALSA-2022:0323
- ASA-202106-36
- ASA-202106-48
- DSA-4921-1
- ELSA-2021-2259
- ELSA-2021-2290
- ELSA-2022-0323
- FEDORA-2021-393d698493
- FEDORA-2021-b37cffac0d
- FREEBSD:0882F019-BD60-11EB-9BDD-8C164567CA3C
- MS:CVE-2021-23017
- NGINX:CVE-2021-23017
- openSUSE-SU-2021:0835-1
- openSUSE-SU-2021:1815-1
- RHSA-2021:2259
- RHSA-2021:2290
- RHSA-2022:0323
- RLSA-2021:2259
- RLSA-2021:2290
- RLSA-2022:0323
- SUSE-SU-2021:1792-1
- SUSE-SU-2021:1814-1
- SUSE-SU-2021:1815-1
- SUSE-SU-2021:1839-1
- USN-4967-1
- USN-4967-2
Source | ID | Name | URL |
---|---|---|---|
CVE | CVE-2021-23017 | CVE-2021-23017 | https://nvd.nist.gov/vuln/detail/CVE-2021-23017 |
Bugzilla | 792087 | Bugzilla #792087 | https://bugs.gentoo.org/show_bug.cgi?id=792087 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:ebuild/www-servers/nginx?distro=gentoo | www-servers | nginx | < 1.21.0 | gentoo | | |
Unaffected | pkg:ebuild/www-servers/nginx?distro=gentoo | www-servers | nginx | >= 1.20.1 | gentoo | | |
Unaffected | pkg:ebuild/www-servers/nginx?distro=gentoo | www-servers | nginx | >= 1.21.0 | gentoo | | |