Commit graph

4 commits

Author SHA1 Message Date
Markus Koschany
6d83f8075c Import Debian changes 1.14.2-2+deb10u5
nginx (1.14.2-2+deb10u5) buster-security; urgency=high
.
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-3618:
    ALPACA is an application layer protocol content confusion attack,
    exploiting TLS servers implementing different protocols but using
    compatible certificates, such as multi-domain or wildcard certificates. A
    MiTM attacker having access to victim's traffic at the TCP/IP layer can
    redirect traffic from one subdomain to another, resulting in a valid TLS
    session. This breaks the authentication of TLS and cross-protocol attacks
    may be possible where the behavior of one protocol service may compromise
    the other at the application layer.
  * Fix CVE-2022-41741 and CVE-2022-41742:
    It was discovered that parsing errors in the mp4 module of Nginx, a
    high-performance web and reverse proxy server, could result in denial of
    service, memory disclosure or potentially the execution of arbitrary code
    when processing a malformed mp4 file.
.
nginx (1.14.2-2+deb10u4) buster-security; urgency=medium
.
  * CVE-2021-23017 (Closes: #989095)
.
nginx (1.14.2-2+deb10u3) buster-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * bugfix: prevented request smuggling in the ngx.location.capture API
    (CVE-2020-11724) (Closes: #964950)
.
nginx (1.14.2-2+deb10u2) buster; urgency=medium
.
  * Handle CVE-2019-20372, error page request smuggling
    (Closes: #948579)
2022-11-26 18:34:32 +01:00
Christos Trochalakis
75d123cd1b http-lua: Upgrade to 0.10.13
2018-08-31 15:13:46 +03:00
Christos Trochalakis
5fb0700fb2 http-lua: Upgrade to 0.10.11
Rebase openssl-1.1.0 patch
2017-12-14 11:03:38 +02:00
Christos Trochalakis
515a80bc0a mod: Normalize module locations
Use the package name to infer module location. This
will make it easier to script our maintaining tasks.
2017-10-12 10:37:22 +03:00