{
  "id": "openEuler-SA-2022-2023",
  "url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2022-2023",
  "title": "An update for nginx is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS",
  "severity": "Important",
  "description": "NGINX is a free, open-source, high-performance HTTP server and reverse proxy,as well as an IMAP/POP3 proxy server.\r\n\r\nSecurity Fix(es):\r\n\r\nNGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.(CVE-2022-41742)\r\n\r\nNGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.(CVE-2022-41741)",
  "cves": [
    {
      "id": "CVE-2022-41741",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41741",
      "severity": "Important"
    }
  ]
}