
Debian LTS: DLA-4091-1: nginx Security Advisory Updates

March 25, 2025
Debian LTS advisory DLA-4091-1 addresses security risks in nginx with recommended updates to mitigate threats.
This upload fixes two security issues in the version of nginx shipped in bullseye.

Summary

CVE-2024-7347

Nginx has a vulnerability in the ngx_http_mp4_module, which might
allow an attacker to over-read nginx worker memory resulting in
its termination using a specially crafted mp4 file. The issue only
affects nginx if it is built with the ngx_http_mp4_module and the
mp4 directive is used in the configuration file. Additionally, the
attack is possible only if an attacker can trigger the processing
of a specially crafted mp4 file with the ngx_http_mp4_module.

CVE-2025-23419

When multiple server blocks are configured to share the same
IP address and port, an attacker can use session resumption
to bypass client certificate authentication requirements on
these servers. This vulnerability arises when TLS Session Tickets
and/or the SSL session cache are used in the default server and
the default server is performing client certificate authentication.
This issue did not affect ngx_stream_ssl_module in bullseye since
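As an added illustration (not part of the advisory), the configuration pattern the CVE-2025-23419 description refers to, beside a default-server variant that removes the stated precondition by turning off session resumption; hostnames, certificate paths and the cache name are placeholders, and the package update remains the actual fix.

```nginx
# Affected pattern: two server blocks share the same IP:port, the default
# server enforces client certificate authentication, and it also keeps
# resumption state (shared session cache and/or session tickets).
server {
    listen 443 ssl default_server;
    server_name mtls.example.invalid;                      # placeholder

    ssl_certificate        /etc/nginx/certs/server.pem;    # placeholder
    ssl_certificate_key    /etc/nginx/certs/server.key;    # placeholder
    ssl_client_certificate /etc/nginx/certs/client-ca.pem; # placeholder
    ssl_verify_client      on;

    ssl_session_cache   shared:TLS:10m;   # resumption state kept
    ssl_session_tickets on;               # default value, tickets issued
}

server {
    listen 443 ssl;
    server_name public.example.invalid;                    # placeholder

    ssl_certificate     /etc/nginx/certs/server.pem;       # placeholder
    ssl_certificate_key /etc/nginx/certs/server.key;       # placeholder
    # No ssl_verify_client here: this block does not require a client cert.
}

# Hardened default server: with neither a session cache nor tickets, the
# precondition named in the advisory (resumption state in a default server
# that performs client certificate authentication) no longer holds.
server {
    listen 443 ssl default_server;
    server_name mtls.example.invalid;                      # placeholder

    ssl_certificate        /etc/nginx/certs/server.pem;    # placeholder
    ssl_certificate_key    /etc/nginx/certs/server.key;    # placeholder
    ssl_client_certificate /etc/nginx/certs/client-ca.pem; # placeholder
    ssl_verify_client      on;

    ssl_session_cache   off;
    ssl_session_tickets off;
}
```

Validate a change with `nginx -t` before reloading; disabling resumption costs a full handshake per new connection to the mTLS server.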

Severity: critical

Package: nginx
Version: 1.18.0-6.1+deb11u4
CVE ID: CVE-2024-7347 CVE-2025-23419
