This upload fixes two security issues in the version of nginx shipped in bullseye.
CVE-2024-7347
Nginx has a vulnerability in the ngx_http_mp4_module, which might
allow an attacker to over-read nginx worker memory resulting in
its termination using a specially crafted mp4 file. The issue only
affects nginx if it is built with the ngx_http_mp4_module and the
mp4 directive is used in the configuration file. Additionally, the
attack is possible only if an attacker can trigger the processing
of a specially crafted mp4 file with the ngx_http_mp4_module.
CVE-2025-23419
When multiple server blocks are configured to share the same
IP address and port, an attacker can use session resumption
to bypass client certificate authentication requirements on
these servers. This vulnerability arises when TLS Session Tickets
and/or the SSL session cache are used in the default server and
the default server is performing client certificate authentication.
This issue did not affect ngx_stream_ssl_module in bullseye since
the stream virtual servers functionality was added in a later
release.
1.18.0-6.1+deb11u4
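
To check whether a given configuration meets the conditions described above, the following added example (not part of the original advisory or of nginx) scans nginx configuration text for use of the mp4 directive and for listen addresses shared by several server blocks whose default server requests client certificates. It is a simplified parser: the sample configuration is constructed, and the script assumes a single file with no include directives, no quoted strings, no ssl_verify_client inherited from the http level, and listen addresses written identically in each block.

```python
import re

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """
http {
  server { listen 443 ssl default_server; server_name a.example; ssl_verify_client on; }
  server { listen 443 ssl; server_name b.example; location /video/ { mp4; } }
  server { listen 8443 ssl; server_name c.example; ssl_verify_client on; }
}
"""

def parse(text):
    # Nested (name, args, children) tuples; quoted strings are not handled.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text))
    def block(i):
        nodes, words = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "}":
                break
            if tok not in ("{", ";"):
                words.append(tok)
                continue
            children, i = block(i) if tok == "{" else ([], i)
            if words:
                nodes.append((words[0], words[1:], children))
            words = []
        return nodes, i
    return block(0)[0]

def walk(nodes):
    for node in nodes:
        yield node
        yield from walk(node[2])

def audit(text):
    # Flags the two configuration conditions the advisory names.
    tree = parse(text)
    by_listen = {}  # listen address -> [(is_default_server, verifies_client), ...]
    for _, _, children in (n for n in walk(tree) if n[0] == "server"):
        verify = any(n == "ssl_verify_client" and a[:1] != ["off"] for n, a, _ in children)
        for n, a, _ in children:
            if n == "listen" and a:
                by_listen.setdefault(a[0], []).append(("default_server" in a, verify))
    # Default server: the block marked default_server, otherwise the first one listed.
    exposed = sorted(
        addr for addr, servers in by_listen.items()
        if len(servers) > 1 and next((s for s in servers if s[0]), servers[0])[1])
    return {"mp4_directive": any(n == "mp4" for n, _, _ in walk(tree)),
            "shared_listen_client_cert_default": exposed}
```

Calling audit(SAMPLE) reports the mp4 directive as present and listen address 443 as shared with a client-certificate default server; the block on 8443 is not flagged because no other server block shares it.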