Synopsis:
nginx security updateSummary:
An update for nginx is now available for openEuler-22.03-LTS-SP4Description:
NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server.
Security Fix(es):
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.(CVE-2026-42945)Topic:
An update for nginx is now available for openEuler-22.03-LTS-SP4.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:
HighAffected Component:
nginx
1.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp41.21.5-13.oe2203sp4Exploitability
AV:NAC:HPR:NUI:NScope
S:UImpact
C:HI:HA:H8.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H