| author | Jochen Neumeister <joneum@FreeBSD.org> | 2026-03-26 21:06:44 +0000 |
|---|---|---|
| committer | Jochen Neumeister <joneum@FreeBSD.org> | 2026-03-26 21:08:40 +0000 |
| commit | 2ce2108cbf8791a60e72c04f4ef3b6ec85baedea (patch) | |
| tree | 08e23a702d23206a4ae263409e57322e83f2f89d /sysutils/py-azure-cli-telemetry | |
| parent | 6481257f531ef599b4034e270971b9eb0dc76e44 (diff) | |
Changes with nginx 1.28.3 24 Mar 2026
*) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654).
Thanks to Calif.io in collaboration with Claude and Anthropic Research.
*) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module on 32-bit platforms might cause a worker process crash, or might have potential other impact (CVE-2026-27784).
Thanks to Prabhav Srinath (sprabhav7).
*) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, or might have potential other impact (CVE-2026-32647).
Thanks to Xint Code and Pavel Kohout (Aisle Research).
*) Security: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651).
Thanks to Arkadi Vainbrand.
*) Security: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753).
Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou University).
*) Security: SSL handshake might succeed despite OCSP rejecting a client certificate in the stream module (CVE-2026-28755).
Thanks to Mufeed VH of Winfunc Research.
*) Change: now nginx limits the size and rate of QUIC stateless reset packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Thanks to Andrew Lacambra.
Sponsored by: Netzkommune GmbH
Diffstat (limited to 'sysutils/py-azure-cli-telemetry')
0 files changed, 0 insertions, 0 deletions
