CVE-2021-23017 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Arbitrary code execution
Description	A security issue in nginx resolver was identified, which might allow an attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially, in arbitrary code execution. The issue only affects nginx if the "resolver" directive is used in the configuration file. Further, the attack is only possible if an attacker is able to forge UDP packets from the DNS server.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1988	nginx	1.20.0-1	1.20.1-1	Medium	Fixed
AVG-1987	nginx-mainline	1.19.10-1	1.21.0-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Jun 2021	ASA-202106-48	AVG-1987	nginx-mainline	Medium	arbitrary code execution
15 Jun 2021	ASA-202106-36	AVG-1988	nginx	Medium	arbitrary code execution

References
https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html http://nginx.org/download/patch.2021.resolver.txt https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf

References

https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
http://nginx.org/download/patch.2021.resolver.txt
https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf