All nginx security issues should be reported to security-alert@nginx.org.
Patches are signed using one of the PGP public keys.
NULL pointer dereference in HTTP/3
Severity: major
Advisory
CVE-2024-24989
Not vulnerable: 1.25.4+
Vulnerable: 1.25.3
Use-after-free in HTTP/3
Severity: major
Advisory
CVE-2024-24990
Not vulnerable: 1.25.4+
Vulnerable: 1.25.0-1.25.3
Memory corruption in the ngx_http_mp4_module
Severity: medium
Advisory
CVE-2022-41741
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
The patch pgp
Memory disclosure in the ngx_http_mp4_module
Severity: medium
Advisory
CVE-2022-41742
Not vulnerable: 1.23.2+, 1.22.1+
Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
The patch pgp
1-byte memory overwrite in resolver
Severity: medium
Advisory
CVE-2021-23017
Not vulnerable: 1.21.0+, 1.20.1+
Vulnerable: 0.6.18-1.20.0
The patch pgp
Excessive CPU usage in HTTP/2 with small window updates
Severity: medium
Advisory
CVE-2019-9511
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
Excessive CPU usage in HTTP/2 with priority changes
Severity: low
Advisory
CVE-2019-9513
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
Excessive memory usage in HTTP/2 with zero length headers
Severity: low
Advisory
CVE-2019-9516
Not vulnerable: 1.17.3+, 1.16.1+
Vulnerable: 1.9.5-1.17.2
Excessive memory usage in HTTP/2
Severity: low
Advisory
CVE-2018-16843
Not vulnerable: 1.15.6+, 1.14.1+
Vulnerable: 1.9.5-1.15.5
Excessive CPU usage in HTTP/2
Severity: low
Advisory
CVE-2018-16844
Not vulnerable: 1.15.6+, 1.14.1+
Vulnerable: 1.9.5-1.15.5
Memory disclosure in the ngx_http_mp4_module
Severity: medium
Advisory
CVE-2018-16845
Not vulnerable: 1.15.6+, 1.14.1+
Vulnerable: 1.1.3-1.15.5, 1.0.7-1.0.15
The patch pgp
Integer overflow in the range filter
Severity: medium
Advisory
CVE-2017-7529
Not vulnerable: 1.13.3+, 1.12.1+
Vulnerable: 0.5.6-1.13.2
The patch pgp
NULL pointer dereference while writing client request body
Severity: medium
Advisory
CVE-2016-4450
Not vulnerable: 1.11.1+, 1.10.1+
Vulnerable: 1.3.9-1.11.0
The patch pgp (for 1.9.13-1.11.0)
The patch pgp (for 1.3.9-1.9.12)
Invalid pointer dereference in resolver
Severity: medium
Advisory
CVE-2016-0742
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9
Use-after-free during CNAME response processing in resolver
Severity: medium
Advisory
CVE-2016-0746
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9
Insufficient limits of CNAME resolution in resolver
Severity: medium
Advisory
CVE-2016-0747
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9
SSL session reuse vulnerability
Severity: medium
Advisory
CVE-2014-3616
Not vulnerable: 1.7.5+, 1.6.2+
Vulnerable: 0.5.6-1.7.4
STARTTLS command injection
Severity: medium
Advisory
CVE-2014-3556
Not vulnerable: 1.7.4+, 1.6.1+
Vulnerable: 1.5.6-1.7.3
The patch pgp
SPDY heap buffer overflow
Severity: major
Advisory
CVE-2014-0133
Not vulnerable: 1.5.12+, 1.4.7+
Vulnerable: 1.3.15-1.5.11
The patch pgp
SPDY memory corruption
Severity: major
Advisory
CVE-2014-0088
Not vulnerable: 1.5.11+
Vulnerable: 1.5.10
The patch pgp
Request line parsing vulnerability
Severity: medium
Advisory
CVE-2013-4547
Not vulnerable: 1.5.7+, 1.4.4+
Vulnerable: 0.8.41-1.5.6
The patch pgp
Memory disclosure with specially crafted HTTP backend responses
Severity: medium
Advisory
CVE-2013-2070
Not vulnerable: 1.5.0+, 1.4.1+, 1.2.9+
Vulnerable: 1.1.4-1.2.8, 1.3.9-1.4.0
The patch pgp (for 1.3.9-1.4.0)
The patch pgp (for 1.1.4-1.2.8)
Stack-based buffer overflow with specially crafted request
Severity: major
Advisory
CVE-2013-2028
Not vulnerable: 1.5.0+, 1.4.1+
Vulnerable: 1.3.9-1.4.0
The patch pgp
Vulnerabilities with Windows directory aliases
Severity: medium
Advisory
CVE-2011-4963
Not vulnerable: 1.3.1+, 1.2.1+
Vulnerable: nginx/Windows 0.7.52-1.3.0
Buffer overflow in the ngx_http_mp4_module
Severity: major
Advisory
CVE-2012-2089
Not vulnerable: 1.1.19+, 1.0.15+
Vulnerable: 1.1.3-1.1.18, 1.0.7-1.0.14
The patch pgp
Memory disclosure with specially crafted backend responses
Severity: major
Advisory
CVE-2012-1180
Not vulnerable: 1.1.17+, 1.0.14+
Vulnerable: 0.1.0-1.1.16
The patch pgp
Buffer overflow in resolver
Severity: medium
CVE-2011-4315
Not vulnerable: 1.1.8+, 1.0.10+
Vulnerable: 0.6.18-1.1.7
Vulnerabilities with invalid UTF-8 sequence on Windows
Severity: major
CVE-2010-2266
Not vulnerable: 0.8.41+, 0.7.67+
Vulnerable: nginx/Windows 0.7.52-0.8.40
Vulnerabilities with Windows file default stream
Severity: major
CVE-2010-2263
Not vulnerable: 0.8.40+, 0.7.66+
Vulnerable: nginx/Windows 0.7.52-0.8.39
Vulnerabilities with Windows 8.3 filename pseudonyms
Severity: major
CORE-2010-0121
Not vulnerable: 0.8.33+, 0.7.65+
Vulnerable: nginx/Windows 0.7.52-0.8.32
Error log data are not sanitized
Severity: none
CVE-2009-4487
Not vulnerable: none
Vulnerable: all
The renegotiation vulnerability in SSL protocol
Severity: major
VU#120541 CVE-2009-3555
Not vulnerable: 0.8.23+, 0.7.64+
Vulnerable: 0.1.0-0.8.22
The patch pgp
Directory traversal vulnerability
Severity: minor
CVE-2009-3898
Not vulnerable: 0.8.17+, 0.7.63+
Vulnerable: 0.1.0-0.8.16
Buffer underflow vulnerability
Severity: major
VU#180065 CVE-2009-2629
Not vulnerable: 0.8.15+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.14
The patch pgp
Null pointer dereference vulnerability
Severity: major
CVE-2009-3896
Not vulnerable: 0.8.14+, 0.7.62+, 0.6.39+, 0.5.38+
Vulnerable: 0.1.0-0.8.13
The patch pgp