Nginx Debian vulnerabilities
mdounin at team.vega.ru
Thu Aug 12 23:44:00 MSD 2010
On Thu, Aug 12, 2010 at 05:10:16PM +0200, Mesaya at gmx.de wrote:
> Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent debian lenny packet?
> # nginx -v
> nginx version: nginx/0.6.32
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?
it has applied patches for CVE-2009-2629 (VU#180065) and
The following remain:
- CVE-2009-3555 - you have to ensure your OpenSSL installation is
safe if you are using ssl (most likely it is - the patch was
released before fixed OpenSSL was widely available)
- CVE-2009-3898 - you shouldn't expose webdav module to untrusted
They aren't critical (well, CVE-2009-3555 is, but you are likely
to have it patched in OpenSSL itself) but it's probably a good idea to
upgrade anyway if you are planning to use nginx for something
serious. 0.6.32 is just way too old.
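
Because a distribution backports fixes without changing the upstream version that `nginx -v` prints, the package changelog is the place to check which CVEs a build covers. The following is an added example, not part of the original post: the function name `cve_status` is hypothetical, the sample changelog is constructed, and on a Debian system the real text would normally come from `zcat /usr/share/doc/nginx/changelog.Debian.gz`.

```shell
#!/bin/sh
# Constructed sample changelog (newest entry first, as in Debian changelogs).
SAMPLE_CHANGELOG='nginx (0.0.0-2+example2) stable-security; urgency=high

  * Unrelated packaging change.

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000

nginx (0.0.0-2+example1) stable-security; urgency=high

  * Backport upstream patch for CVE-2009-2629.

 -- Example Maintainer <maint@example.invalid>  Thu, 01 Jan 1970 00:00:00 +0000'

# cve_status CHANGELOG_TEXT CVE-ID...
# For each CVE id, print the earliest package revision whose changelog entry
# mentions it, or "not-mentioned". A mention records a backported patch;
# "not-mentioned" means manual review (the fix may live in another package,
# as with CVE-2009-3555 and OpenSSL).
cve_status() {
    changelog=$1; shift
    for cve in "$@"; do
        printf '%s\n' "$changelog" | awk -v cve="$cve" '
            # Entry header: "package (version) distribution; urgency=..."
            /^[a-z0-9][a-z0-9.+-]* \(/ {
                ver = $2; gsub(/[()]/, "", ver)
            }
            # Whole-token compare so CVE-2009-2629 does not match CVE-2009-26290.
            {
                n = split($0, tok, /[^A-Za-z0-9-]+/)
                for (i = 1; i <= n; i++)
                    if (toupper(tok[i]) == cve) found = ver
            }
            END { print cve, (found != "" ? "mentioned-in " found : "not-mentioned") }
        '
    done
}

# Check the three CVE ids named in this thread against the sample changelog.
cve_status "$SAMPLE_CHANGELOG" CVE-2009-2629 CVE-2009-3555 CVE-2009-3898
```
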