Nginx Debian vulnerabilities
Maxim Dounin
mdounin at team.vega.ru
Thu Aug 12 23:44:00 MSD 2010
Hello!
On Thu, Aug 12, 2010 at 05:10:16PM +0200, Mesaya at gmx.de wrote:
> Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent Debian lenny package?
>
> # nginx -v
> nginx version: nginx/0.6.32
>
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?
According to
http://patch-tracker.debian.org/package/nginx/0.6.32-3+lenny3
it has applied patches for CVE-2009-2629 (VU#180065) and
CVE-2009-3896.
The following remain:
- CVE-2009-3555 - you have to ensure your OpenSSL installation is
safe if you are using ssl (most likely it is - the patch was
released before fixed OpenSSL was widely available)
- CVE-2009-3898 - you shouldn't expose webdav module to untrusted
users
They aren't critical (well, CVE-2009-3555 is, but you likely
have it patched in OpenSSL itself) but it's probably a good idea to
upgrade anyway if you are planning to use nginx for something
serious. 0.6.32 is just way too old.
Maxim Dounin
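
Added example, not part of the original message: the same comparison done locally against a package changelog, since a distribution package keeps the upstream version string while carrying backported fixes. The changelog excerpt is constructed, the function names are hypothetical, and the CVE list is the one named in the reply.

```shell
#!/bin/sh
# List which advisory CVEs a Debian package changelog does not mention.
# `nginx -v` still prints nginx/0.6.32 after security uploads, so the
# version string alone cannot answer "am I patched?".

# CVEs named in the reply above.
ADVISORY_CVES="CVE-2009-2629 CVE-2009-3896 CVE-2009-3555 CVE-2009-3898"

# Constructed changelog excerpt. The layout follows the Debian changelog
# format; the entry text and maintainer are made up for this example.
sample_changelog() {
cat <<'EOF'
nginx (0.6.32-3+lenny3) stable-security; urgency=high

  * Backported fix for CVE-2009-2629 (constructed entry text).
  * Backported fix for CVE-2009-3896 (constructed entry text).

 -- Constructed Maintainer <maintainer@example.org>  Thu, 01 Jan 2009 00:00:00 +0000
EOF
}

# Read changelog text on stdin; print every CVE given as an argument
# that the changelog does not mention, one per line, in argument order.
unaddressed_cves() {
    # Exact CVE ids found in the changelog, deduplicated.
    fixed=$(grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u) || true
    for cve in "$@"; do
        # -x and -F force a whole-line literal match, so CVE-2009-389
        # can never be satisfied by CVE-2009-3896.
        printf '%s\n' "$fixed" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# Demo on the constructed excerpt. On a real Debian system the input
# would be: zcat /usr/share/doc/nginx/changelog.Debian.gz
echo "Not mentioned in changelog:"
sample_changelog | unaddressed_cves $ADVISORY_CVES
```

A CVE missing from the changelog is a prompt to look further, not a verdict: as the reply notes, CVE-2009-3555 depends on the installed OpenSSL and CVE-2009-3898 on whether the webdav module is exposed to untrusted users.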