Nginx and CVE-2010-3864
mdounin at mdounin.ru
Thu Nov 18 03:12:06 MSK 2010
On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark Moseley wrote:
> I think I know the answer to this but since the consequences of
> misguessing are somewhat dire, I figured I'd better ask.
> For the advisory,
> are we nginx users safe if we're using one of the affected versions
> (and rechecking security.debian.org every 10 minutes) but only ever
> ssl_session_cache shared:sslache:....
> i.e. *not*: ssl_session_cache builtin:....
> From the wording of the advisory, it *sounds* like 'shared' bypasses
> the affected internal caching, but I wanted to be extra cautious.
> Clearly the right fix is to get openssl upgraded but until Debian gets
> their update out, it'd be good to know that nginx is not affected (at
> least with ssl_session_cache shared:...). Thanks!
nginx should be fine even if openssl's builtin session cache is
Both vulnerability information and code suggest that the issue only
affects multi-threaded programs (due to multiple threads changing
the same session at the same time). nginx isn't multi-threaded
and the race in question isn't possible.