Nginx and CVE-2010-3864
moseleymark at gmail.com
Thu Nov 18 03:52:31 MSK 2010
On Wed, Nov 17, 2010 at 4:12 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark Moseley wrote:
>> I think I know the answer to this but since the consequences of
>> misguessing are somewhat dire, I figured I'd better ask.
>> For the advisory,
>> are we nginx users safe if we're using one of the affected versions
>> (and rechecking security.debian.org every 10 minutes) but only ever
>> ssl_session_cache shared:sslache:....
>> i.e. *not*: ssl_session_cache builtin:....
>> >From the wording of the advisory, it *sounds* like 'shared' bypasses
>> the affected internal caching, but I wanted to be extra cautious.
>> Clearly the right fix is to get openssl upgraded but until Debian gets
>> their update out, it'd be good to know that nginx is not affected (at
>> least with ssl_session_cache shared:...). Thanks!
> nginx should be fine even if openssl's builtin session cache is
> Both vulnerability information and code suggests that issue only
> affects multi-threaded programs (due to multiple threads changing
> the same session at the same time). nginx isn't multi-threaded
> and the race in question isn't possible.
> Maxim Dounin
> nginx mailing list
> nginx at nginx.org
Excellent, thanks for the info. I'd forgotten nginx was event-based,
not threaded. That is a relief :)
More information about the nginx