Updated patch for CVE-2013-2070 ?
mdounin at mdounin.ru
Fri Jun 7 13:28:55 UTC 2013
On Fri, Jun 07, 2013 at 08:37:49AM +0200, Cyril Lavier wrote:
> As stated here
> (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164), the patch
> nginx developers wrote for fixing CVE-2013-2070 is not 100% correct C.
From a standards point of view - yes, the patch in question might
not be enough and the check might be, in theory, optimized out by
It's not a practical problem though.
> This is a big issue for us (I'm part of the nginx debian packaging
> team), because this patch can be applied on the Debian Wheezy's packages
> (1.2.1) but won't be accepted in the repositories because the patch can
> create new security issues.
The patch can't create new security issues as in the worst
(theoretical) case the check added will be optimized out by a