Strange advisory

Kurt Cancemi kurt at x64architecture.com
Sat May 10 19:41:27 UTC 2014


Hello,

This has not been fixed in current nginx releases, and it is not
directly related to nginx either; the problem is that outdated terminal
emulators would parse the potentially malicious commands in the log
file. This answer, http://unix.stackexchange.com/a/15210, explains it
better.

---
Regards,
Kurt Cancemi


On Sat, May 10, 2014 at 2:59 PM, B.R. <reallfqq-nginx at yahoo.fr> wrote:
> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
>
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?
> ---
> B. R.



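
One way to read such a log without letting the terminal interpret what is in it, as an added example that is not part of the original thread and not nginx code: control characters are rewritten as visible `\xNN` text before printing, and changed lines are flagged. The names `neutralize`, `scan` and `SAMPLE` are assumptions of this example, and the sample log lines are constructed.

```python
import re

# Characters a terminal may act on: C0 controls (tab excepted), DEL and C1 controls.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

def neutralize(raw: bytes) -> str:
    """Return one log line in a form that is safe to print to a terminal."""
    # Bytes that are not valid UTF-8 (a bare 0x9b, say) come out as literal \xNN text.
    text = raw.decode("utf-8", errors="backslashreplace")
    # Decoded control characters are rewritten the same way instead of being emitted.
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def scan(log: bytes):
    """Return (line_number, flagged, printable_line) for every non-empty line."""
    rows = []
    for number, raw in enumerate(log.split(b"\n"), 1):
        if raw:
            safe = neutralize(raw)
            # Flag any line that had to be changed to become printable.
            rows.append((number, safe.encode("utf-8") != raw, safe))
    return rows

# Constructed sample, shaped like error-log entries; not taken from a real server.
SAMPLE = (
    b'2014/05/10 19:41:27 [error] 1#0: *1 open() "/srv/a" failed, request: "GET /a HTTP/1.1"\n'
    b'2014/05/10 19:41:28 [error] 1#0: *2 open() "/srv/\x1b[31mb" failed, request: "GET /\x1b[31mb HTTP/1.1"\n'
    b'2014/05/10 19:41:29 [error] 1#0: *3 open() "/srv/\x9bc" failed, request: "GET /\x9bc HTTP/1.1"\n'
)

if __name__ == "__main__":
    for number, flagged, line in scan(SAMPLE):
        print("!" if flagged else " ", number, line)
```

Valid multi-byte UTF-8 text and tabs pass through unchanged, so ordinary log lines are not flagged.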