<html><head><base href="x-msg://789/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Apr 13, 2012, at 2:20 AM, Lukas Tribus wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; "><div dir="ltr">You are running a release which dates back to December 2010. The last release in the 0.8 train is from July 2011, while CVE-2011-4315 was fixed in November 2011. 
You can assume your version is vulnerable.<br><br>If you can't upgrade to current stable you will need to backport the bugfix to 0.8.<br><br><br>CVE-2011-4315 is missing on the nginx security advisories on<span class="Apple-converted-space"> </span><a href="http://nginx.org">nginx.org</a>, can someone add it?<br></div></div></span></blockquote><div><br></div><div>Thanks for spotting it's missing, we'll add it.</div><br><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div class="hmmessage" style="font-size: 10pt; font-family: Tahoma; "><div dir="ltr">BR,<br><br>Lukas<br><br><br><br><div><div id="SkyDrivePlaceholder"></div>> Date: Fri, 13 Apr 2012 00:11:23 +0200<br>> From:<span class="Apple-converted-space"> </span><a href="mailto:lists@ruby-forum.com">lists@ruby-forum.com</a><br>> To:<span class="Apple-converted-space"> </span><a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>> Subject: buffer overflow CVE-2011-4315<br>><span class="Apple-converted-space"> </span><br>> we are running nginx 0.8.54, I'm trying to pass PCI compliance testing<br>> they say this is vulnerable to a buffer overflow.<br>><span class="Apple-converted-space"> </span><br>> however when I try and find out if it is I can't seem to find out.<br>><span class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4315">http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4315</a><br>><span 
class="Apple-converted-space"> </span><br>><span class="Apple-converted-space"> </span><a href="http://www.securityfocus.com/bid/50710">http://www.securityfocus.com/bid/50710</a><br>><span class="Apple-converted-space"> </span><br>> these links don't show that my version has this flaw.<br>><span class="Apple-converted-space"> </span><br>> I'm hoping there is a link to show that this version is safe.<br>><span class="Apple-converted-space"> </span><br>> Thanks<br>><span class="Apple-converted-space"> </span><br>> Stephen<br>><span class="Apple-converted-space"> </span><br>> --<span class="Apple-converted-space"> </span><br>> Posted via<span class="Apple-converted-space"> </span><a href="http://www.ruby-forum.com/">http://www.ruby-forum.com/</a>.<br>><span class="Apple-converted-space"> </span><br>> _______________________________________________<br>> nginx mailing list<br>><span class="Apple-converted-space"> </span><a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>><span class="Apple-converted-space"> </span><a href="http://mailman.nginx.org/mailman/listinfo/nginx">http://mailman.nginx.org/mailman/listinfo/nginx</a><br></div></div></div></span></blockquote></div><br></body></html>