nginx-announce May 2013

nginx-announce@nginx.org

1 participants
5 discussions

nginx security advisory (CVE-2013-2070)

by Maxim Dounin

Hello! A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server. The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0. The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9 was released to address the issue in the 1.2.x legacy branch. Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028: http://nginx.org/download/patch.2013.chunked.txt Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8) can be found here: http://nginx.org/download/patch.2013.proxy.txt -- Maxim Dounin http://nginx.org/en/donation.html

9 years, 6 months

nginx-1.2.9

by Maxim Dounin

Changes with nginx 1.2.9 13 May 2013 *) Security: contents of worker process memory might be sent to a client if HTTP backend returned specially crafted response (CVE-2013-2070); the bug had appeared in 1.1.4. -- Maxim Dounin http://nginx.org/en/donation.html

9 years, 6 months

nginx security advisory (CVE-2013-2028)

by Maxim Dounin

Hello! Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028). The problem affects nginx 1.3.9 - 1.4.0. The problem is fixed in nginx 1.5.0, 1.4.1. Patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt As a temporary workaround the following configuration can be used in each server{} block: if ($http_transfer_encoding ~* chunked) { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html

9 years, 6 months

nginx-1.4.1

by Maxim Dounin

Changes with nginx 1.4.1 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin http://nginx.org/en/donation.html

9 years, 6 months

nginx-1.5.0

by Maxim Dounin

Changes with nginx 1.5.0 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. -- Maxim Dounin http://nginx.org/en/donation.html

9 years, 6 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-announce May 2013