[nginx-announce] nginx security advisory (CVE-2014-3616)

Christos Trochalakis yatiohi at ideopolis.gr
Thu Sep 18 08:14:06 UTC 2014


On Wed, Sep 17, 2014 at 10:58:40AM +0300, Christos Trochalakis wrote:
>On Tue, Sep 16, 2014 at 06:47:20PM +0400, Maxim Dounin wrote:
>>Hello!
>>
>>A problem with SSL session cache in nginx was identified by Antoine
>>Delignat-Lavaud.  It was possible to reuse cached SSL sessions in
>>unrelated contexts, allowing virtual host confusion attacks in some
>>configurations by an attacker in a privileged network position
>>(CVE-2014-3616).
>>
>>The problem affects nginx 0.5.6 - 1.7.4 if the same shared
>>ssl_session_cache and/or ssl_session_ticket_key are used for multiple
>>server{} blocks.
>>
>>The problem is fixed in nginx 1.7.5, 1.6.2.
>>
>>Further details can be found in the paper by Antoine Delignat-Lavaud
>>et al., available at http://bh.ht.vc/vhost_confusion.pdf.
>>
>
>Hello all,
>
>I am one of the debian nginx maintainers. Is it possible to provide a
>patch for nginx-1.2 series since the relevant commit is not backportable
>as-is?
>
>Debian stable (wheezy) comes with nginx 1.2 and unfortunately only
>security fixes are allowed.
>
>Ubuntu might have a similar problem, although I have not checked the
>applicability of the patch there (Ubuntu comes with nginx-1.4).
>
>Thank you,
>chris
>

Salvatore Bonaccorso (cc'd) of the Debian Security Team has prepared a
combined patch backporting the upstream commit and other bits needed
(ngx_ssl_certificate_index). He has uploaded the patch here:

https://people.debian.org/~carnil/tmp/nginx/nginx_1.2.1-2.2+wheezy3.debdiff
https://people.debian.org/~carnil/tmp/nginx/

We would appreciate it if someone could double-check the patch.

Thank you,
chris



More information about the nginx-devel mailing list