nginx security advisory (CVE-2014-3616)
Matt Palmer
mp+nginx at hezmatt.org
Thu Sep 18 09:18:28 UTC 2014
On Thu, Sep 18, 2014 at 11:14:06AM +0300, Christos Trochalakis wrote:
> Salvatore Bonaccorso (cc'd) of the Debian Security Team has prepared a
> combined patch backporting the upstream commit and other bits needed
> (ngx_ssl_certificate_index). He has uploaded the patch here:
>
> https://people.debian.org/~carnil/tmp/nginx/nginx_1.2.1-2.2+wheezy3.debdiff
> https://people.debian.org/~carnil/tmp/nginx/
>
> We would appreciate it if someone could double-check the patch.
Yeah, that ain't going to fly. The data behind ngx_ssl_certificate_index is
never getting initialized. Why don't you just use the patch I put together
for the LTS upload I did a couple of days ago?
- Matt