nginx security advisory (CVE-2014-3616)

Matt Palmer mp+nginx at hezmatt.org
Thu Sep 18 09:18:28 UTC 2014


On Thu, Sep 18, 2014 at 11:14:06AM +0300, Christos Trochalakis wrote:
> Salvatore Bonaccorso (cc'd) of the Debian Security Team has prepared a
> combined patch backporting the upstream commit and other bits needed
> (ngx_ssl_certificate_index). He has uploaded the patch here:
> 
> https://people.debian.org/~carnil/tmp/nginx/nginx_1.2.1-2.2+wheezy3.debdiff
> https://people.debian.org/~carnil/tmp/nginx/
> 
> We would appreciate it if someone could double-check the patch.

Yeah, that ain't going to fly.  The data behind ngx_ssl_certificate_index is
never getting initialized.  Why don't you just use the patch I put together
for the LTS upload I did a couple of days ago?

- Matt



More information about the nginx-devel mailing list