nginx security advisory (CVE-2014-3616)

Matt Palmer mp+nginx at
Thu Sep 18 09:18:28 UTC 2014

On Thu, Sep 18, 2014 at 11:14:06AM +0300, Christos Trochalakis wrote:
> Salvatore Bonaccorso (cc'd) of the Debian Security Team has prepared a
> combined patch backporting the upstream commit and other bits needed
> (ngx_ssl_certificate_index). He has uploaded the patch here:
> We would appreciate it if someone could double-check the patch.

Yeah, that ain't going to fly.  The data behind ngx_ssl_certificate_index is
never getting initialized.  Why don't you just use the patch I put together
for the LTS upload I did a couple of days ago?

- Matt
