[nginx-announce] nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)
Andrew Hutchings
ahutchings at nginx.com
Tue Jan 26 19:49:21 UTC 2016
Hi Christos,
On 26/01/16 19:11, Christos Trochalakis wrote:
> On Tue, Jan 26, 2016 at 07:32:17PM +0300, Maxim Dounin wrote:
>> Hello!
>>
>> Several problems in nginx resolver were identified, which might allow
>> an attacker to cause worker process crash, or might have potential
>> other impact
>>
>> The problems are fixed in nginx 1.9.10, 1.8.1.
>>
>
> I am one of debian's nginx maintainers, I have just uploaded
> nginx-1.9.10 for unstable, so we are ready on that front. But debian
> stable is also affected (1.6.x series) and we will need to prepare a
> patch. Is it possible to ask for a single combined patch (or even better
> an 1.6.x release)?
It should be possible to get a combined patch straight out of the
mercurial repository just by doing a range on the diff. Alternatively
Fedora has already backported the patches to 1.6 which can be found
here: http://koji.fedoraproject.org/koji/buildinfo?buildID=713981
Hope this helps
Kind Regards
--
Andrew Hutchings (LinuxJedi)
Technical Product Manager, NGINX Inc.
More information about the nginx-devel
mailing list