Nginx Debian vulnerabilities

Maxim Dounin mdounin at
Thu Aug 12 23:44:00 MSD 2010


On Thu, Aug 12, 2010 at 05:10:16PM +0200, Mesaya at wrote:

> Are the vulnerabilities listed at fixed in the recent debian lenny packet?
> # nginx -v
> nginx version: nginx/0.6.32
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?

According to

it has applied patches for CVE-2009-2629 (VU#180065) and 

The following remain:

- CVE-2009-3555 - you have to ensure your OpenSSL installation is 
  safe if you are using ssl (most likely it is - the patch was 
  released before fixed OpenSSL was widely available)

- CVE-2009-3898 - you shouldn't expose webdav module to untrusted 

They aren't critical (well, CVE-2009-3555 is, but you likely 
have it patched in OpenSSL itself) but it's probably a good idea to 
upgrade anyway if you are planning to use nginx for something 
serious.  0.6.32 is just way too old.

Maxim Dounin
