Nginx and CVE-2010-3864
Mark Moseley
moseleymark at gmail.com
Wed Nov 17 22:31:53 MSK 2010
I think I know the answer to this but since the consequences of
misguessing are somewhat dire, I figured I'd better ask.
For the advisory,
http://www.openssl.org/news/secadv_20101116.txt
are we nginx users safe if we're using one of the affected versions
(and rechecking security.debian.org every 10 minutes) but only ever
use:
ssl_session_cache shared:sslache:....
i.e. *not*: ssl_session_cache builtin:....
?
From the wording of the advisory, it *sounds* like 'shared' bypasses
the affected internal caching, but I wanted to be extra cautious.
Clearly the right fix is to get openssl upgraded but until Debian gets
their update out, it'd be good to know that nginx is not affected (at
least with ssl_session_cache shared:...). Thanks!
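The question above comes down to which `ssl_session_cache` mode each server block actually ends up with, including blocks that inherit the directive from the enclosing `http` context. The following audit script is an added example (not part of the original post and not nginx's own code): it walks an nginx configuration, reports every `ssl_session_cache` directive that enables the builtin cache, and resolves the effective value per `server` block. The sample configuration and the `*.example.invalid` server names are constructed for the example; the script only parses directives and makes no claim about which cache modes a given OpenSSL build is affected by.

```python
"""Audit ssl_session_cache directives in an nginx configuration.

Added example, not part of the original mailing-list post and not nginx's
own code.  It scans nginx configuration text for ssl_session_cache
directives, flags the ones that enable OpenSSL's builtin (in-process)
session cache, and resolves the effective value for each server block,
since a server block without its own directive inherits it from the
enclosing http context.  SAMPLE_CONFIG is constructed for this example.
"""
import re

# Constructed sample: four server blocks with different cache settings.
SAMPLE_CONFIG = """
http {
    ssl_session_cache shared:SSL:10m;

    server {
        listen 443 ssl;
        server_name a.example.invalid;
    }

    server {
        listen 443 ssl;
        server_name b.example.invalid;
        ssl_session_cache builtin:1000;
    }

    server {
        listen 443 ssl;
        server_name c.example.invalid;
        # nginx allows both cache types in one directive
        ssl_session_cache builtin:1000 shared:SSL:10m;
    }

    server {
        listen 443 ssl;
        server_name d.example.invalid;
        ssl_session_cache off;
    }
}
"""

# Match a directive at the start of a line; [ \t]* (not \s*) keeps the
# match on its own line so the reported line number is exact.
DIRECTIVE = re.compile(r"^[ \t]*ssl_session_cache[ \t]+([^;]+);", re.MULTILINE)


def strip_comments(text):
    """Remove '#' comments but keep newlines so line numbers stay valid."""
    return re.sub(r"#.*", "", text)


def parse_session_cache(value):
    """Return the set of cache types named in a directive value,
    e.g. 'builtin:1000 shared:SSL:10m' -> {'builtin', 'shared'}."""
    return {token.split(":", 1)[0] for token in value.split()}


def audit(config_text):
    """List every directive as (line_number, value, uses_builtin)."""
    text = strip_comments(config_text)
    findings = []
    for m in DIRECTIVE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        value = m.group(1).strip()
        findings.append((line_no, value, "builtin" in parse_session_cache(value)))
    return findings


def builtin_directives(config_text):
    """Only the directives that enable the builtin cache."""
    return [f for f in audit(config_text) if f[2]]


def effective_per_server(config_text):
    """Resolve the effective ssl_session_cache value for each server block,
    honouring inheritance from enclosing blocks.  nginx's documented default
    is 'none' when no directive applies."""
    text = strip_comments(config_text)
    stack = [{}]          # one dict of directive -> value per open block
    result = {}
    for stmt in re.finditer(r"([^;{}]*)([;{}])", text):
        body, delim = stmt.group(1).strip(), stmt.group(2)
        if delim == "{":
            child = dict(stack[-1])   # inherit the parent's directives
            child["_block"] = body    # e.g. 'http' or 'server'
            stack.append(child)
        elif delim == "}":
            ctx = stack.pop()
            if ctx.get("_block") == "server":
                name = ctx.get("server_name", "<unnamed>")
                result[name] = ctx.get("ssl_session_cache", "none")
        elif body:
            parts = body.split(None, 1)
            if len(parts) == 2:
                stack[-1][parts[0]] = parts[1].strip()
    return result


if __name__ == "__main__":
    for line_no, value, _ in builtin_directives(SAMPLE_CONFIG):
        print(f"line {line_no}: builtin cache enabled ({value})")
    for name, value in effective_per_server(SAMPLE_CONFIG).items():
        print(f"{name}: effective ssl_session_cache = {value}")
```

Run it against a real configuration by reading the file into `audit()` and `effective_per_server()` instead of `SAMPLE_CONFIG`; the per-server view is the one that matters, because a block with no directive of its own silently takes whatever the `http` context set. The block parser is deliberately minimal (it does not follow `include` directives), so run it on the fully assembled configuration or on each included file.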