Nginx and CVE-2010-3864

Mark Moseley moseleymark at gmail.com
Wed Nov 17 22:31:53 MSK 2010


I think I know the answer to this but since the consequences of
misguessing are somewhat dire, I figured I'd better ask.

For the advisory,

http://www.openssl.org/news/secadv_20101116.txt

are we nginx users safe if we're using one of the affected versions
(and rechecking security.debian.org every 10 minutes) but only ever
use:

ssl_session_cache shared:sslache:....

i.e. *not*: ssl_session_cache builtin:....

?

From the wording of the advisory, it *sounds* like 'shared' bypasses
the affected internal caching, but I wanted to be extra cautious.
Clearly the right fix is to get openssl upgraded but until Debian gets
their update out, it'd be good to know that nginx is not affected (at
least with ssl_session_cache shared:...). Thanks!
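As an added example (not part of the post, and not nginx's or OpenSSL's own code): a small Python audit that walks an nginx configuration and reports, for each server block, which ssl_session_cache mode is actually in effect, including a value inherited from the enclosing http block, and flags any that use builtin, i.e. OpenSSL's internal session cache, which is the condition the advisory's wording turns on. The configuration text is constructed for the example; the assumption that an absent directive means nginx's default of none is taken from the nginx documentation.

```python
import re

# Constructed sample nginx configuration, built for this example; it is not
# from the original post. Line numbers below are 1-based within this string.
SAMPLE_CONF = """\
http {
    ssl_session_cache builtin:1000;   # OpenSSL-internal cache, inherited by servers
    server {
        listen 443 ssl;
        ssl_session_cache shared:SSL:10m;
    }
    server {
        listen 443 ssl;
        ssl_session_cache builtin:1000 shared:SSL:10m;
    }
    server {
        listen 443 ssl;            # no directive here: inherits from http
    }
    server {
        listen 443 ssl;
        ssl_session_cache off;
    }
}
"""

DIRECTIVE = re.compile(r"^\s*ssl_session_cache\s+([^;]+);")
# Assumed nginx default when no ssl_session_cache directive applies (per nginx docs).
DEFAULT_VALUE = "none"


def strip_comment(line: str) -> str:
    """Drop a trailing '#' comment (the sample has no quoted '#' characters)."""
    idx = line.find("#")
    return line if idx < 0 else line[:idx]


def cache_modes(value: str):
    """Split 'builtin:1000 shared:SSL:10m' into its mode names: ['builtin', 'shared']."""
    return [token.split(":", 1)[0] for token in value.split()]


def audit_session_cache(conf: str):
    """Return one record per server block: (line where it opens, effective modes, uses_internal_cache).

    Tracks block nesting so a server block without its own directive inherits the
    value from the enclosing http block, as nginx does.
    """
    scopes = [{"name": "main", "line": 0}]
    findings = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            # Directive applies to the innermost open block.
            scopes[-1]["ssl_session_cache"] = m.group(1).strip()
            continue
        if line.endswith("{"):
            scopes.append({"name": line[:-1].split()[0], "line": line_no})
            continue
        if line == "}":
            closed = scopes.pop()
            if closed["name"] == "server":
                # Innermost value wins: the closed server block first, then its parents.
                value = next((s["ssl_session_cache"] for s in reversed(scopes + [closed])
                              if "ssl_session_cache" in s), DEFAULT_VALUE)
                modes = cache_modes(value)
                findings.append((closed["line"], modes, "builtin" in modes))
    return findings


if __name__ == "__main__":
    for open_line, modes, internal in audit_session_cache(SAMPLE_CONF):
        flag = "USES OPENSSL INTERNAL CACHE" if internal else "ok"
        print(f"server block at line {open_line}: {' '.join(modes)} -> {flag}")
```

The third server block is the one worth noticing: it carries no directive of its own, so a grep for builtin inside the server block misses it, while the scope walk reports the inherited builtin from http. Note that the advisory conditions vulnerability on the server being multi-threaded as well as on its use of the internal cache, so this check only answers the caching half of the question.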


