Nginx and CVE-2010-3864

Maxim Dounin mdounin at mdounin.ru
Thu Nov 18 03:12:06 MSK 2010


Hello!

On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark Moseley wrote:

> I think I know the answer to this but since the consequences of
> misguessing are somewhat dire, I figured I'd better ask.
> 
> For the advisory,
> 
> http://www.openssl.org/news/secadv_20101116.txt
> 
> are we nginx users safe if we're using one of the affected versions
> (and rechecking security.debian.org every 10 minutes) but only ever
> use:
> 
> ssl_session_cache	shared:sslache:....
> 
> i.e. *not*: ssl_session_cache builtin:....
> 
> ?
> 
> >From the wording of the advisory, it *sounds* like 'shared' bypasses
> the affected internal caching, but I wanted to be extra cautious.
> Clearly the right fix is to get openssl upgraded but until Debian gets
> their update out, it'd be good to know that nginx is not affected (at
> least with ssl_session_cache shared:...). Thanks!

nginx should be fine even if openssl's builtin session cache is 
used.

Both vulnerability information and code suggests that issue only 
affects multi-threaded programs (due to multiple threads changing 
the same session at the same time).  nginx isn't multi-threaded 
and the race in question isn't possible.

Maxim Dounin



More information about the nginx mailing list