Nginx and CVE-2010-3864
Maxim Dounin
mdounin at mdounin.ru
Thu Nov 18 03:12:06 MSK 2010
Hello!
On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark Moseley wrote:
> I think I know the answer to this but since the consequences of
> misguessing are somewhat dire, I figured I'd better ask.
>
> For the advisory,
>
> http://www.openssl.org/news/secadv_20101116.txt
>
> are we nginx users safe if we're using one of the affected versions
> (and rechecking security.debian.org every 10 minutes) but only ever
> use:
>
> ssl_session_cache shared:sslache:....
>
> i.e. *not*: ssl_session_cache builtin:....
>
> ?
>
> >From the wording of the advisory, it *sounds* like 'shared' bypasses
> the affected internal caching, but I wanted to be extra cautious.
> Clearly the right fix is to get openssl upgraded but until Debian gets
> their update out, it'd be good to know that nginx is not affected (at
> least with ssl_session_cache shared:...). Thanks!
nginx should be fine even if openssl's builtin session cache is
used.
Both vulnerability information and code suggests that issue only
affects multi-threaded programs (due to multiple threads changing
the same session at the same time). nginx isn't multi-threaded
and the race in question isn't possible.
Maxim Dounin
More information about the nginx
mailing list