Nginx and CVE-2010-3864
Mark Moseley
moseleymark at gmail.com
Thu Nov 18 03:52:31 MSK 2010
On Wed, Nov 17, 2010 at 4:12 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Wed, Nov 17, 2010 at 11:31:53AM -0800, Mark Moseley wrote:
>
>> I think I know the answer to this but since the consequences of
>> misguessing are somewhat dire, I figured I'd better ask.
>>
>> For the advisory,
>>
>> http://www.openssl.org/news/secadv_20101116.txt
>>
>> are we nginx users safe if we're using one of the affected versions
>> (and rechecking security.debian.org every 10 minutes) but only ever
>> use:
>>
>> ssl_session_cache shared:sslache:....
>>
>> i.e. *not*: ssl_session_cache builtin:....
>>
>> ?
>>
>> >From the wording of the advisory, it *sounds* like 'shared' bypasses
>> the affected internal caching, but I wanted to be extra cautious.
>> Clearly the right fix is to get openssl upgraded but until Debian gets
>> their update out, it'd be good to know that nginx is not affected (at
>> least with ssl_session_cache shared:...). Thanks!
>
> nginx should be fine even if openssl's builtin session cache is
> used.
>
> Both vulnerability information and code suggests that issue only
> affects multi-threaded programs (due to multiple threads changing
> the same session at the same time). nginx isn't multi-threaded
> and the race in question isn't possible.
>
> Maxim Dounin
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
Excellent, thanks for the info. I'd forgotten nginx was event-based,
not threaded. That is a relief :)
More information about the nginx
mailing list