Nginx [nginx-announce] nginx security advisory (CVE-2013-2028)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 7, 2014.

    eva2000 Administrator Staff Member

    30,546
    6,849
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,262
    Local Time:
    3:27 AM
    Nginx 1.13.x
    MariaDB 5.5
    Hello!

    Greg MacManus, of iSIGHT Partners Labs, found a security problem
    in several recent versions of nginx. A stack-based buffer
    overflow might occur in a worker process while handling a
    specially crafted request, potentially resulting in arbitrary code
    execution (CVE-2013-2028).

    The problem affects nginx 1.3.9 - 1.4.0.

    The problem is fixed in nginx 1.5.0, 1.4.1.

    A patch for the problem can be found here:

    http://nginx.org/download/patch.2013.chunked.txt

    As a temporary workaround the following configuration
    can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce
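The advisory above says only that a specially crafted request can overflow a stack buffer in a worker process, and the patch file name ties the fix to chunked transfer-encoding handling. The C program below is an added example, not nginx's code and not a reconstruction of the nginx bug: it shows the hardening any chunk-size parser needs, a naive hex accumulator beside one that refuses a size before it can wrap negative or exceed a configured limit. Every name in it (chunk_size_result, parse_chunk_size_checked, checked_size and so on) and the two sample lines are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of parsing one chunk-size line such as "1a3f;name=value\r\n". */
typedef struct {
    int     ok;    /* 1 = well-formed and within bounds, 0 = rejected */
    int64_t size;  /* parsed chunk size, valid when ok == 1 */
    size_t  used;  /* bytes consumed, including the terminating CRLF */
} chunk_size_result;

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Skip any chunk extension and require CRLF; fills r->used on success. */
static int finish_line(const char *buf, size_t len, size_t i, chunk_size_result *r)
{
    while (i < len && buf[i] != '\r') i++;
    if (i + 1 >= len || buf[i + 1] != '\n') return 0;
    r->used = i + 2;
    return 1;
}

/* Naive accumulation: the bug class this advisory belongs to. Any number of
 * hex digits is accepted and the value wraps, so sixteen 'f's end up as a
 * negative length once stored in a signed field. Illustrative, not nginx's code. */
static chunk_size_result parse_chunk_size_unchecked(const char *buf, size_t len)
{
    chunk_size_result r = {0, 0, 0};
    uint64_t acc = 0;
    size_t i = 0;
    int h;

    while (i < len && (h = hexval((unsigned char) buf[i])) >= 0) {
        acc = acc * 16 + (uint64_t) h;   /* silently wraps modulo 2^64 */
        i++;
    }
    if (!finish_line(buf, len, i, &r)) return r;
    r.size = (int64_t) acc;   /* out-of-range conversion: -1 for 0xffffffffffffffff on gcc/clang */
    r.ok = 1;
    return r;
}

/* Hardened form: before each multiply-add, check that the result stays within
 * max_chunk (assumed >= 15), require at least one digit, and never let the
 * size go negative. Rejection returns ok == 0 so the caller can drop the request. */
static chunk_size_result parse_chunk_size_checked(const char *buf, size_t len, int64_t max_chunk)
{
    chunk_size_result r = {0, 0, 0};
    int64_t size = 0;
    size_t i = 0;
    int h, digits = 0;

    while (i < len && (h = hexval((unsigned char) buf[i])) >= 0) {
        if (size > (max_chunk - h) / 16) return r;   /* size*16 + h would exceed max_chunk */
        size = size * 16 + h;
        digits++;
        i++;
    }
    if (digits == 0) return r;
    if (!finish_line(buf, len, i, &r)) return r;
    r.size = size;
    r.ok = 1;
    return r;
}

/* Size accepted by the hardened parser, or -1 if it rejected the line. */
static int64_t checked_size(const char *line, int64_t max_chunk)
{
    chunk_size_result r = parse_chunk_size_checked(line, strlen(line), max_chunk);
    return r.ok ? r.size : -1;
}

/* Constructed lines for the demonstration, not captured traffic. */
static const char LINE_OK[]  = "1a3f;name=value\r\n";
static const char LINE_BAD[] = "ffffffffffffffff\r\n";  /* 2^64-1: wraps to -1 when signed */

/* 1 when the naive parser accepts LINE_BAD with a negative size and the
 * hardened parser rejects it, i.e. the difference a fix has to make. */
static int demo_negative_size_rejected(void)
{
    chunk_size_result u = parse_chunk_size_unchecked(LINE_BAD, sizeof LINE_BAD - 1);
    chunk_size_result c = parse_chunk_size_checked(LINE_BAD, sizeof LINE_BAD - 1, INT64_MAX);
    return u.ok && u.size < 0 && !c.ok;
}

int main(void)
{
    chunk_size_result ok = parse_chunk_size_checked(LINE_OK, sizeof LINE_OK - 1, INT64_MAX);
    printf("good line: ok=%d size=%lld used=%zu\n", ok.ok, (long long) ok.size, ok.used);
    printf("crafted line: hardened parser %s it\n",
           demo_negative_size_rejected() ? "rejects" : "accepts");
    return 0;
}
```

The bound check runs before the multiply, not after, because a signed overflow in C is undefined behaviour and cannot be detected reliably once it has happened; the same reasoning is why the `return 444;` workaround in the post closes the connection before any chunk-size line is parsed at all.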
