
Nginx [nginx-announce] nginx security advisory (CVE-2013-2028)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 7, 2014.

    eva2000 Administrator Staff Member
    Hello!

    Greg MacManus, of iSIGHT Partners Labs, found a security problem
    in several recent versions of nginx. A stack-based buffer
    overflow might occur in a worker process while handling a
    specially crafted request, potentially resulting in arbitrary code
    execution (CVE-2013-2028).

    The problem affects nginx 1.3.9 - 1.4.0.

    The problem is fixed in nginx 1.5.0, 1.4.1.


    Patch for the problem can be found here:

    http://nginx.org/download/patch.2013.chunked.txt

    As a temporary workaround the following configuration
    can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

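As an added example (not part of the advisory or the forum post), a small Python helper that checks an nginx version string against the affected range given in the advisory and looks for the temporary workaround in a server{} block; the function names and the result labels returned by assess() are my own.

```python
import re
import subprocess

# Affected range and fixed releases are taken from the advisory (CVE-2013-2028).
AFFECTED_MIN = (1, 3, 9)
AFFECTED_MAX = (1, 4, 0)
FIXED_IN = {(1, 4, 1), (1, 5, 0)}

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
# Lenient match for the advisory's workaround; whitespace-insensitive, not a full config parser.
WORKAROUND_RE = re.compile(
    r"if\s*\(\s*\$http_transfer_encoding\s*~\*\s*chunked\s*\)\s*\{\s*return\s+444\s*;\s*\}"
)


def parse_nginx_version(text):
    """Extract (major, minor, patch) from e.g. 'nginx version: nginx/1.4.0'.
    Returns None when no nginx/x.y.z string is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside the advisory's 1.3.9 - 1.4.0 range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def has_workaround(config_text):
    """True when the config text contains the advisory's temporary workaround."""
    return WORKAROUND_RE.search(config_text) is not None


def assess(version_output, config_text=""):
    """Classify a build: 'unknown', 'not-affected', 'affected-mitigated' or 'affected'."""
    v = parse_nginx_version(version_output)
    if v is None:
        return "unknown"
    if not is_affected(v):
        return "not-affected"
    return "affected-mitigated" if has_workaround(config_text) else "affected"


def local_nginx_version():
    """Run `nginx -v` (it prints to stderr) and return the parsed version, or None."""
    try:
        out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_nginx_version(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample input: what `nginx -v` prints for an affected build.
    print(assess("nginx version: nginx/1.4.0", "server { listen 80; }"))  # affected
```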