
Nginx [nginx-announce] nginx security advisory (CVE-2013-2028)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 7, 2014.

  1. eva2000

    eva2000 Administrator Staff Member


    Greg MacManus, of iSIGHT Partners Labs, found a security problem
    in several recent versions of nginx. A stack-based buffer
    overflow might occur in a worker process while handling a
    specially crafted request, potentially resulting in arbitrary code
    execution (CVE-2013-2028).

    The problem affects nginx 1.3.9 - 1.4.0.

    The problem is fixed in nginx 1.5.0, 1.4.1.

    Patch for the problem can be found here:

    As a temporary workaround the following configuration
    can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

    Maxim Dounin

    nginx-announce mailing list

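An added example, not part of the advisory or of nginx itself: Python that tests `nginx -v` output against the affected range stated above and lists the server{} blocks in a configuration that lack the temporary workaround. The function names and the sample configuration are constructed for illustration; the parser assumes no `#` or braces inside quoted strings and does not follow include directives.

```python
import re

AFFECTED_MIN = (1, 3, 9)  # first affected release, per the advisory
AFFECTED_MAX = (1, 4, 0)  # last affected release; 1.4.1 and 1.5.0 are fixed

# The advisory's workaround, tolerant of whitespace differences.
WORKAROUND = re.compile(
    r"if\s*\(\s*\$http_transfer_encoding\s+~\*\s+chunked\s*\)"
    r"\s*\{\s*return\s+444\s*;\s*\}")

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        if ($http_transfer_encoding ~* chunked) {
            return 444;
        }
    }
    server {
        listen 8080;
        location / { root /srv/www; }
    }
}
"""

def is_affected(version_output):
    """Test `nginx -v` output against the advisory's affected range."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no nginx/X.Y.Z version string found")
    version = tuple(int(p) for p in m.groups())  # numeric: 1.3.10 > 1.3.9
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def server_blocks(conf):
    """Yield each server{} body via brace matching (includes not followed)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def missing_workaround(conf):
    """Indexes of server{} blocks with no top-level workaround `if`."""
    def top_level(body, m):  # brace depth 0 means directly inside server{}
        return body[:m.start()].count("{") == body[:m.start()].count("}")
    return [n for n, body in enumerate(server_blocks(conf))
            if not any(top_level(body, m) for m in WORKAROUND.finditer(body))]
```

Feed `is_affected` the text printed by `nginx -v` (it goes to stderr) and `missing_workaround` the contents of the main configuration file; a non-empty list on an affected version means those server{} blocks still need the workaround or an upgrade.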