Join the community today
Become a Member

Nginx [nginx-announce] nginx security advisory (CVE-2013-2070)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jun 7, 2014.

Tags:
  1. eva2000

    eva2000 Administrator Staff Member

    29,016
    6,584
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,774
    Local Time:
    5:04 AM
    Nginx 1.13.x
    MariaDB 5.5
    Hello!

    A security problem related to CVE-2013-2028 was identified,
    affecting some previous nginx versions if proxy_pass to
    untrusted upstream HTTP servers is used.

    The problem may lead to a denial of service or a disclosure of a
    worker process memory on a specially crafted response from an
    upstream proxied server.

    The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.

    The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9
    was released to address the issue in the 1.2.x legacy branch.

    Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:

    http://nginx.org/download/patch.2013.chunked.txt

    Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
    can be found here:

    http://nginx.org/download/patch.2013.proxy.txt


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

    Continue reading...