Nginx [nginx-announce] nginx security advisory (CVE-2014-3556)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 6, 2014.

  1. eva2000

    Hello!

    A bug in nginx SMTP proxy was found, which allows an attacker in a
    privileged network position to inject commands into SSL sessions started
    with the STARTTLS command, potentially making it possible to steal
    sensitive information sent by clients (CVE-2014-3556).

    The problem affects nginx 1.5.6 - 1.7.3.

    The problem is fixed in nginx 1.7.4, 1.6.1.

    Patch for the problem can be found here:

    http://nginx.org/download/patch.2014.starttls.txt

    Thanks to Chris Boulton for discovering this.


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce
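
A triage check for the version ranges in the advisory above, as an added example that is not part of the advisory or of nginx. The function names and sample inputs are constructed here, and treating a build without `--with-mail_ssl_module`, or a configuration without `starttls on|only`, as not exposed is an assumption of this example rather than a statement from the advisory.

```python
import re

# Version bounds as stated in the advisory.
FIRST_AFFECTED = (1, 5, 6)
FIXED_MAINLINE = (1, 7, 4)
FIXED_STABLE = (1, 6, 1)

def version_affected(v):
    """True if v falls in 1.5.6 - 1.7.3 and is not a fixed 1.6.x release."""
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    if v[:2] == (1, 6) and v >= FIXED_STABLE:
        return False
    return True

def parse_nginx_v(output):
    """Return (version tuple, set of configure flags) from `nginx -V` text."""
    m = re.search(r"nginx version: \S+?/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no nginx version line found")
    args = re.search(r"configure arguments:(.*)", output)
    flags = set(args.group(1).split()) if args else set()
    return tuple(int(x) for x in m.groups()), flags

def starttls_enabled(conf_text):
    """True if an uncommented `starttls on;` or `starttls only;` is present."""
    for line in conf_text.splitlines():
        if re.search(r"\bstarttls\s+(on|only)\s*;", line.split("#", 1)[0]):
            return True
    return False

def triage(nginx_v_output, conf_text):
    version, flags = parse_nginx_v(nginx_v_output)
    if not version_affected(version):
        return "not affected by version"
    # Assumption of this example: exposure needs the mail SSL module
    # compiled in and STARTTLS switched on in the mail configuration.
    if "--with-mail_ssl_module" not in flags:
        return "affected version, mail SSL module not built"
    if not starttls_enabled(conf_text):
        return "affected version, STARTTLS not enabled"
    return "exposed: upgrade to 1.7.4 / 1.6.1 or apply the patch"

# Constructed sample inputs (not taken from a real host).
SAMPLE_V = ("nginx version: nginx/1.7.3\n"
            "configure arguments: --with-mail --with-mail_ssl_module\n")
SAMPLE_CONF = "mail {\n  server {\n    protocol smtp;\n    starttls on;\n  }\n}\n"

if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_CONF))
```

`nginx -V` writes to stderr, so capture it with `nginx -V 2>&1`. A distribution package may carry the patch without changing the version string, so a version match alone does not prove the fix is missing.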
