Nginx [nginx-announce] nginx security advisory (CVE-2014-3556)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 6, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    Hello!

    A bug in nginx SMTP proxy was found, which allows an attacker in a
    privileged network position to inject commands into SSL sessions started
    with the STARTTLS command, potentially making it possible to steal
    sensitive information sent by clients (CVE-2014-3556).

    The problem affects nginx 1.5.6 - 1.7.3.


    The problem is fixed in nginx 1.7.4, 1.6.1.

    Patch for the problem can be found here:

    http://nginx.org/download/patch.2014.starttls.txt

    Thanks to Chris Boulton for discovering this.


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce
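
For triaging hosts against the ranges in the advisory above, here is an added example (not part of the advisory or of nginx) that reads `nginx -V` output and reports whether the build falls in the affected range. The sample banner is constructed, the function names are hypothetical, and it assumes the mail proxy with STARTTLS is present only when the configure arguments list `--with-mail` and `--with-mail_ssl_module`.

```python
import re

# Ranges from the advisory: affected 1.5.6 - 1.7.3, fixed in 1.7.4 and 1.6.1.
FIRST_AFFECTED = (1, 5, 6)
FIXED_STABLE = (1, 6, 1)    # fix released on the 1.6.x branch
FIXED_MAINLINE = (1, 7, 4)  # fix released on the 1.7.x branch

# Constructed sample of `nginx -V` output (nginx writes it to stderr).
SAMPLE_BANNER = (
    "nginx version: nginx/1.6.0\n"
    "configure arguments: --prefix=/etc/nginx --with-mail --with-mail_ssl_module\n"
)


def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` or `nginx -V` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx/x.y.z version string found")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True if the version is in the advisory's affected range."""
    if version < FIRST_AFFECTED or version >= FIXED_MAINLINE:
        return False
    # 1.6.1 and later 1.6.x sort below 1.7.3 but already carry the fix.
    if version[:2] == (1, 6) and version >= FIXED_STABLE:
        return False
    return True


def assess(banner):
    """Classify one host from its version banner (upstream version numbers only;
    a distribution package may carry the patch under an older number)."""
    if not version_affected(parse_version(banner)):
        return "fixed-or-unaffected"
    if "configure arguments:" not in banner:
        return "affected-version, build options unknown"
    # Assumption: \b keeps --with-mail from matching --with-mail_ssl_module.
    if re.search(r"--with-mail\b", banner) and "--with-mail_ssl_module" in banner:
        return "affected-version, mail STARTTLS support built in"
    return "affected-version, mail STARTTLS support not built"


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))
```

A host reported as having mail STARTTLS support built in still needs its configuration checked for a `mail` block with `starttls on` or `starttls only` before it counts as exposed.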
