Nginx [nginx-announce] nginx security advisory (CVE-2014-3616)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 17, 2014.

  1. eva2000

    eva2000 Administrator Staff Member

    Hello!

    A problem with SSL session cache in nginx was identified by Antoine
    Delignat-Lavaud. It was possible to reuse cached SSL sessions in
    unrelated contexts, allowing virtual host confusion attacks in some
    configurations by an attacker in a privileged network position
    (CVE-2014-3616).

    The problem affects nginx 0.5.6 - 1.7.4 if the same shared
    ssl_session_cache and/or ssl_session_ticket_key are used for multiple
    server{} blocks.

    The problem is fixed in nginx 1.7.5, 1.6.2.

    Further details can be found in the paper by Antoine Delignat-Lavaud
    et al., available at http://bh.ht.vc/vhost_confusion.pdf.


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    Last edited: Sep 17, 2014
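
The advisory's trigger condition, the same shared ssl_session_cache and/or ssl_session_ticket_key used for multiple server{} blocks, can be checked against a configuration. The Python audit below is an added example, not code from the advisory or the nginx project. It assumes a single configuration file with no include directives and no braces or "#" inside quoted strings, and it does not check whether a server{} block actually listens with ssl; the sample configuration, host names and key file name are constructed.

```python
import re

WATCHED = ("server_name", "ssl_session_cache", "ssl_session_ticket_key")

def lookup(block, directive):
    """Resolve a directive as nginx inherits it: the nearest enclosing block wins."""
    while block is not None:
        if directive in block:
            return block[directive]
        block = block["parent"]
    return []

def shared_session_state(conf):
    """Return {(directive, value): [server names]} for state used by more than one server{}."""
    conf = re.sub(r"#[^\n]*", "", conf)            # strip comments
    cur, servers = {"parent": None}, []
    for text, delim in re.findall(r"([^;{}]*)([;{}])", conf):
        words = text.split()
        if delim == "{":                            # entering a block
            cur = {"parent": cur}
            if words[:1] == ["server"]:
                servers.append(cur)
        elif delim == "}":                          # leaving it
            cur = cur["parent"]
        elif words and words[0] in WATCHED:
            cur.setdefault(words[0], []).extend(words[1:])
    users = {}
    for s in servers:
        name = " ".join(s.get("server_name", [])) or "(unnamed)"
        for arg in lookup(s, "ssl_session_cache"):
            if arg.startswith("shared:"):           # shared:<zone>:<size>
                users.setdefault(("ssl_session_cache", arg.split(":")[1]), []).append(name)
        for key_file in lookup(s, "ssl_session_ticket_key"):
            users.setdefault(("ssl_session_ticket_key", key_file), []).append(name)
    return {k: v for k, v in users.items() if len(v) > 1}

# Constructed sample configuration (not from the advisory).
SAMPLE = """http {
  ssl_session_cache shared:SSL:10m;  # inherited by every server{} below
  server { server_name a.example; listen 443 ssl; }
  server { server_name b.example; listen 443 ssl; ssl_session_ticket_key tk.key; }
  server { server_name c.example; listen 443 ssl; ssl_session_cache shared:C:5m;
           ssl_session_ticket_key tk.key; }
}"""

if __name__ == "__main__":
    for (directive, value), names in shared_session_state(SAMPLE).items():
        print(f"{directive} {value} is shared by: {', '.join(names)}")
```

A non-empty result matters on versions in the advisory's affected range (0.5.6 - 1.7.4); an http-level ssl_session_cache counts as shared because every server{} block below inherits it.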