Nginx [nginx-announce] nginx security advisory (CVE-2014-3616)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 17, 2014.

  1. eva2000

    Hello!

    A problem with SSL session cache in nginx was identified by Antoine
    Delignat-Lavaud. It was possible to reuse cached SSL sessions in
    unrelated contexts, allowing virtual host confusion attacks in some
    configurations by an attacker in a privileged network position
    (CVE-2014-3616).

    The problem affects nginx 0.5.6 - 1.7.4 if the same shared
    ssl_session_cache and/or ssl_session_ticket_key are used for multiple
    server{} blocks.

    The problem is fixed in nginx 1.7.5, 1.6.2.

    Further details can be found in the paper by Antoine Delignat-Lavaud
    et al., available at http://bh.ht.vc/vhost_confusion.pdf.


    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

    Last edited: Sep 17, 2014
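
To check a deployment against the two conditions the advisory gives (an affected release, and one shared ssl_session_cache or ssl_session_ticket_key serving several server{} blocks), the following added example, which is not part of the advisory or of nginx, audits a configuration text. The function names and the sample config are hypothetical; it assumes includes are already expanded into one text and that no quoted string contains braces, semicolons or `#`.

```python
import re
from collections import defaultdict

KEYS = ("ssl_session_cache", "ssl_session_ticket_key")

def is_affected(version):
    """True for releases the advisory lists: 0.5.6 - 1.7.4, fixed in 1.6.2 and 1.7.5."""
    v = tuple(int(p) for p in version.split("."))
    if (1, 6, 2) <= v < (1, 7, 0):  # assumption: later 1.6.x releases keep the fix
        return False
    return (0, 5, 6) <= v <= (1, 7, 4)

def shared_session_state(conf):
    """Map each shared cache zone / ticket key file to the TLS server{} blocks using it."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, words, http, servers = [], [], {}, []
    for tok in tokens:
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({"name": "server#%d" % (len(servers) + 1), "tls": False, "own": {}})
        elif tok == "}":
            if stack:
                stack.pop()
        elif tok != ";":
            words.append(tok)
            continue
        elif words and stack:
            name, args, top = words[0], words[1:], stack[-1]
            cur = servers[-1] if top == "server" else None
            if cur and name == "server_name" and args:
                cur["name"] = args[0]
            elif cur and (name == "listen" and "ssl" in args or words == ["ssl", "on"]):
                cur["tls"] = True
            elif name in KEYS and top in ("http", "server"):
                vals = [a for a in args if name != KEYS[0] or a.startswith("shared:")]
                vals = [":".join(a.split(":")[:2]) if name == KEYS[0] else a for a in vals]
                (cur["own"] if cur else http).setdefault(name, []).extend(vals)
        words = []
    uses = defaultdict(list)
    for s in servers:  # nginx merges http{} values into a server{} that sets none of its own
        for key in KEYS:
            for val in s["own"].get(key, http.get(key, [])) if s["tls"] else []:
                uses[key + " " + val].append(s["name"])
    return {k: v for k, v in uses.items() if len(v) > 1}

SAMPLE = """http { ssl_session_cache shared:SSL:10m;  # constructed sample, not from the advisory
  server { listen 443 ssl; server_name a.example; }
  server { listen 443 ssl; server_name b.example; ssl_session_ticket_key b.key; }
  server { listen 443 ssl; server_name c.example; ssl_session_cache shared:C:5m; } }"""
```

A non-empty result from `shared_session_state` on a release for which `is_affected` is true matches the configuration the advisory describes; server{} blocks that set their own cache zone or key file, like c.example in the sample, are not reported.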