Learn about Centmin Mod LEMP Stack today
Register Now

Nginx [nginx-announce] nginx security advisory (CVE-2014-3616)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Sep 17, 2014.

Tags:
  1. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:22 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Hello!

    A problem with SSL session cache in nginx was identified by Antoine
    Delignat-Lavaud. It was possible to reuse cached SSL sessions in
    unrelated contexts, allowing virtual host confusion attacks in some
    configurations by an attacker in a privileged network position
    (CVE-2014-3616).

    The problem affects nginx 0.5.6 - 1.7.4 if the same shared
    ssl_session_cache and/or ssl_session_ticket_key are used for multiple
    server{} blocks.

    The problem is fixed in nginx 1.7.5, 1.6.2.

    Further details can be found in the paper by Antoine Delignat-Lavaud
    et al., available at http://bh.ht.vc/vhost_confusion.pdf.



    --
    Maxim Dounin
    http://nginx.org/en/donation.html

    _______________________________________________
    nginx-announce mailing list
    nginx-announce@nginx.org
    http://mailman.nginx.org/mailman/listinfo/nginx-announce

    Continue reading...
     
  2. eva2000

    eva2000 Administrator Staff Member

    54,107
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,738
    Local Time:
    4:22 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Last edited: Sep 17, 2014