Welcome! Log In Create A New Profile

Advanced

nginx security advisory (CVE-2013-2070)

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
May 13, 2013 07:34AM
Hello!

A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to
untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server.

The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.

The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9
was released to address the issue in the 1.2.x legacy branch.

Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:

http://nginx.org/download/patch.2013.chunked.txt

Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
can be found here:

http://nginx.org/download/patch.2013.proxy.txt


--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

nginx security advisory (CVE-2013-2070)

Maxim Dounin May 13, 2013 07:34AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 257
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready