Re: Nginx Debian vulnerabilities

Maxim Dounin
August 13, 2010 01:52PM
Hello!

On Thu, Aug 12, 2010 at 05:10:16PM +0200, Mesaya@gmx.de wrote:

> Are the vulnerabilities listed at http://nginx.org/en/security_advisories.html fixed in the recent debian lenny packet?
>
> # nginx -v
> nginx version: nginx/0.6.32
>
> I've installed nginx through apt-get install nginx, am I vulnerable to any of those vulnerabilities?

According to

http://patch-tracker.debian.org/package/nginx/0.6.32-3+lenny3

it has applied patches for CVE-2009-2629 (VU#180065) and
CVE-2009-3896.

The following remain:

- CVE-2009-3555 - you have to ensure your OpenSSL installation is
safe if you are using ssl (most likely it is - the patch was
released before fixed OpenSSL was widely available)

- CVE-2009-3898 - you shouldn't expose webdav module to untrusted
users

They aren't critical (well, CVE-2009-3555 is, but you likely
have it patched in OpenSSL itself) but it's probably a good idea to
upgrade anyway if you are planning to use nginx for something
serious. 0.6.32 is just way too old.

Maxim Dounin
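
The check described in the reply above (which advisory CVEs a distribution package has backported fixes for, independent of the upstream version string) can be scripted against the package changelog. This is an added example, not part of the original post: the function names are hypothetical and the changelog text is constructed sample input, not the real Debian changelog.

```shell
#!/bin/sh
# Advisory IDs taken from the thread above.
ADVISORY_CVES="CVE-2009-2629 CVE-2009-3896 CVE-2009-3555 CVE-2009-3898"

# Constructed sample changelog (NOT the real Debian changelog text).
# On a Debian host the packaged changelog is normally read with:
#   zcat /usr/share/doc/nginx/changelog.Debian.gz | remaining_cves
sample_changelog() {
cat <<'EOF'
nginx (0.6.32-3+lenny3) stable-security; urgency=high

  * Constructed entry: backported fix for CVE-2009-3896.

 -- Example Maintainer <maint@example.org>  (constructed)

nginx (0.6.32-3+lenny2) stable-security; urgency=high

  * Constructed entry: backported fix for CVE-2009-2629 (VU#180065).

 -- Example Maintainer <maint@example.org>  (constructed)
EOF
}

# Print every distinct CVE ID mentioned on stdin, one per line.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the advisory CVEs that the changelog on stdin does not mention.
remaining_cves() {
    fixed=$(cves_in_changelog)
    for cve in $ADVISORY_CVES; do
        # -x: whole-line match, -F: literal string, so IDs cannot partially match
        printf '%s\n' "$fixed" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# Stand-alone run against the constructed sample.
sample_changelog | remaining_cves
```

An ID missing from the changelog only means the package itself carries no fix for it; as the reply notes, it may be handled elsewhere (OpenSSL) or by configuration (not exposing the webdav module), so the output is a list to review by hand.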

