Welcome! Log In Create A New Profile

Advanced

nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
January 26, 2016 11:56AM
Hello!

Several problems in nginx resolver were identified, which might
allow an attacker to cause worker process crash, or might have
potential other impact:

- Invalid pointer dereference might occur during DNS server response
processing, allowing an attacker who is able to forge UDP
packets from the DNS server to cause worker process crash
(CVE-2016-0742).

- Use-after-free condition might occur during CNAME response
processing. This problem allows an attacker who is able to trigger
name resolution to cause worker process crash, or might
have potential other impact (CVE-2016-0746).

- CNAME resolution was insufficiently limited, allowing an attacker who
is able to trigger arbitrary name resolution to cause excessive resource
consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.


--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Maxim Dounin January 26, 2016 11:56AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 244
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready