Nginx and CVE-2010-3864

Mark Moseley
November 17, 2010 02:36PM
I think I know the answer to this but since the consequences of
misguessing are somewhat dire, I figured I'd better ask.

For the advisory,

http://www.openssl.org/news/secadv_20101116.txt

are we nginx users safe if we're using one of the affected versions
(and rechecking security.debian.org every 10 minutes) but only ever
use:

ssl_session_cache shared:sslache:....

i.e. *not*: ssl_session_cache builtin:....

?

From the wording of the advisory, it *sounds* like 'shared' bypasses
the affected internal caching, but I wanted to be extra cautious.
Clearly the right fix is to get openssl upgraded but until Debian gets
their update out, it'd be good to know that nginx is not affected (at
least with ssl_session_cache shared:...). Thanks!

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx