

[nginx-announce] nginx security advisory (CVE-2013-2028)

Posted by Maxim Dounin 

Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).

The problem affects nginx 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:


As a temporary workaround the following configuration
can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

Maxim Dounin

nginx-announce mailing list
