Security fix in recent release 0.6.39/DSA-1884-1
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nginx (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Binary package hint: nginx
The release on 2009-09-14 contains a buffer underflow fix. Unpatched servers may be vulnerable to DoS or arbitrary code execution.
A fix has been applied to Debian packages. Please update the Ubuntu packages to the latest code, or backport the fix.
- -------
Debian Security Advisory DSA-1884-1 <email address hidden>
http://
September 14th, 2009 http://
- -------
Package : nginx
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.
For the oldstable distribution (etch), this problem has been fixed in
version 0.4.13-2+etch2.
For the stable distribution (lenny), this problem has been fixed in
version 0.6.32-3+lenny2.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 0.7.61-3.
visibility: | private → public |
Changed in nginx (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Andres E. Rodriguez Lazo (andreserl) |
Changed in nginx (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in nginx (Ubuntu): | |
status: | In Progress → Triaged |
tags: | added: patch |
Changed in nginx (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in nginx (Ubuntu): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in nginx (Ubuntu): | |
assignee: | Marc Deslauriers (mdeslaur) → nobody |
patch: http://sysoev.ru/nginx/patch.180065.txt
Affected 0.1.0-0.8.14.
Not affected 0.8.15, 0.7.62, 0.6.39 and 0.5.38
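
The version ranges above and the fixed Debian package versions from DSA-1884-1 can be applied to inventory data with a branch-aware check. This is an added example, not part of the original bug report or of any nginx, Debian or Ubuntu tooling; the names `debian_cmp` and `is_affected` are hypothetical, and the script knows only the fixed versions listed on this page.

```python
import re

# Fixed upstream releases per branch and Debian fixed packages, as listed on this page.
FIXED_UPSTREAM = {(0, 5): (0, 5, 38), (0, 6): (0, 6, 39),
                  (0, 7): (0, 7, 62), (0, 8): (0, 8, 15)}
FIXED_DEBIAN = {"0.4.13": "2+etch2", "0.6.32": "3+lenny2", "0.7.61": "3"}
FIRST_AFFECTED, LAST_AFFECTED = (0, 1, 0), (0, 8, 14)

def _order(ch):
    # dpkg ordering: '~' sorts lowest, then end of string (0), letters, other symbols
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def debian_cmp(a, b):
    """Compare two Debian revision strings the way dpkg does: -1, 0 or 1."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def is_affected(version):
    """True if an nginx version ('0.7.61' or Debian '0.7.61-3') lacks the fix."""
    upstream, _, revision = version.partition("-")
    parts = tuple(int(x) for x in upstream.split("."))
    if revision and upstream in FIXED_DEBIAN:
        # Debian backported the fix: the package revision decides, not upstream.
        return debian_cmp(revision, FIXED_DEBIAN[upstream]) < 0
    if not FIRST_AFFECTED <= parts <= LAST_AFFECTED:
        return False
    fixed = FIXED_UPSTREAM.get(parts[:2])
    # Branches with no fixed release listed on the page (e.g. 0.4.x) stay affected.
    return fixed is None or parts < fixed

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    for v in ["0.4.13-2+etch1", "0.6.32-3+lenny2", "0.7.61", "0.7.61-3", "0.8.15"]:
        print(v, "AFFECTED" if is_affected(v) else "ok")
```

A package built from any other upstream version with a backported patch is reported as affected by this check; confirm such cases against the package changelog.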