Comment 0 for bug 1098654

I am reporting this bug so there's a bug to track this in within Launchpad. If/when a patch is approved upstream, this bug can be used as a reference point in the changelog when SRU-ing the fix into older releases.

Confirmed as Debian Bug 697940.
Confirmed as CVE-2011-4968.

This has already been added to the Ubuntu Security Team Tracker at http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4968.html

Information as follows comes from the Debian Bug:
"When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server.

This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and also CVE-2011-4968.

It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream."