Just a PSA for people running Debian servers: Subscribe to the debian-security-announce list[1] and you'll get these notices in your inbox rather than at the top of Hacker News. I got an email Sunday afternoon so when I saw this I thought ... another vulnerability, already?!
Patched source was actually posted back on May 7th and 13th for people who compile their own builds.
2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released, with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0, discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).
2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information disclosure security problem in some previous nginx versions (CVE-2013-2070).
Am I right in interpreting this as only a vulnerability if you use Nginx to proxy to an untrusted server (i.e. not yours) where specially formatted responses can compromise your Nginx?
It would seem to me that this is a particularly rare use case of nginx?
I suppose shared web hosts and services like CloudFlare are the types of implementation that may be affected.
Yes, but this can be exploited if a trusted backend server (which is much more common) gets compromised. Basically, if you have nginx in front of Node and you manage to execute arbitrary code in Node, you could use this as an attack vector to compromise nginx, which could act as a front-end to a whole lot of other things.
[1] http://lists.debian.org/debian-security-announce/