Nginx security update (seclists.org)
67 points by pyritschard on July 9, 2013 | hide | past | favorite | 16 comments



Just a PSA for people running Debian servers: Subscribe to the debian-security-announce list[1] and you'll get these notices in your inbox rather than at the top of Hacker News. I got an email Sunday afternoon so when I saw this I thought ... another vulnerability, already?!

[1] http://lists.debian.org/debian-security-announce/


Nice tip, thanks!


Note that's for the Debian distribution.

Patched source was actually posted back on May 7th and 13th for people who compile their own builds.

   2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released,
   with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0,
   discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).

   2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information
   disclosure security problem in some previous nginx versions (CVE-2013-2070).


So is 1.4.1 okay?


Yes


Well, Debian guys are so slow. It's the most insecure and unstable distribution.


We've had the fixed versions of the packages for quite some time.


What's the difference between wheezy and wheezy (security)?

https://security-tracker.debian.org/tracker/CVE-2013-2070


Wheezy is the base packages; security is the security updates, which are enabled by default and which most sysadmins will enable automatic upgrading for.

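An audit helper for the question the thread keeps circling (which upstream release is past the fixes, and why a Debian package's version number does not answer it), added here as an example and not written by any commenter or by the nginx project. The affected range for CVE-2013-2028 and the fixed releases (1.4.1, 1.5.0, 1.2.9) are taken from the changelog quoted above; the `dpkg-query` package string is an assumed input, and the affected range of CVE-2013-2070 is not modelled because the thread does not state it.

```python
import re
from typing import NamedTuple, Optional

# Release facts as quoted in the thread from the nginx changelog (May 2013).
CVE_2013_2028_AFFECTED = ((1, 3, 9), (1, 4, 0))   # stack-based buffer overflow
# First release per branch that the changelog lists as carrying the fixes.
# The 1.3.x development line has no fixed release; it was superseded by 1.4.1.
FIXED_IN_BRANCH = {(1, 2): (1, 2, 9), (1, 4): (1, 4, 1), (1, 5): (1, 5, 0)}

_BANNER_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


class Verdict(NamedTuple):
    version: tuple
    cve_2013_2028: Optional[bool]  # None: upstream number alone cannot tell
    needs_upgrade: Optional[bool]
    note: str


def parse_banner(banner: str) -> tuple:
    """Turn 'nginx version: nginx/1.4.0' (stderr of `nginx -v`) into (1, 4, 0)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(x) for x in m.groups())


def assess(banner: str, package_version: Optional[str] = None) -> Verdict:
    """Check a build against the releases named in the thread. package_version is
    the distro package string (assumed from `dpkg-query -W -f='${Version}' nginx`)."""
    version = parse_banner(banner)
    if package_version and "-" in package_version:
        # Debian-style revisions (e.g. 1.2.1-2.2+wheezy1) backport fixes without
        # bumping the upstream number, so only the distro tracker is authoritative.
        return Verdict(version, None, None,
                       "vendor package: consult the distribution security tracker")
    lo, hi = CVE_2013_2028_AFFECTED
    overflow = lo <= version <= hi
    fixed = FIXED_IN_BRANCH.get(version[:2])
    if fixed is None:
        # No fixed release listed for this branch: anything before 1.5.0 must move
        # to the 1.4.1+ stable or 1.5.0+ development line; newer branches are fine.
        needs_upgrade = version < (1, 5, 0)
        note = "no fixed release for this branch; upgrade to 1.4.1+ or 1.5.0+"
    else:
        needs_upgrade = version < fixed
        note = ("fixed in %d.%d.%d" % fixed) if needs_upgrade else "at or past the fixed release"
    return Verdict(version, overflow, needs_upgrade, note)
```
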

The NGINX advisory is here: http://mailman.nginx.org/pipermail/nginx-announce/2013/00011...

This is almost 2 months old.


Am I right in interpreting this as only a vulnerability if you use Nginx to proxy to an untrusted server (i.e. not yours) where specially formatted responses can compromise your Nginx?

It would seem to me that this is a particularly rare use case of nginx?

I suppose shared web hosts and services like CloudFlare are the types of implementation that may be affected.


Yes, but this can be exploited if a trusted backend server (which is much more common) gets compromised. Basically, if you have nginx in front of Node and you manage to execute arbitrary code in Node, you could use this as an attack vector to compromise nginx, which could act as a front-end to a whole lot of other things.


Yes, you interpret it correctly.

It's not that common, but I know at least one app using nginx in that way, and it was performing very well.


And, thankfully, all the current packages in Debian are either unaffected or it's been patched :)


Anyone know of the Ubuntu packages that are safe here?




