
Nginx security update - pyritschard
http://seclists.org/bugtraq/2013/Jul/39
======
oinksoft
Just a PSA for people running Debian servers: Subscribe to the debian-
security-announce list[1] and you'll get these notices in your inbox rather
than at the top of Hacker News. I got an email Sunday afternoon so when I saw
this I thought ... another vulnerability, already?!

[1] [http://lists.debian.org/debian-security-announce/](http://lists.debian.org/debian-security-announce/)

~~~
pallandt
Nice tip, thanks!

------
ck2
Note that's for the Debian distribution.

Patched source was actually posted back on May 7th and 13th for people who
compile their own builds.

    
       2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released,
       with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0,
       discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).
    
       2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information
       disclosure security problem in some previous nginx versions (CVE-2013-2070).

~~~
astrodust
So is 1.4.1 okay?

~~~
enduser
Yes

------
danielpal
The NGINX advisory is here: [http://mailman.nginx.org/pipermail/nginx-announce/2013/00011...](http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html)

This is almost 2 months old.

------
samwillis
Am I right in interpreting this as only a vulnerability if you use Nginx to
proxy to an untrusted server (i.e. not yours) where specially formatted
responses can compromise your Nginx?

It would seem to me that this is a particularly rare use case of nginx?

I suppose shared web hosts and services like CloudFlare are the types of
implementation that may be affected.

~~~
DrJokepu
Yes, but this can be exploited if a trusted backend server (which is much more
common) gets compromised. Basically if you have nginx in front of Node and you
manage to execute arbitrary code in Node you could use this as an attack
vector to compromise nginx which could act as a front-end to a whole lot of
other things.

------
antihero
And, thankfully, all the current packages in Debian are either unaffected or
it's been patched :)

------
hgezim
Anyone know of the Ubuntu packages that are safe here?

~~~
mclemme
Seems to be ok

[http://people.canonical.com/~ubuntu-security/cve/2013/CVE-20...](http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-2070.html)

