Message-Id: <4C63D721-2A3A-474D-BE76-44E77F01215B@nginx.com>
Date: Tue, 7 May 2013 05:44:36 -0700
From: Andrew Alexeev <andrew@...nx.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: nginx security advisory (CVE-2013-2028)

Hello!

Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028).

The problem affects nginx 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary workaround the following configuration can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

--
Andrew Alexeev
Nginx, Inc.
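A way to confirm the workaround above is actually in effect on a server you administer, as an added example that is not part of the advisory or of nginx itself: it sends a harmless, well-formed chunked POST and checks whether the connection is dropped without a response, which is what `return 444` does. The host name, path and port are placeholders to be replaced with your own.

```python
import socket

# Placeholder defaults; replace with the server under test.
def build_probe_request(host: str, path: str = "/") -> bytes:
    """Build a harmless HTTP/1.1 request that declares a chunked body.

    The body is one well-formed 5-byte chunk followed by the terminating
    zero-length chunk. It only exercises the header the workaround keys on
    ($http_transfer_encoding); it carries no malformed chunk sizes.
    """
    body = b"5\r\nhello\r\n0\r\n\r\n"
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body

def classify_response(raw: bytes) -> str:
    """Map the raw reply to one of three outcomes.

    'closed'   -> no bytes at all: consistent with `return 444`, which closes
                  the connection without sending any response.
    'rejected' -> a 4xx status line came back (some other deny rule fired).
    'accepted' -> a normal answer: chunked requests are still being processed,
                  so the workaround is absent or not matching.
    """
    if not raw:
        return "closed"
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1][:1] == b"4":
        return "rejected"
    return "accepted"

def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a server you administer and classify its reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_probe_request(host))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except ConnectionError:
        # nginx may reset the socket while we are still sending the body;
        # that is also the "dropped without a response" outcome.
        return "closed"
    return classify_response(b"".join(chunks))
```

Keep in mind that the workaround drops every chunked request, legitimate uploads included, so an `accepted` result on an endpoint that must keep accepting chunked bodies is expected and means that endpoint should be upgraded rather than configured this way.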