May 072013
 

From nginx.org

Hello!

Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028).

The problem affects nginx 1.3.9 – 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary workaround the following configuration
can be used in each server{} block:

if ($http_transfer_encoding ~* chunked) {
return 444;
}

 Posted by at 10:23 am

Sorry, the comment form is closed at this time.