May 14, 2013 - nginx security advisory (CVE-2013-2070)

Updated: May 29th, 2013

Note: This issue has been addressed with the May 29th, 2013 stack upgrades.

 

Risk Assessment: Low – when not using proxy_pass to untrusted upstream HTTP servers

Vulnerable versions: nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0, if proxy_pass to untrusted upstream HTTP servers is used.

 

Summary:

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or disclosure of worker process memory when a specially crafted response is received from an upstream proxied server. The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0. The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9 was released to address the issue in the 1.2.x legacy branch.
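To check a host against the conditions above, the following added example (not part of the original advisory or of nginx) compares the version from `nginx -v` output with the affected ranges and lists the proxy_pass targets in a configuration so each upstream can be reviewed for trust. The function names, sample banner and sample configuration are constructed for illustration, and the comment stripping is deliberately simple (it does not handle "#" inside quoted strings).

```python
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED = [((1, 1, 4), (1, 2, 8)), ((1, 3, 0), (1, 4, 0))]

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
COMMENT_RE = re.compile(r"#[^\n]*")
# Matches the proxy_pass directive only, not proxy_pass_header and similar.
PROXY_RE = re.compile(r"(?<![\w$])proxy_pass\s+([^;\s]+)\s*;")


def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def proxy_targets(config_text):
    """Return proxy_pass targets, ignoring commented-out directives."""
    return PROXY_RE.findall(COMMENT_RE.sub("", config_text))


def assess(banner, config_text):
    version = parse_version(banner)
    targets = proxy_targets(config_text)
    affected = is_affected(version)
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "proxy_pass_targets": targets,
        # Whether an upstream is untrusted is the operator's call.
        "needs_review": affected and bool(targets),
    }


# Constructed sample input (hypothetical host names).
SAMPLE_BANNER = "nginx version: nginx/1.2.8"
SAMPLE_CONFIG = """
server {
    location /app/ { proxy_pass http://127.0.0.1:8080; }
    # proxy_pass http://old.example.invalid;
    location /ext/ { proxy_pass http://partner.example.invalid/api/; }
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```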

 

Solution:

Update to the latest cookbook by clicking Upgrade to get the May 29th, 2013 stack.

 

If you have any questions or concerns, please open a ticket here: https://support.cloud.engineyard.com/tickets/new
