Updated: May 29th, 2013
Note: This issue has been addressed with the May 29th, 2013 stack upgrades.
Risk Assessment: Low – when not using proxy_pass to untrusted upstream HTTP servers
Vulnerable versions: nginx 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0, if proxy_pass to untrusted upstream HTTP servers is used.
Summary:
A security problem related to CVE-2013-2028 was identified. It affects some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. A specially crafted response from an upstream proxied server may lead to a denial of service or to disclosure of worker process memory. The problem affects nginx 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0. It is already fixed in nginx 1.5.0 and 1.4.1. Version 1.2.9 was released to address the issue in the 1.2.x legacy branch.
Solution:
Update to the latest cookbook by clicking Upgrade to get the May 29th, 2013 stack.
If you have any questions or concerns, please open a ticket here: https://support.cloud.engineyard.com/tickets/new
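To check a host against the conditions above, the following added example (not part of the original advisory) classifies an nginx version banner against the affected ranges and lists the proxy_pass targets to review. The function names and the sample banner and configuration are constructed for illustration; comment stripping is simplified and include files are not followed.

```python
import re

# Affected ranges from the advisory, inclusive: 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0.
VULNERABLE_RANGES = [((1, 1, 4), (1, 2, 8)), ((1, 3, 0), (1, 4, 0))]
VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+([^;\s]+)\s*;")

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None

def in_vulnerable_range(version):
    """True if the version tuple falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)

def proxy_targets(config_text):
    """Return targets of active proxy_pass directives.
    Simplification: everything after '#' on a line is treated as a comment."""
    active = re.sub(r"#.*", "", config_text)
    return PROXY_PASS_RE.findall(active)

def assess(banner, config_text):
    """Return (status, targets) for one host."""
    version = parse_version(banner)
    if version is None:
        return "unknown version", []
    if not in_vulnerable_range(version):
        return "not affected", []
    targets = proxy_targets(config_text)
    if not targets:
        return "affected version, no proxy_pass", []
    # Whether an upstream is trusted is a judgement call; list them for review.
    return "affected version, review upstreams", targets

# Constructed sample input (hypothetical hosts).
SAMPLE_BANNER = "nginx version: nginx/1.2.8"
SAMPLE_CONFIG = """
server {
    listen 80;
    # proxy_pass http://old-backend.example;
    location /app { proxy_pass http://127.0.0.1:8080; }
    location /feed {
        proxy_pass http://partner-feed.example;
    }
}
"""

if __name__ == "__main__":
    status, targets = assess(SAMPLE_BANNER, SAMPLE_CONFIG)
    print(status)
    for t in targets:
        print("  proxy_pass ->", t)
```
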