Summary: | www-servers/nginx remote arbitrary code execution (CVE-2009-4487) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | | |
Severity: | major | CC: | hollow, quantumsummers, voxus |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B2? [ebuild] | | |
Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-02-06 15:24:43 UTC
nginx changelog for 0.7 doesn't mention this CVE, so not sure if this has been fixed in 0.7.65.

Not sure if the nginx author will recognize this as an actual "bug", here's varnish route: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4488

nginx seems to accept this as a vuln. See link http://nginx.org/en/security_advisories.html

I mailed the author, if it's planned to fix this CVE. igor@sysoev.ru wrote: "No, I do not consider this as vulnerability. This is terminal issue."

I have to agree with Igor and also the team behind varnish, which issued the following statement, that this is not a vulnerability in nginx/varnish/apache/whatever.

The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely. This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. [...]

Issue disputed. I have not looked very deeply into this, but it really seems to be a terminal issue. However, it would have been nice to filter out these characters. It's a feature, not a bug? ;(
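The thread ends on the point that filtering these characters would have been nice. Since the server does not do it, the filter can sit on the viewing side instead of cat(1). The following is an added example, not part of the bug report and not nginx or Gentoo code; the names `neutralize` and `scan` are hypothetical and the log lines are constructed.

```python
import unicodedata

# Constructed sample: line 2 carries an OSC "set window title" sequence
# (ESC ] 0 ; ... BEL) in the request path; line 3 carries a raw 8-bit CSI
# byte (0x9b), which is not valid UTF-8.
SAMPLE_LOG = (
    b'192.0.2.10 - - [06/Feb/2010:15:24:43 +0000] "GET /index.html HTTP/1.1" 200 612\n'
    b'192.0.2.11 - - [06/Feb/2010:15:24:44 +0000] "GET /\x1b]0;constructed-title\x07 HTTP/1.1" 404 169\n'
    b'192.0.2.12 - - [06/Feb/2010:15:24:45 +0000] "GET /\x9b2J HTTP/1.1" 404 169\n'
)


def neutralize(raw: bytes) -> str:
    """Render one log line so that no control byte reaches the terminal.

    Bytes that are not valid UTF-8 become \\xNN, and every control
    character (C0, DEL, C1) except TAB is written as \\xNN.
    """
    text = raw.decode("utf-8", errors="backslashreplace")
    out = []
    for ch in text:
        if ch != "\t" and unicodedata.category(ch) == "Cc":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def scan(log: bytes):
    """Yield (line_number, safe_text, flagged) for each line of a log.

    Lines are split on LF only, so a bare CR stays inside its line and is
    escaped and flagged like any other control character.
    """
    for n, raw in enumerate(log.rstrip(b"\n").split(b"\n"), start=1):
        safe = neutralize(raw)
        yield n, safe, safe != raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for n, safe, flagged in scan(SAMPLE_LOG):
        print(f"{'!' if flagged else ' '} {n:4d} {safe}")
```

Flagged lines are also worth reviewing in their own right, because ordinary clients have no reason to put terminal control bytes in a request.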