Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 408367 (CVE-2012-1180)

Summary: <www-servers/nginx-1.0.14 : Header Parsing Memory Disclosure Weakness (CVE-2012-1180)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: dev-zero, hollow, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-03-15 15:54:19 UTC
From secunia security advisory at $URL:

The weakness is caused due to an error when parsing header responses from servers and can be exploited to disclose the contents of previously freed memory.

The weakness is reported in versions prior to 1.0.14.

Update to version 1.0.14.

Fixed also in 1.1.17 for testing.
Comment 1 Patrick Lauer gentoo-dev 2012-03-15 16:40:53 UTC
+  15 Mar 2012; Patrick Lauer <> +nginx-1.0.14.ebuild,
+  +nginx-1.1.17.ebuild:
+  Bump for #408367
Comment 2 Patrick Lauer gentoo-dev 2012-03-15 16:44:01 UTC
+  15 Mar 2012; Patrick Lauer <> -nginx-1.0.11.ebuild,
+  -nginx-1.0.12.ebuild, -nginx-1.1.14.ebuild, -nginx-1.1.16.ebuild:
+  Removing old versions

1.0.10 is stable, recommend stabling 1.0.14 so it can be removed.
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-15 16:48:36 UTC
Thanks for the fast bump

Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2012-03-15 18:18:19 UTC
both stable

@security, please vote.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-15 20:31:17 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-17 14:37:07 UTC
GLSA vote: yes.

Adding to existing GLSA request.
Comment 7 Richard H. 2012-03-20 09:47:20 UTC
Also, FreeBSD reports this (just as information)

That's where I found it.

It's already stable, but not in GLSA, is that right?
Comment 8 Agostino Sarubbo gentoo-dev 2012-03-20 09:50:21 UTC
(In reply to comment #7)
> It's already stable, but not in GLSA, is that right?

The advisory will be done.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-03-28 10:59:51 UTC
This issue was resolved and addressed in
 GLSA 201203-22 at
by GLSA coordinator Sean Amoss (ackle).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-04-28 00:44:29 UTC
CVE-2012-1180 (
  Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17
  allows remote HTTP servers to obtain sensitive information from process
  memory via a crafted backend response, in conjunction with a client request.