| Summary: | <www-servers/nginx-1.0.14 : Header Parsing Memory Disclosure Weakness (CVE-2012-1180) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | dev-zero, hollow, patrick |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/48366/ | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2012-03-15 15:54:19 UTC
+ 15 Mar 2012; Patrick Lauer <patrick@gentoo.org> +nginx-1.0.14.ebuild,
+ +nginx-1.1.17.ebuild:
+ Bump for #408367
+ 15 Mar 2012; Patrick Lauer <patrick@gentoo.org> -nginx-1.0.11.ebuild,
+ -nginx-1.0.12.ebuild, -nginx-1.1.14.ebuild, -nginx-1.1.16.ebuild:
+ Removing old versions

1.0.10 is stable, recommend stabling 1.0.14 so it can be removed.

Thanks for the fast bump.

Arches, please test and mark stable:
=www-servers/nginx-1.0.14
Target keywords: "amd64 x86" both stable

@security, please vote. Thanks, everyone.

GLSA Vote: yes.

GLSA vote: yes. Adding to existing GLSA request.

Also, FreeBSD reports this (just as information):
http://www.vuxml.org/freebsd/29194cb8-6e9f-11e1-8376-f0def16c5c1b.html
That's where I found it.

It's already stable, but not in GLSA, is that right?

(In reply to comment #7)
> It's already stable, but not in GLSA, is that right?

The advisory will be done.

This issue was resolved and addressed in GLSA 201203-22 at http://security.gentoo.org/glsa/glsa-201203-22.xml by GLSA coordinator Sean Amoss (ackle).

CVE-2012-1180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1180): Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.