Summary: | <www-servers/nginx-1.0.15 : Buffer overflow in the ngx_http_mp4_module (CVE-2012-2089) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | darkside, dev-zero, hollow |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://nginx.org/en/security_advisories.html | ||
Whiteboard: | C2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
*** Bug 411217 has been marked as a duplicate of this bug. ***

http://git.overlays.gentoo.org/gitweb/?p=dev/darkside.git;a=commit;h=dfc0254b49a18c548de27b82e367029e3c268384 (1.1.19 bump)

+ 13 Apr 2012; Jeremy Olexa <darkside@gentoo.org> -nginx-1.0.10.ebuild,
+ -nginx-1.1.17.ebuild, -nginx-1.1.18.ebuild, +nginx-1.1.19.ebuild,
+ metadata.xml:
+ Version bump from upstream (security bug 411751), addition of fancyindex
+ third party module (bug 411663). Cleanup metadata.xml

With multiple release trains in the same package, a ~arch version of the "stable train" will never get tested by ~arch users. Therefore, I feel like supporting multiple release trains for nginx in Gentoo is the wrong approach. I added myself to metadata.xml and will contribute to the dev't releases. It is my opinion that we should just stabilize 1.1.19.

Sounds good, thank you. Benedikt and Tiziano, please let us know if you object.

Arches, please test and mark stable:
=www-servers/nginx-1.1.19
Target keywords : "amd64 x86"

i'd rather bump and stabilize 1.0.15 instead of the development version ...

(In reply to comment #6)
> i'd rather bump and stabilize 1.0.15 instead of the development version ...

+1

i've added 1.0.15 to the tree, please stabilize that one

(In reply to comment #4)
> With multiple release trains in the same package, a ~arch version of the
> "stable train" will never get tested by ~arch users. Therefore, I feel like
> supporting multiple release trains for nginx in Gentoo is the wrong approach.

i understand your concerns, but i'd rather use p.mask to prevent ~arch users from installing the development versions or stabilize 1.1.x at a later time. we should not push the development version onto users right now just because of a security update. please stabilize nginx-1.0.15!

amd64 stable

x86 stable, all arches done.

Thanks folks. Filed new glsa request.
CVE-2012-2089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2089): Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.

This issue was resolved and addressed in GLSA 201206-07 at http://security.gentoo.org/glsa/glsa-201206-07.xml by GLSA coordinator Sean Amoss (ackle).
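A defender-side exposure check for this advisory, added here and not part of the bug report or of nginx: it parses `nginx -V` output against the affected ranges stated above and looks for an enabled `mp4` directive in the server configuration. The sample banner and config are constructed, and the check assumes the mp4 module is only present in a build configured with `--with-http_mp4_module`.

```python
"""Exposure check for CVE-2012-2089 (nginx ngx_http_mp4_module overflow).

Added example, not part of the Gentoo bug or the nginx project; the
`nginx -V` output and the config below are constructed samples."""
import re

# Affected ranges taken from the advisory text (inclusive bounds).
AFFECTED_RANGES = (((1, 0, 7), (1, 0, 14)), ((1, 1, 3), (1, 1, 18)))

# Constructed sample of `nginx -V` output (it is printed on stderr by real nginx).
SAMPLE_NGINX_V = """nginx version: nginx/1.0.14
built by gcc 4.5.3 (Gentoo 4.5.3-r2 p1.1, pie-0.4.7)
configure arguments: --prefix=/usr --with-http_mp4_module --with-http_ssl_module
"""

# Constructed sample config with the mp4 pseudo-streaming directive enabled.
SAMPLE_CONF = """server {
    listen 80;
    location /video/ {
        mp4;   # pseudo-streaming for .mp4 files
        mp4_buffer_size 1m;
    }
}
"""

def parse_version(nginx_v_output: str) -> tuple:
    """Extract (major, minor, patch) from the `nginx version:` line."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no nginx version found in output")
    return tuple(int(x) for x in m.groups())

def version_affected(version: tuple) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)

def mp4_module_built(nginx_v_output: str) -> bool:
    # Assumption: the module is optional and only compiled in with this flag.
    return "--with-http_mp4_module" in nginx_v_output

def mp4_directive_enabled(config_text: str) -> bool:
    """True if an uncommented `mp4;` directive appears (ignores mp4_* settings)."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]          # drop trailing comments
        if re.search(r"(^|[\s;{])mp4\s*;", code):
            return True
    return False

def assess(nginx_v_output: str, config_text: str) -> str:
    """Classify exposure: version range, module presence, then directive use."""
    if not version_affected(parse_version(nginx_v_output)):
        return "not affected: version outside advisory ranges"
    if not mp4_module_built(nginx_v_output):
        return "not affected: mp4 module not compiled in"
    if not mp4_directive_enabled(config_text):
        return "affected build, mp4 directive not enabled: upgrade anyway"
    return "VULNERABLE: affected version with mp4 directive enabled; upgrade to 1.0.15 or 1.1.19"
```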