Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 468962

Summary: www-servers/nginx-1.4.0 is vulnerable to a buffer overflow
Product: Gentoo Security Reporter: Robin Kauffman <robink>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: dev-zero, hollow, ryao
Priority: Normal Keywords: PATCH, SECURITY
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://nginx.org/download/patch.2013.chunked.txt
Whiteboard: Ars Technica reports that this is being exploited in the wild
Package list:
Runtime testing required: ---

Description Robin Kauffman 2013-05-07 23:08:06 UTC
Hi-
    nginx 1.4.0 is currently vulnerable to a bug introduced in 1.3.9 (buffer overflow/stacksmash triggered by a crafted request).
    First heard about it from Ars: http://arstechnica.com/security/2013/05/attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too/
    The nginx dev team makes mention of it here: http://nginx.org/en/CHANGES-1.4.
    The CVE entry (currently empty) for the bug is at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2028
    The patch is at: http://nginx.org/download/patch.2013.chunked.txt
    You can also just bump to 1.4.1, which includes the patch in the source tree.

        -Robin K.
Comment 1 Qing Lei 2013-05-08 06:22:31 UTC
Changes with nginx 1.4.1                                         07 May 2013

    *) Security: a stack-based buffer overflow might occur in a worker
       process while handling a specially crafted request, potentially
       resulting in arbitrary code execution (CVE-2013-2028); the bug had
       appeared in 1.3.9.
       Thanks to Greg MacManus, iSIGHT Partners Labs.

http://nginx.org/en/CHANGES-1.4
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2013-05-08 06:27:24 UTC

*** This bug has been marked as a duplicate of bug 468870 ***