Description: a specially crafted mp4 file might allow memory locations in a worker process to be overwritten, if ngx_http_mp4_module is used, potentially resulting in arbitrary code execution. The mp4 module is not built in by default, and should be explicitly configured to be included in nginx. By default, nginx worker processes run under a non-privileged user account. The problem affects nginx versions newer than 1.1.3, 1.0.7, built with the ngx_http_mp4_module, and with the "mp4" directive in the configuration. To check if the mp4 module is included in the nginx build, use "nginx -V". Users of nginx and the mp4 pseudo-streaming module are kindly advised to upgrade to the latest nginx versions, or apply the following patch: http://nginx.org/download/patch.2012.mp4.txt
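The description gives three conditions that all have to hold for a build to be exposed: an affected version, the mp4 module compiled in (visible in `nginx -V`), and the `mp4` directive actually used in a location. The script below is an added example, not part of the bug report or of nginx itself, that turns those three checks into shell functions. It assumes the `nginx -V` output format ("nginx version: nginx/X.Y.Z" followed by a "configure arguments:" line containing `--with-http_mp4_module`) and uses the affected version ranges from the CVE text (1.0.7 to 1.0.14, 1.1.3 to 1.1.18). All sample inputs are constructed, not captured from a real host; on a live system you would feed it `nginx -V 2>&1` (the output goes to stderr) and the relevant server blocks.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the bug report or from nginx):
# assess whether an nginx build is exposed to CVE-2012-2089 from
# "nginx -V" output plus the configuration text.

# Returns 0 when the configure arguments include the mp4 module.
has_mp4_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Returns 0 when some location actually enables the mp4 directive
# (a line consisting of "mp4;", ignoring surrounding whitespace).
config_uses_mp4() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'
}

# Prints "affected", "not-affected" or "unknown" for a version string,
# using the ranges from the CVE text: 1.0.7-1.0.14 and 1.1.3-1.1.18.
version_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-r1"
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ]; then
        echo unknown
        return
    fi
    if [ "$major" = 1 ] && [ "$minor" = 0 ] && [ "$patch" -ge 7 ] && [ "$patch" -le 14 ]; then
        echo affected
    elif [ "$major" = 1 ] && [ "$minor" = 1 ] && [ "$patch" -ge 3 ] && [ "$patch" -le 18 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Combines the three checks. Arguments: "nginx -V" output, config text.
# Prints one of: vulnerable | safe-no-mp4-module | safe-directive-unused | safe-version
assess_build() {
    out=$1
    conf=$2
    ver=$(printf '%s\n' "$out" | sed -n 's/^nginx version: nginx\///p')
    if ! has_mp4_module "$out"; then
        echo safe-no-mp4-module
    elif ! config_uses_mp4 "$conf"; then
        echo safe-directive-unused
    elif [ "$(version_status "$ver")" = affected ]; then
        echo vulnerable
    else
        echo safe-version
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VULN='nginx version: nginx/1.1.18
built by gcc 4.5.3
TLS SNI support enabled
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_mp4_module'

SAMPLE_FIXED='nginx version: nginx/1.0.15
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_mp4_module'

SAMPLE_NOMP4='nginx version: nginx/1.1.18
configure arguments: --prefix=/usr --with-http_ssl_module'

CONF_WITH_MP4='location /video/ {
    mp4;
    mp4_buffer_size 1m;
}'

CONF_WITHOUT_MP4='location /video/ {
    root /var/www;
}'

# Stand-alone run: print the verdict for each constructed sample.
for s in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_NOMP4"; do
    assess_build "$s" "$CONF_WITH_MP4"
done
assess_build "$SAMPLE_VULN" "$CONF_WITHOUT_MP4"
```

The version check is the least reliable of the three: distribution builds carry their own patches, so on Gentoo the ebuild revision (here 1.0.15 or 1.1.19) is what actually tells you whether the upstream fix is present, and the script only reports what upstream's version numbering implies.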
*** Bug 411217 has been marked as a duplicate of this bug. ***
http://git.overlays.gentoo.org/gitweb/?p=dev/darkside.git;a=commit;h=dfc0254b49a18c548de27b82e367029e3c268384 (1.1.19 bump)
13 Apr 2012; Jeremy Olexa <darkside@gentoo.org> -nginx-1.0.10.ebuild, -nginx-1.1.17.ebuild, -nginx-1.1.18.ebuild, +nginx-1.1.19.ebuild, metadata.xml:
Version bump from upstream (security bug 411751), addition of fancyindex third party module (bug 411663). Cleanup metadata.xml
With multiple release trains in the same package, a ~arch version of the "stable train" will never get tested by ~arch users. Therefore, I feel like supporting multiple release trains for nginx in Gentoo is the wrong approach. I added myself to metadata.xml and will contribute to the development releases. It is my opinion that we should just stabilize 1.1.19.
Sounds good, thank you. Benedikt and Tiziano, please let us know if you object.

Arches, please test and mark stable:
=www-servers/nginx-1.1.19
Target keywords: "amd64 x86"
I'd rather bump and stabilize 1.0.15 instead of the development version ...
(In reply to comment #6)
> I'd rather bump and stabilize 1.0.15 instead of the development version ...

+1
I've added 1.0.15 to the tree, please stabilize that one.

(In reply to comment #4)
> With multiple release trains in the same package, a ~arch version of the
> "stable train" will never get tested by ~arch users. Therefore, I feel like
> supporting multiple release trains for nginx in Gentoo is the wrong approach.

I understand your concerns, but I'd rather use p.mask to prevent ~arch users from installing the development versions or stabilize 1.1.x at a later time. We should not push the development version onto users right now just because of a security update. Please stabilize nginx-1.0.15!
amd64 stable
x86 stable, all arches done.
Thanks folks. Filed new glsa request.
CVE-2012-2089 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2089): Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.
This issue was resolved and addressed in GLSA 201206-07 at http://security.gentoo.org/glsa/glsa-201206-07.xml by GLSA coordinator Sean Amoss (ackle).