a specially crafted mp4 file might allow overwriting
memory locations in a worker process, if ngx_http_mp4_module is
used, potentially resulting in arbitrary code execution. The mp4
module is not built in by default, and should be explicitly
configured to be included in nginx. By default nginx worker
processes run under a non-privileged user account.
The problem affects nginx versions newer than 1.1.3, 1.0.7, built with
the ngx_http_mp4_module, and the "mp4" directive in the configuration.
To check if the mp4 module is included in the nginx build, use "nginx -V".
Users of nginx and mp4 pseudo-streaming module are kindly advised
to upgrade to the latest nginx versions, or apply the following patch:
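The upstream patch is not reproduced in this bug. As an added example (not the upstream patch and not from this bug), the check below takes the output of "nginx -V" and reports whether the build includes ngx_http_mp4_module and whether the version falls in the affected ranges given in the CVE text further down (1.0.7 through 1.0.14 and 1.1.3 through 1.1.18). The sample "nginx -V" output is constructed; whether the "mp4" directive is actually used still has to be checked in the server configuration.

```shell
# Constructed sample of "nginx -V" output for an affected Gentoo build.
SAMPLE_V='nginx version: nginx/1.1.18
built by gcc 4.5.3 (Gentoo 4.5.3-r2 p1.1, pie-0.4.7)
TLS SNI support enabled
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_mp4_module'

# Exit 0 if the configure arguments include the mp4 module.
has_mp4_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Print the X.Y.Z version from the first line of "nginx -V" output.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Compare two dotted versions component by component; print -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit 0 if version $1 lies within [$2, $3] inclusive.
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# Affected ranges from the CVE description: 1.0.7-1.0.14 and 1.1.3-1.1.18.
version_affected() {
    in_range "$1" 1.0.7 1.0.14 || in_range "$1" 1.1.3 1.1.18
}

# Print "not-built-with-mp4", "vulnerable" or "fixed-version".
assess() {
    v=$(nginx_version "$1")
    if ! has_mp4_module "$1"; then echo "not-built-with-mp4"; return; fi
    if version_affected "$v"; then echo "vulnerable"; else echo "fixed-version"; fi
}

assess "$SAMPLE_V"
```

On a live host, replace the constructed sample with `assess "$(nginx -V 2>&1)"`, since nginx prints this information on stderr.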
*** Bug 411217 has been marked as a duplicate of this bug. ***
http://git.overlays.gentoo.org/gitweb/?p=dev/darkside.git;a=commit;h=dfc0254b49a18c548de27b82e367029e3c268384 (1.1.19 bump)
+ 13 Apr 2012; Jeremy Olexa <firstname.lastname@example.org> -nginx-1.0.10.ebuild,
+ -nginx-1.1.17.ebuild, -nginx-1.1.18.ebuild, +nginx-1.1.19.ebuild,
+ Version bump from upstream (security bug 411751), addition of fancyindex
+ third party module (bug 411663). Cleanup metadata.xml
With multiple release trains in the same package, a ~arch version of the "stable train" will never get tested by ~arch users. Therefore, I feel like supporting multiple release trains for nginx in Gentoo is the wrong approach.
I added myself to metadata.xml and will contribute to the dev't releases. It is my opinion that we should just stabilize 1.1.19.
Sounds good, thank you. Benedikt and Tiziano, please let us know if you object.
Arches, please test and mark stable:
Target keywords : "amd64 x86"
i'd rather bump and stabilize 1.0.15 instead of the development version ...
(In reply to comment #6)
> i'd rather bump and stabilize 1.0.15 instead of the development version ...
i've added 1.0.15 to the tree, please stabilize that one
(In reply to comment #4)
> With multiple release trains in the same package, a ~arch version of the
> "stable train" will never get tested by ~arch users. Therefore, I feel like
> supporting multiple release trains for nginx in Gentoo is the wrong approach.
i understand your concerns, but i'd rather use p.mask to prevent ~arch users from installing the development versions or stabilize 1.1.x at a later time. we should not push the development version onto users right now just because of a security update.
please stabilize nginx-1.0.15!
x86 stable, all arches done.
Filed new glsa request.
Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module
in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4
directive is used, allows remote attackers to cause a denial of service
(memory overwrite) or possibly execute arbitrary code via a crafted MP4
This issue was resolved and addressed in
GLSA 201206-07 at http://security.gentoo.org/glsa/glsa-201206-07.xml
by GLSA coordinator Sean Amoss (ackle).