Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028). The problem affects nginx 1.3.9 - 1.4.0. The problem is fixed in nginx 1.5.0, 1.4.1.

Reference site: http://nginx.org/en/security_advisories.html
CVE url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028

Maintainers: I have tested renaming nginx-1.4.0-r1 to nginx-1.4.1 which worked well in my setup.
*** Bug 468962 has been marked as a duplicate of this bug. ***
1.4.1 is now in the tree
(In reply to comment #2)
> 1.4.1 is now in the tree

I'd like to wait before closing the bug because of this: http://www.openwall.com/lists/oss-security/2013/05/07/4
Arches, please test and mark stable: =www-servers/nginx-1.4.1-r2
Target keywords: "amd64 x86"
amd64 stable
x86 stable
Old removed, security please go ahead with the glsa
CVE-2013-2070 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2070): http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.

CVE-2013-2028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2028): The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
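The NVD text above describes the bug class: a chunk-size value from a chunked Transfer-Encoding body is accumulated into an integer, and a signedness error lets an oversized value pass the bounds check that guards a stack buffer. The following is an added example of the defensive pattern a parser of this kind needs (an unsigned accumulator, an explicit overflow check before each new hex digit, and a policy cap applied before the size is used). It is hypothetical code written for this bug report, not nginx's ngx_http_parse_chunked, and the function names parse_chunk_size and chunk_size_within_limit are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hardened chunk-size parser (added example, not nginx code).
 * Parses the hexadecimal chunk-size field that starts a chunk in a chunked
 * Transfer-Encoding body. The field must be terminated by ';' (a chunk
 * extension), '\r' or '\n'.
 * Returns 0 and stores the size in *out on success, -1 on malformed input
 * or on a value that would overflow the accumulator. */
int parse_chunk_size(const char *buf, size_t len, uint64_t *out)
{
    uint64_t size = 0;   /* unsigned: the value can never read as negative */
    size_t i = 0;
    int digits = 0;

    for (; i < len; i++) {
        int c = (unsigned char)buf[i];
        int v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else break;                    /* first non-hex byte ends the field */

        /* Refuse to shift in another nibble if that would wrap the
         * accumulator; wrap-around is what turns a huge declared size into
         * a small (or negative, with a signed type) one that passes a
         * later bounds check. */
        if (size > (UINT64_MAX >> 4))
            return -1;
        size = (size << 4) | (uint64_t)v;
        digits++;
    }

    if (digits == 0)
        return -1;                     /* empty size field */
    if (i >= len)
        return -1;                     /* no terminator seen */
    if (buf[i] != ';' && buf[i] != '\r' && buf[i] != '\n')
        return -1;                     /* garbage after the hex digits */

    *out = size;
    return 0;
}

/* Policy check applied before the parsed size is used to size a buffer or
 * a read: a syntactically valid size may still be far larger than the
 * server is willing to accept for a single chunk. */
int chunk_size_within_limit(uint64_t size, uint64_t max_chunk)
{
    return size <= max_chunk;
}
```

The parse result is only ever compared against a limit as an unsigned quantity, so there is no path by which a large declared chunk size can be interpreted as a small or negative number; anything that does not fit the accumulator is rejected at parse time rather than at copy time.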
GLSA request filed.
This issue was resolved and addressed in GLSA 201310-04 at http://security.gentoo.org/glsa/glsa-201310-04.xml by GLSA coordinator Sean Amoss (ackle).