Hi- nginx 1.4.0 is currently vulnerable to a bug introduced in 1.3.9 (buffer overflow/stacksmash triggered by a crafted request). First heard about it from Ars: http://arstechnica.com/security/2013/05/attack-hitting-apache-sites-goes-mainstream-hacks-nginx-lighttpd-too/ The nginx dev team makes mention of it here: http://nginx.org/en/CHANGES-1.4. The CVE entry (currently empty) for the bug is at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2028 The patch is at: http://nginx.org/download/patch.2013.chunked.txt You can also just bump to 1.4.1, which includes the patch in the source tree. -Robin K.
Changes with nginx 1.4.1 07 May 2013 *) Security: a stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028); the bug had appeared in 1.3.9. Thanks to Greg MacManus, iSIGHT Partners Labs. http://nginx.org/en/CHANGES-1.4
*** This bug has been marked as a duplicate of bug 468870 ***
