Date: Mon, 23 Nov 2009 14:20:23 -0500 (EST)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: CVEs for nginx

----- "Craig" <> wrote:

> 1.) nginx webdav:

Let's use CVE-2009-3898 for this one:


nginx versions before 0.8.17 and 0.7.63 contain a directory traversal flaw in
the webdav component. A user who has COPY or MOVE permissions could place
files outside the webdav root.

> 2.) nginx Null Pointer dereference:

This is CVE-2009-3896

> 3.) nginx SSL Renegotiation:
> I know the last one contains a CVE number, nginx uses openssl and the
> patch will disable renegotiation, maybe this deserves its own CVE?

We'll use the same ID. mod_ssl did a similar thing and used CVE-2009-3555. I
think multiple IDs in this instance would actually create more confusion than
it would solve.


