Date: Thu, 12 Apr 2012 18:21:18 +0400 From: Andrew Alexeev <andrew@...nx.com> To: oss-security@...ts.openwall.com Subject: nginx security advisory: mp4 module vulnerability, CVE-2012-2089 Hello, The nginx team has released stable version 1.0.15, and development version 1.1.19 of its nginx web server, which include a fix for a vulnerability discovered by Matthew Daley in nginx's standard mp4 pseudo-streaming module. The following CVE-ID has been used: CVE-2012-2089 (privately assigned earlier by Kurt Seifried): http://nginx.org/en/security_advisories.html Description: a specially crafted mp4 file might allow to overwrite memory locations in a worker process, if ngx_http_mp4_module is used, potentially resulting in arbitrary code execution. The mp4 module is not built in by default, and should be explicitly configured to be included in nginx. By default nginx worker processes run under non-privileged user account. The problem affects nginx versions newer than 1.1.3, 1.0.7, built with the ngx_http_mp4_module, and "mp4" directive in the configuration. To check if mp4 module is included in nginx build, use "nginx -V". Users of nginx and mp4 pseudo-streaming module are kindly advised to upgrade to the latest nginx versions, or apply the following patch: http://nginx.org/download/patch.2012.mp4.txt -- Andrew Alexeev @nginxorg
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ