Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 03 Jan 2013 11:39:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, nginx-devel@...nx.org
Subject: Re: nginx http proxy module does not verify peer identity
 of https origin server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/03/2013 08:36 AM, Daniel Kahn Gillmor wrote:
> nginx offers the ability for its http proxy module to talk to an
> origin server over https.  However, it does not verify the identity
> of the origin server in this case, which leaves it subject to MITM
> attacks between the proxy and the origin server.
> 
> Sadly, this appears to be unfixed for over a year after it was
> first reported:
> 
> http://trac.nginx.org/nginx/ticket/13
> 
> some patch review starts over here, but doesn't seem to reach any 
> resolution:
> 
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
>
>  As far as i can tell, there is no CVE assigned for this yet.
> 
> --dkg
> 

Yup. Please use CVE-2011-4968 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ5dBKAAoJEBYNRVNeJnmTk10P/RUE7xS+vKvTitanyBfK88OZ
rApBQlDm0v4yFQw3Wr9YZRAOWcla8aiaGe9txK1t2NzHRcKtv4kidXk4VtbfG3El
LGdourO0zi2Z3Vho48p/OkeVzpTr0eGNPduiJQdDmbD1M0ngmM5CCFxfpCf9hUb8
1Ph8ZZsVhcvbxhKA6zOtKUVHi8LX+EUdF4XzNPP59gx0UHQhIiLfElbmz4wLoPuN
p8xLnzEia94VGlFYVWxET34RL8V4uljaGsHIKZOOcFGSrPofzvipnyowfoRVB5dG
YmNtnWGihpC+Bp54YD81ItsI99TtPCjQfdrUQW6qkdZivMP+SQSqwhc/QZLe7jsI
/ATkfp28QRTi5fYvJpwAJUo4L6+bXYz4dMa5F3IdZyxBfqGxzwuvf6i4dobYyDnU
fgtd7H1KbyxGZojNiA5MzY5WCdZYIqjbfrOo2M+maYVrAC/deqEZ8R5JJEK8vhYt
mfPYs+49Qj8k8aC0AJPC3djbnh6odcG76gcyouweXvSMpPsYKi15Cxa1pmEnC2Ll
JmTaAvj6MhKviaJekROjBDnPe4g3VNOjPykfN0O9564f3IBWtsgLFN1NmIrA/NvA
e/7ndDg2JM8sJm3y23gjH14jxyDRMSAn1Bn8WiFX6F3O9WHz7dmImMX4LHEjx94I
DCv+ThLcl5lpyFQ5UO3m
=/tAU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ