Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 May 2013 08:07:59 -0700
From: Andrew Alexeev <>
To: "" <>
Subject: nginx security advisory (CVE-2013-2070)


A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to 
untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server.

The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.

The problem is already fixed in nginx 1.5.0, 1.4.1.  Version 1.2.9
was released to address the issue in the 1.2.x legacy branch.

Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:

Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
can be found here:

Andrew Alexeev
Nginx, Inc.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ