Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Nov 2009 14:00:19 +0300
From: Igor Sysoev <igor@...oev.ru>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVEs for nginx

On Mon, Nov 23, 2009 at 11:48:17AM +0100, Jan Lieskovsky wrote:

> Hi Craig, vendors,
> 
> Craig wrote:
> > Hi,
> > 
> > are the CVEs for
> > 
> > 1.) nginx webdav: http://secunia.com/advisories/36818/
> 
>    I still haven't seen a CVE id for this (pls correct me
> if I overlooked it). Could one be assigned? (if there isn't one yet).

As I far I know - no.

> Also not sure, if this one has been already addressed upstream?
> (as there has been couple of more important Nginx security issues
>   recently).

This bug was fixed in 0.8.17 and 0.7.63:

Changes with nginx 0.8.17                                        28 Sep 2009

    *) Security: now "/../" are disabled in "Destination" request header
       line.

Changes with nginx 0.7.63                                        26 Oct 2009

    *) Security: now "/../" are disabled in "Destination" request header
       line.

> Igor, could you comment on upstream status of this one?
> Is there a patch handy?

There is no patch, however, I can created it for you.

> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> > 
> > 2.) nginx Null Pointer dereference:
> > http://sysoev.ru/nginx/patch.null.pointer.txt
> > 
> > 3.) nginx SSL Renegotiation: http://sysoev.ru/nginx/patch.cve-2009-3555.txt
> > 
> > I know the last one contains a CVE number, nginx uses openssl and the
> > patch will disable renegotiation, maybe this deserves an own CVE?
> > 
> > 
> > Best regards,
> > 
> > Craig


-- 
Igor Sysoev
http://sysoev.ru/en/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.