Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <6E6DFCC9-6BFC-4774-BCF7-903C61418524@nginx.com>
Date: Thu, 12 Apr 2012 18:21:18 +0400
From: Andrew Alexeev <andrew@...nx.com>
To: oss-security@...ts.openwall.com
Subject: nginx security advisory: mp4 module vulnerability, CVE-2012-2089

Hello,

The nginx team has released stable version 1.0.15, and development
version 1.1.19 of its nginx web server, which include a fix for a
vulnerability discovered by Matthew Daley in nginx's standard mp4
pseudo-streaming module.

The following CVE-ID has been used: CVE-2012-2089 (privately
assigned earlier by Kurt Seifried):

http://nginx.org/en/security_advisories.html

Description: a specially crafted mp4 file might allow to overwrite
memory locations in a worker process, if ngx_http_mp4_module is 
used, potentially resulting in arbitrary code execution.  The mp4
module is not built in by default, and should be explicitly
configured to be included in nginx.  By default nginx worker
processes run under non-privileged user account.

The problem affects nginx versions newer than 1.1.3, 1.0.7, built with
the ngx_http_mp4_module, and "mp4" directive in the configuration.
To check if mp4 module is included in nginx build, use "nginx -V".

Users of nginx and mp4 pseudo-streaming module are kindly advised
to upgrade to the latest nginx versions, or apply the following patch:

http://nginx.org/download/patch.2012.mp4.txt



-- 
Andrew Alexeev
@nginxorg

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.