Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 03 Jan 2013 11:39:06 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Daniel Kahn Gillmor <dkg@...thhorseman.net>, nginx-devel@...nx.org
Subject: Re: nginx http proxy module does not verify peer identity
 of https origin server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/03/2013 08:36 AM, Daniel Kahn Gillmor wrote:
> nginx offers the ability for its http proxy module to talk to an
> origin server over https.  However, it does not verify the identity
> of the origin server in this case, which leaves it subject to MITM
> attacks between the proxy and the origin server.
> 
> Sadly, this appears to be unfixed for over a year after it was
> first reported:
> 
> http://trac.nginx.org/nginx/ticket/13
> 
> some patch review starts over here, but doesn't seem to reach any 
> resolution:
> 
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
>
>  As far as i can tell, there is no CVE assigned for this yet.
> 
> --dkg
> 

Yup. Please use CVE-2011-4968 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ5dBKAAoJEBYNRVNeJnmTk10P/RUE7xS+vKvTitanyBfK88OZ
rApBQlDm0v4yFQw3Wr9YZRAOWcla8aiaGe9txK1t2NzHRcKtv4kidXk4VtbfG3El
LGdourO0zi2Z3Vho48p/OkeVzpTr0eGNPduiJQdDmbD1M0ngmM5CCFxfpCf9hUb8
1Ph8ZZsVhcvbxhKA6zOtKUVHi8LX+EUdF4XzNPP59gx0UHQhIiLfElbmz4wLoPuN
p8xLnzEia94VGlFYVWxET34RL8V4uljaGsHIKZOOcFGSrPofzvipnyowfoRVB5dG
YmNtnWGihpC+Bp54YD81ItsI99TtPCjQfdrUQW6qkdZivMP+SQSqwhc/QZLe7jsI
/ATkfp28QRTi5fYvJpwAJUo4L6+bXYz4dMa5F3IdZyxBfqGxzwuvf6i4dobYyDnU
fgtd7H1KbyxGZojNiA5MzY5WCdZYIqjbfrOo2M+maYVrAC/deqEZ8R5JJEK8vhYt
mfPYs+49Qj8k8aC0AJPC3djbnh6odcG76gcyouweXvSMpPsYKi15Cxa1pmEnC2Ll
JmTaAvj6MhKviaJekROjBDnPe4g3VNOjPykfN0O9564f3IBWtsgLFN1NmIrA/NvA
e/7ndDg2JM8sJm3y23gjH14jxyDRMSAn1Bn8WiFX6F3O9WHz7dmImMX4LHEjx94I
DCv+ThLcl5lpyFQ5UO3m
=/tAU
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.