Nginx security advisory (CVE-2013-2028)

Hello!

Greg MacManus, of iSIGHT Partners Labs, found a security problem
in several recent versions of nginx. A stack-based buffer
overflow might occur in a worker process while handling a
specially crafted request, potentially resulting in arbitrary code
execution (CVE-2013-2028).

The problem affects nginx 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary workaround the following configuration
can be used in each server{} block:

if ($http_transfer_encoding ~* chunked) {
    return 444;
}


Maxim D.
http://nginx.org/en/donation.html

Hello,

I use nginx 1.1.19, latest version from ubuntu repository.
Anyone knows if Is it secure to use the latest verison from ubuntu
repository?

thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,238946,239015#msg-239015

I would add to Patrick answer the following:

  • 1.1.19 is a development version. IMHO it is always better to prefer
    stable in production environments. 1.2.8 or 1.4.1 depending on your
    needs/requirements.
  • Check the changes from 1.2 or 1.4 http://nginx.org/en/download.html
    to
    decide what is better for you (there are only few security alerts, most
    of
    entries are bugfixes)
  • Consider using nginx packages
    http://nginx.org/en/linux_packages.html(available for Ubuntu), which
    will keep you nginx updates to the most
    recent version of your choice (stable or ‘mainline’ which I suppose is
    development? or maybe old-stable 1.2.8?) via aptitude

Hope that’ll help

B. R.

Hello,

the security leak is only affected in nginx 1.3.9 and 1.4.0. So just
find
out which version is currently in the ubuntu repository and decide if
you
can update or not.

Kind regards,
Patrik

-----Ursprngliche Nachricht-----
Von: [email protected] [mailto:[email protected]] Im Auftrag
von
jonas
Gesendet: Mittwoch, 08. Mai 2013 16:36
An: [email protected]
Betreff: Re: nginx security advisory (CVE-2013-2028)

Hello,

I use nginx 1.1.19, latest version from ubuntu repository.
Anyone knows if Is it secure to use the latest verison from ubuntu
repository?

thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,238946,239015#msg-239015


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx