Nginx security advisory (CVE-2014-0088)


A bug in the experimental SPDY implementation in nginx 1.5.10 was found,
which might allow an attacker to corrupt worker process memory by using
a specially crafted request, potentially resulting in arbitrary code
execution (CVE-2014-0088).

The problem only affects nginx 1.5.10 on 32-bit platforms, compiled with
the ngx_http_spdy_module module (which is not compiled by default), if
the “spdy” option of the “listen” directive is used in a configuration

The problem is fixed in nginx 1.5.11.

Patch for the problem can be found here:

Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel
Sadosky, Buenos Aires, Argentina.

Maxim D.
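
An added example, not part of the advisory or of nginx itself: a triage check for the four conditions stated above (version 1.5.10, 32-bit build, SPDY module compiled in, "spdy" on a "listen" directive). The function names and sample inputs are constructed for illustration, and treating a 32-bit ELF binary as the "32-bit platform" condition is an assumption.

```python
import re

AFFECTED_VERSION = "1.5.10"  # per the advisory; fixed in 1.5.11

def parse_nginx_v(text):
    """Return (version, spdy_compiled) from `nginx -V` output (written to stderr)."""
    m = re.search(r"nginx version: nginx/(\S+)", text)
    return (m.group(1) if m else None), "--with-http_spdy_module" in text

def elf_is_32bit(header):
    """EI_CLASS, byte 4 of the ELF header: 1 = 32-bit, 2 = 64-bit."""
    if len(header) < 5 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF binary")
    return header[4] == 1

def spdy_listeners(conf):
    """Return the listen directives that carry the spdy option."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (ignores '#' inside quotes)
    hits = []
    for stmt in re.split(r"[;{}]", conf):
        words = stmt.split()
        # words[1] is the address/port; options follow it
        if words[:1] == ["listen"] and "spdy" in words[2:]:
            hits.append(" ".join(words))
    return hits

def assess(nginx_v, elf_header, conf):
    """All four conditions from the advisory must hold for exposure."""
    version, compiled = parse_nginx_v(nginx_v)
    listeners = spdy_listeners(conf)
    checks = {
        "version_is_1.5.10": version == AFFECTED_VERSION,
        "binary_is_32bit": elf_is_32bit(elf_header),
        "spdy_module_compiled": compiled,
        "spdy_on_listen": bool(listeners),
    }
    return all(checks.values()), checks, listeners

# Constructed sample inputs (not taken from a real host)
SAMPLE_V = ("nginx version: nginx/1.5.10\n"
            "configure arguments: --with-http_ssl_module --with-http_spdy_module\n")
SAMPLE_ELF32 = b"\x7fELF\x01\x01\x01\x00"
SAMPLE_CONF = """
server {
    listen 80;
    # listen 8443 ssl spdy;
    listen 443 ssl spdy;
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_ELF32, SAMPLE_CONF))
```

On a real host, pass the concatenated text of the main configuration file and everything it includes, since a "listen" directive may live in an included file.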
