Security advisory

Hello!

Matthew Daley recently discovered a security problem which may
lead to a disclosure of previously freed memory on a specially
crafted response from an upstream server, potentially resulting in
a sensitive information leak.

A patch for the problem can be found here:

http://nginx.org/download/patch.2012.memory.txt

The patch is not required for 1.1.17, 1.0.14.

Maxim D.

> Hello!

Hello Maxim,

> Matthew Daley recently discovered a security problem which may
> lead to a disclosure of previously freed memory on a specially
> crafted response from an upstream server, potentially resulting in
> a sensitive information leak.
>
> A patch for the problem can be found here:
>
> http://nginx.org/download/patch.2012.memory.txt
>
> The patch is not required for 1.1.17, 1.0.14.

There’s a CVE # for it? Someone asked me about it on twitter.

Thanks,

–appa

Hello!

On Thu, Mar 15, 2012 at 01:52:26PM +0100, Antonio P.P. Almeida wrote:

> > http://nginx.org/download/patch.2012.memory.txt
> >
> > The patch is not required for 1.1.17, 1.0.14.
>
> There’s a CVE # for it? Someone asked me about it on twitter.

No.

Maxim D.

Replying to myself here.

Maxim, Igor, Andrei, Valentin, Ruslan, &c,

I think that there’s room for improvement on the security advisory
front.

  1. Make it official: nginx-sa-01-2012 with an official numbering
    scheme.

  2. Get a CVE identifier.

  3. Publish it also on security lists like full-disclosure and bugtraq,
    for example

I know that Nginx has been a labour of love of a few people until
recently. But now that you’re an established company I think that
having in place a more formal procedure for security advisories would
bring great benefits to Nginx as a free software project with its
community and as a company also.

Just my unsolicited $.02

Salutations distinguées,

António

Antonio,

On Mar 15, 2012, at 5:04 PM, Antonio P.P. Almeida wrote:

> Just my unsolicited $.02

Thanks, this had been planned and is now ongoing.