Hello!
Matthew Daley discovered a security problem in the
ngx_http_mp4_module, CVE-2012-2089.
A specially crafted mp4 file might allow to overwrite memory
locations in a worker process if the ngx_http_mp4_module is
used, potentially resulting in arbitrary code execution.
The problem affects nginx 1.1.3+, 1.0.7+ built with the
ngx_http_mp4_module (the module is not built by default) and
the “mp4” directive is used in a configuration file.
The problem is fixed in 1.1.19, 1.0.15.
Patch for the problem can be found here:
http://nginx.org/download/patch.2012.mp4.txt
Maxim D.