16 comments

[ 2.0 ms ] story [ 53.2 ms ] thread
Am I right in interpreting this as only a vulnerability if you use Nginx to proxy to an untrusted server (i.e. not yours) where specially formatted responses can compromise your Nginx?

It would seem to me that this is a particularly rare use case of nginx?

I suppose shared web hosts and services like CloudFlare are the types of implementation that may be affected.

Yes, you interpret it correctly.

It's not that common, but I know at least an app using nginx in that way, and it was performing very well.

Yes but this can be exploited if a trusted backend server (which is much more common) gets compromised. Basically if you have nginx in front of Node and you manage to execute arbitrary code in Node you could use this as an attack vector to compromise nginx which could act as a front-end to a whole lot of other things.
Note that's for Debian distribution.

Patched source was actually posted back on May 7th and 13th for people who compile their own builds.

   2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released, 
   with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0, 
   discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028). 

   2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information 
   disclosure security problem in some previous nginx versions (CVE-2013-2070).
Well, debian guys are so slow. It's the most unsecure and unstable distribution.
And, thankfully, all the current packages in Debian are either unaffected or it's been patched :)
Just a PSA for people running Debian servers: Subscribe to the debian-security-announce list[1] and you'll get these notices in your inbox rather than at the top of Hacker News. I got an email Sunday afternoon so when I saw this I thought ... another vulnerability, already?!

[1] http://lists.debian.org/debian-security-announce/