Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201206-07 ] nginx: User-assisted execution of arbitrary code
Date: Thu, 21 Jun 2012 10:39:42
Message-Id: 4FE2F7F9.4070305@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: nginx: User-assisted execution of arbitrary code
Date: June 21, 2012
Bugs: #411751
ID: 201206-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in nginx could result in the execution
of arbitrary code.

Background
==========

nginx is a robust, small, and high-performance HTTP and reverse proxy
server.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/nginx < 1.0.15 >= 1.0.15

Description
===========

An error in ngx_http_mp4_module.c could cause a buffer overflow.

NOTE: nginx must have been emerged with USE="nginx_modules_http_mp4" in
order to be affected by this vulnerability.
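As an added check that is not part of the GLSA, the POSIX shell script below classifies an nginx build against the affected set described above (version below 1.0.15 and built with the mp4 module) from the text that `nginx -V` prints. It assumes that USE="nginx_modules_http_mp4" shows up as --with-http_mp4_module in the configure arguments; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not part of the GLSA: classify an nginx build against
# GLSA 201206-07 from the text that `nginx -V` prints. A build is in the
# affected set when its version is below 1.0.15 AND it was compiled with
# the mp4 module (assumption: USE="nginx_modules_http_mp4" appears as
# --with-http_mp4_module in the configure arguments).

# version_lt A B: return 0 (true) when dotted version A is strictly lower
# than B; missing trailing fields count as 0, so 1.0 equals 1.0.0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# nginx_affected TEXT: TEXT is the output of `nginx -V` (nginx writes it to
# stderr, so capture it with 2>&1). Prints and returns: affected (0),
# "not affected" (1), or unknown (2) when no version line is found.
nginx_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    if version_lt "$ver" 1.0.15; then
        case $1 in
            *--with-http_mp4_module*) echo affected; return 0 ;;
        esac
    fi
    echo "not affected"
    return 1
}

# Constructed sample outputs (not taken from a real host).
SAMPLE_VULN='nginx version: nginx/1.0.14
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_mp4_module'
SAMPLE_NOMP4='nginx version: nginx/1.0.14
configure arguments: --prefix=/usr --with-http_ssl_module'
SAMPLE_FIXED='nginx version: nginx/1.0.15
configure arguments: --prefix=/usr --with-http_mp4_module'

for s in "$SAMPLE_VULN" "$SAMPLE_NOMP4" "$SAMPLE_FIXED"; do
    nginx_affected "$s" || :
done
```

To check a real host, source the script and run `nginx_affected "$(nginx -V 2>&1)"`.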

Impact
======

A remote attacker could entice a user to place a specially crafted MP4
file on the nginx server, possibly resulting in execution of arbitrary
code with the privileges of the process or a Denial of Service
condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nginx users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.0.15"

References
==========

[ 1 ] CVE-2012-2089
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2089

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201206-07.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
