
[BSA-069] Security Update for NGINX



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

I uploaded new packages for nginx which fix the following security
problems:

CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module

A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.

This has been corrected in upstream versions 1.0.15 and 1.1.9, and only
affected versions newer than 1.1.3 and 1.0.7 that were built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.

For the squeeze-backports distribution the problems have been fixed in
version

    1.1.19-1~bpo60+1

For wheezy (testing) and sid (unstable) this was fixed in version

    1.1.19-1

Squeeze (stable) is not vulnerable to this security issue.

Thanks.

- -- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
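
One way to check a host for the two preconditions the advisory names (nginx built with ngx_http_mp4_module, and the "mp4" directive set), as an added example that is not part of the original message. It assumes the text printed by `nginx -V` and the configuration text are passed in as strings; the function names are hypothetical and the sample input is constructed.

```python
import re

MP4_FLAG = "--with-http_mp4_module"  # configure flag that compiles the module in

def parse_nginx_v(output):
    """Return (version tuple or None, built_with_mp4) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+(?:\.\d+)*)", output)
    version = tuple(int(p) for p in m.group(1).split(".")) if m else None
    return version, MP4_FLAG in output.split()

def strip_comments(line):
    """Cut a '#' comment off one config line, ignoring '#' inside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def mp4_directive_lines(config_text):
    """1-based line numbers where the bare `mp4;` directive is active."""
    pattern = re.compile(r"(?:^|[{};])\s*mp4\s*;")
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if pattern.search(strip_comments(line))]

def check_exposure(nginx_v_output, config_text):
    """Report both preconditions; the version is returned for comparison."""
    version, built = parse_nginx_v(nginx_v_output)
    lines = mp4_directive_lines(config_text)
    return {"version": version, "module_built": built,
            "mp4_lines": lines, "preconditions_met": built and bool(lines)}

# Constructed sample input (not taken from a real host).
SAMPLE_V = ("nginx version: nginx/1.1.8\n"
            "configure arguments: --prefix=/etc/nginx --with-http_mp4_module\n")
SAMPLE_CONF = """\
http {
    server {
        location /docs/ { root "/srv/a#b"; }   # mp4; is off here
        location ~ \\.mp4$ {
            mp4;
        }
    }
}
"""

if __name__ == "__main__":
    print(check_exposure(SAMPLE_V, SAMPLE_CONF))
```

The check does not follow `include` directives, so each configuration file has to be passed to it; the returned version is meant to be compared against the fixed versions listed in the advisory.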

