Portaudit claims nginx 1.2.x vulnerable
Michael Gmelin
freebsd at grem.de
Thu May 16 22:11:21 UTC 2013
Hi,
I just noticed that portaudit considers www/nginx >=1.2.0,1 <1.4.1,1 to
be affected by CVE-2013-2028, creating noise and preventing
installation:
http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
According to the announcement on the nginx mailing list, only versions
of nginx >= 1.3.9 < 1.4.1,1 should be affected:
http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
and the fix in nginx trac
http://trac.nginx.org/nginx/changeset/5189/nginx
I just checked the source of 1.2.8 (the current version in ports,
www/nginx) and it doesn't even contain the affected functionality, nor
the affected function implementing it (ngx_http_parse_chunked). This is
in line with additional media and bugtracker coverage:
https://bugzilla.redhat.com/show_bug.cgi?id=960605
http://www.openwall.com/lists/oss-security/2013/05/07/3
http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
Long story short: I would kindly ask you to correct the entry in the
portaudit database to match only affected versions of nginx.
Cheers,
Michael
--
Michael Gmelin
More information about the freebsd-ports
mailing list