Portaudit claims nginx 1.2.x vulnerable

Xin Li delphij at delphij.net
Thu May 16 22:36:30 UTC 2013



Hi, Michael,

On 05/16/13 15:04, Michael Gmelin wrote:
> Hi,
> 
> I just noticed that portaudit considers www/nginx >=1.2.0,1
> <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> preventing installation:
> 
> http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
> 
> According to the announcement on the nginx mailing list, only
> versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
> 
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html 
> and the fix in nginx trac 
> http://trac.nginx.org/nginx/changeset/5189/nginx
> 
> I just checked the source of 1.2.8 (the current version in ports, 
> www/nginx) and it doesn't even contain the affected functionality,
> nor the affected function implementing it (ngx_http_parse_chunked).
> This is in line with additional media and bugtracker coverage:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=960605 
> http://www.openwall.com/lists/oss-security/2013/05/07/3 
> http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> 
> http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
> 
> Long story short: I would kindly ask you to correct the entry in
> the portaudit database to match only affected versions of nginx.

I have taken a look at these and found this:

http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

I'll update the vuxml entry to include this information.

Cheers,
-- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
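As an added illustration that is not part of either message: a small Python checker that applies FreeBSD package-version ordering (epoch after `,`, PORTREVISION after `_`, dotted numeric components) to the two ranges discussed above, showing that the port's 1.2.8,1 falls inside the portaudit range but outside the range from the nginx announcement. The portaudit range is the one Michael quotes; writing the announced range as `>=1.3.9,1 <1.4.1,1` (with the port epoch) and ignoring letter or pre-release suffixes are my assumptions.

```python
import re

def parse_pkg_version(v):
    """Split a FreeBSD package version such as '1.4.0_1,1' into
    (epoch, numeric components, portrevision).  The epoch after ','
    dominates the comparison; PORTREVISION after '_' breaks ties.
    Assumption: no letter or pre-release suffixes are handled."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    parts = tuple(int(x) for x in v.split("."))
    return epoch, parts, rev

def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (pkg_version style).
    Missing trailing components count as 0, so 1.2 == 1.2.0."""
    ea, pa, ra = parse_pkg_version(a)
    eb, pb, rb = parse_pkg_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    ka, kb = (ea, pa, ra), (eb, pb, rb)
    return (ka > kb) - (ka < kb)

# Comparison operators as printed in a portaudit/vuxml range.
OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
       "<=": lambda c: c <= 0, "<": lambda c: c < 0, "=": lambda c: c == 0}

def parse_range(spec):
    """'>=1.2.0,1 <1.4.1,1' -> [('>=', '1.2.0,1'), ('<', '1.4.1,1')]"""
    return re.findall(r"(>=|<=|>|<|=)\s*(\S+)", spec)

def affected(installed, spec):
    """True when the installed version satisfies every bound in spec."""
    return all(OPS[op](compare(installed, ver)) for op, ver in parse_range(spec))

PORTAUDIT_RANGE = ">=1.2.0,1 <1.4.1,1"   # range quoted from portaudit above
ANNOUNCED_RANGE = ">=1.3.9,1 <1.4.1,1"   # announced range, epoch ',1' assumed

if __name__ == "__main__":
    for v in ["1.2.8,1", "1.3.9,1", "1.4.0_1,1", "1.4.1,1"]:
        print(v, affected(v, PORTAUDIT_RANGE), affected(v, ANNOUNCED_RANGE))
```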
