Portaudit claims nginx 1.2.x vulnerable

Michael Gmelin freebsd at grem.de
Thu May 16 22:57:25 UTC 2013 

On Thu, 16 May 2013 15:36:28 -0700
Xin Li <delphij at delphij.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi, Michael,
> 
> On 05/16/13 15:04, Michael Gmelin wrote:
> > Hi,
> > 
> > I just noticed that portaudit considers www/nginx >=1.2.0,1
> > <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> > preventing installation:
> > 
> > http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
> >
> >  According to the announcement on the nginx mailing list, only
> > versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
> > 
> > http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html 
> > and the fix in nginx trac 
> > http://trac.nginx.org/nginx/changeset/5189/nginx
> > 
> > I just checked the source of 1.2.8 (the current version in ports, 
> > www/nginx) and it doesn't even contain the affected functionality,
> > nor the affected function implementing it (ngx_http_parse_chunked).
> > This is in line with additional media and bugtracker coverage:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=960605 
> > http://www.openwall.com/lists/oss-security/2013/05/07/3 
> > http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> >
> > 
> http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
> > 
> > Long story short: I would kindly ask you to correct the entry in
> > the portaudit database to match only affected versions of nginx.
> 
> I have took a look at these and found this:
> 
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
> 
> I'll update the vuxml entry to include these information.
> 
> Cheers,

Hi Xin,

I missed that nginx got updated to 1.4.0 and now 1.4.1,1 - seems like
I've been working on an old copy of the ports tree. So recovering from
this should be easy for users and at the same time my statement about
the current version in the ports tree being 1.2.8 was clearly wrong.

Anyway, thanks for the clarification, so basically CVE-2013-2070 and
CVE-2013-2028 got mixed up (the former affecting only certain setups
while the latter affecting everybody in a severe way unless they took
special measures to harden their setup).

Cheers & thanks for your swift response,
Michael

-- 
Michael Gmelin

More information about the freebsd-ports mailing list