Bug 717080
Summary: | nginx: possible arbitrary code execution with null bytes in URI [epel-4]
---|---
Product: | [Fedora] Fedora EPEL
Component: | nginx
Version: | el4
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Hardware: | All
OS: | Linux
Reporter: | Vincent Danen <vdanen>
Assignee: | Jeremy Hinegardner <jeremy>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | allisson, jeremy, neal
Keywords: | Security, SecurityTracking
Target Milestone: | ---
Target Release: | ---
Doc Type: | Release Note
Last Closed: | 2012-02-20 03:40:07 UTC
Bug Blocks: | 717078
Description
Vincent Danen
2011-06-27 22:02:25 UTC
Any possibility of nginx being updated in the near future? This has the potential of being very problematic for people who use nginx. Thanks.

Further details on this flaw will be published later this month, so it would also be ideal to have this corrected before then.

Yes, I should be able to get this taken care of early next week. Thanks for the prod.

Fantastic. Thank you!

FYI, the details were published at https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/

Chinese hackers appear to be particularly interested in this vulnerability. I would recommend trying to release a patched version ASAP.

This was pushed to stable back in September. Should we close this? https://admin.fedoraproject.org/updates/FEDORA-EPEL-2011-4281/nginx-0.8.55-1.el5

It looks like this should have been closed by bodhi but wasn't. Closing