Bug 962525 (CVE-2013-2070)

Summary: CVE-2013-2070 nginx: denial of service or memory disclosure when using proxy_pass
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: affix, jamielinux, jeremy, jlieskov, pavel.lisy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20130513,reported=20130513,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,fedora-18/nginx=affected,fedora-17/nginx=notaffected,epel-all/nginx=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-05-30 06:59:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 962526    
Bug Blocks:    

Description Vincent Danen 2013-05-13 18:53:43 UTC
A similar security issue to CVE-2013-2028 was identified [1] for versions of nginx if proxy_pass to untrusted upstream HTTP servers are used, which could lead to a denial of service or a disclosure of a worker process' memory.

The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0 and was assigned the name CVE-2013-2070, so only Fedora 18 is affected.

http://nginx.org/download/patch.2013.proxy.txt

[1] http://www.openwall.com/lists/oss-security/2013/05/13/3

Comment 1 Vincent Danen 2013-05-13 18:54:28 UTC
Created nginx tracking bugs for this issue

Affects: fedora-18 [bug 962526]

Comment 2 Jan Lieskovsky 2013-05-22 13:05:26 UTC
nginx-announce ML post:
  http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

Comment 3 Fedora Update System 2013-05-23 12:24:11 UTC
nginx-1.2.9-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.