Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

"it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks"

Full details and some mitigation strategies are available in their paper:
http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:
http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:
http://trac.nginx.org/nginx/changeset/5841/nginx

External References:
http://bh.ht.vc/vhost_confusion.pdf
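As an added illustration (not from the bug report or the nginx project), the configuration pattern the changelog describes beside a per-server variant that keeps session state from being shared between origins; the two http{} fragments are alternatives, not one file, and the hostnames, paths and cache names are placeholders.

```nginx
# Constructed example, not from the bug report or nginx. Hostnames, paths
# and cache names are placeholders.

# --- Affected pattern on an unpatched release: one shared cache and one
# ticket key inherited by every server block, so a session established
# with a.example.test can be resumed in the context of b.example.test.
http {
    ssl_session_cache       shared:SSL:10m;
    ssl_session_ticket_key  /etc/nginx/tls/shared_ticket.key;

    server {
        listen 443 ssl;
        server_name a.example.test;
        ssl_certificate     /etc/nginx/tls/a.crt;
        ssl_certificate_key /etc/nginx/tls/a.key;
    }
    server {
        listen 443 ssl;
        server_name b.example.test;
        ssl_certificate     /etc/nginx/tls/b.crt;
        ssl_certificate_key /etc/nginx/tls/b.key;
    }
}

# --- Mitigated pattern: each server block gets its own cache name and its
# own ticket key, so neither mechanism carries a session across origins.
# "ssl_session_tickets off;" (nginx 1.5.9+) is an alternative to separate
# ticket keys if ticket-based resumption is not needed.
http {
    server {
        listen 443 ssl;
        server_name a.example.test;
        ssl_certificate         /etc/nginx/tls/a.crt;
        ssl_certificate_key     /etc/nginx/tls/a.key;
        ssl_session_cache       shared:SSL_a:1m;
        ssl_session_ticket_key  /etc/nginx/tls/a_ticket.key;
    }
    server {
        listen 443 ssl;
        server_name b.example.test;
        ssl_certificate         /etc/nginx/tls/b.crt;
        ssl_certificate_key     /etc/nginx/tls/b.key;
        ssl_session_cache       shared:SSL_b:1m;
        ssl_session_ticket_key  /etc/nginx/tls/b_ticket.key;
    }
}
```

Upgrading to the fixed releases named above is the actual fix; the split configuration only limits what an unpatched instance shares between hosts.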
Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1142575]
Affects: epel-all [bug 1142576]
nginx-1.6.2-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.4.7-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.4.7-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.6.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue affected the nginx14-nginx packages as shipped in Red Hat Software Collections 1. This collection was replaced by the nginx16 collection in Red Hat Software Collections 1.2, which includes a fix for this issue. The nginx14-nginx packages are no longer supported and will not be fixed.

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes
https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-Migration.html#sect-Migration-Migrate_nginx
nginx-1.0.15-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.