Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4487 to
the following vulnerability:
nginx 0.7.64 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.
 http://nginx.org/en/security_advisories.html contains record
An error log data are not sanitized
Not vulnerable: none
So looks, they are aware of it, but not planning to fix it.
In fact the impact of this issue against various versions of *term
package / binary, as shipped within Fedora release of 11 and 12,
because advisory  from References part above further references
(, , ,  links in ):
[a] --  Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability
This is #CVE-2008-2383, which is already fixed.
[b] --  Terminal Emulator Security Issues
The list of CNA's is pretty long, but similar as above.
[c] --  Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability
This is CVE-2003-0021, which was fixed in upstream Eterm 0.9.2 version
(current versions of Eterm package in Fedora are newer than this).
[d] --  RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability
This is CVE-2003-0022, which was fixed in upstream rxvt-v2.7.10 version
(ftp://ftp.rxvt.org/pub/rxvt/rxvt-2.7.10.tar.gz) and current rxvt
packages in Fedora and EPEL repositories are already v2.7.10 based.
So the issues, as mentioned in:
would be real issues only on very old (not updated) systems.
Just for completeness, here are the links to patches for the Cherokee
web server, as applied for the clone of the same issue (CVE-2009-4489)
I assume this means, since upstream nginx is not providing a fix at this time that we should not do anything?
I'm about package up 0.7.65 and want to check if we should do anything before then.
(In reply to Jan Lieskovsky from comment #1)
> So the issues, as mentioned in:
>  http://www.securityfocus.com/archive/1/archive/1/508830/100/0/threaded
> would be real issues only on very old (not updated) systems.
Upstream have been aware of this issue for years and have decided not to fix it. As stated in the quote above, it appears to only affect very old systems running vulnerable *term packages so there does not appear to be any significant consequences. I am therefore closing this bug.