It was reported [1],[2] that nginx does not verify the identity of an origin server when the http proxy module talks to that origin server over HTTPS. This could allow for a MITM attack between the proxy and the origin server. There are proposed patches attached to the upstream ticket, but as of yet this is not fixed in any release. [1] http://www.openwall.com/lists/oss-security/2013/01/03/4 [2] http://trac.nginx.org/nginx/ticket/13
Created nginx tracking bugs for this issue Affects: epel-all [bug 892032] Affects: fedora-all [bug 892033]
Upstream apparently do not consider this important enough to fix. Since the upstream bug was originally reported 2 yeas ago, closing as WONTFIX for now until upstream decide they want to patch it.
This has been fixed by upstream: http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004085.html http://mailman.nginx.org/pipermail/nginx-devel/2013-August/004128.html
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.