Hide Forgot
It was reported [1] that nginx suffered from a flaw where an attacker could bypass security restrictions in certain configurations due to how the HTTP request parser handled URI's with an unescaped space character. This problem affects nginx 0.8.41 through to 1.5.6; new 1.5.7 and 1.4.4 releases are available to correct this. A patch [2] also exists for older versions. As a temporary workaround the following configuration can be used in each server{} block: if ($request_uri ~ " ") { return 444; } [1] http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html [2] http://nginx.org/download/patch.2013.space.txt
Created nginx tracking bugs for this issue: Affects: fedora-all [bug 1032267] Affects: epel-5 [bug 1032269] Affects: epel-6 [bug 1032270]
nginx-1.4.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.4.4-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nginx-0.8.55-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
nginx-1.0.15-11.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.