Maxim Dounin
2013-May-07 11:30 UTC
[nginx-ru-announce] nginx security advisory (CVE-2013-2028)
Hello!
Greg MacManus of iSIGHT Partners Labs discovered a security
problem in several recent versions of nginx. When processing a
specially crafted request, the stack of a worker process could be
overwritten, which could lead to arbitrary code execution
(CVE-2013-2028).

The problem affects nginx versions 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

A patch that fixes the problem is available here:
http://nginx.org/download/patch.2013.chunked.txt

As a temporary protection, a configuration like the following
can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

--
Maxim Dounin
http://nginx.org/en/donation.html