Maxim Dounin
2013-May-07 11:30 UTC
[nginx-ru-announce] nginx security advisory (CVE-2013-2028)
Hello!

Greg MacManus of iSIGHT Partners Labs found a security problem in several recent versions of nginx. When processing a specially crafted request, the stack of a worker process could be overwritten, which could lead to arbitrary code execution (CVE-2013-2028).

The problem affects nginx versions 1.3.9 - 1.4.0.

The problem is fixed in nginx 1.5.0, 1.4.1.

A patch that fixes the problem is available here:

http://nginx.org/download/patch.2013.chunked.txt

As a temporary protection, a configuration of the following form can be used in each server{} block:

    if ($http_transfer_encoding ~* chunked) {
        return 444;
    }

-- 
Maxim Dounin
http://nginx.org/en/donation.html