Bugzilla – Bug 797033
VUL-1: nginx: http proxy module does not verify peer identity of https origin server
Last modified: 2015-02-18 07:57:28 UTC
Via oss-sec:

Date: Thu, 03 Jan 2013 10:36:20 -0500
From: Daniel Kahn Gillmor
To: oss-security

nginx offers the ability for its http proxy module to talk to an origin server over https. However, it does not verify the identity of the origin server in this case, which leaves it subject to MITM attacks between the proxy and the origin server.

Sadly, this appears to be unfixed for over a year after it was first reported:

http://trac.nginx.org/nginx/ticket/13

some patch review starts over here, but doesn't seem to reach any resolution:

http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

As far as i can tell, there is no CVE assigned for this yet.

--dkg
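An added example, not part of the bug report or of nginx itself: a small audit script that flags every `proxy_pass https://...` for which origin certificate verification is not in effect. It assumes the `proxy_ssl_verify` directive (default `off`, available since nginx 1.7.0, so not in the 0.8 and 1.0 packages named in this bug) and uses a simplified parser that does not follow `include` files or handle braces inside regex locations.

```python
import re

TOKEN = re.compile(r"#[^\n]*|\"[^\"]*\"|'[^']*'|[{};]|[^\s{};#\"']+")

def parse(text):
    """Parse nginx config text into nested (args, children) directives."""
    stack, args = [[]], []
    for tok in (t for t in TOKEN.findall(text) if t[0] != "#"):  # drop comments
        if tok == ";":
            stack[-1].append((args, None))       # simple directive
        elif tok == "{":
            stack[-1].append((args, []))         # block directive
            stack.append(stack[-1][-1][1])       # descend into its children
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok.strip("\"'"))
            continue
        args = []
    return stack[0]

def unverified_upstreams(block, inherited=False, path=()):
    """List (context, url) for each https proxy_pass where proxy_ssl_verify is not on."""
    verify = inherited                           # nginx default is off
    for args, _ in block:                        # a setting covers its whole block
        if args[:1] == ["proxy_ssl_verify"] and len(args) > 1:
            verify = args[1] == "on"
    found = []
    for args, children in block:
        if children is not None:                 # nested blocks inherit the setting
            found += unverified_upstreams(children, verify, path + (" ".join(args),))
        elif args[:1] == ["proxy_pass"] and args[-1].startswith("https://") and not verify:
            found.append((" > ".join(path), args[-1]))
    return found

SAMPLE = """
http {  # constructed sample; hostnames are placeholders
  server {
    location /api/  { proxy_pass https://origin.example.internal; }
    location /safe/ { proxy_pass https://origin.example.internal; proxy_ssl_verify on; }
  }
  server {
    proxy_ssl_verify on;
    location /     { proxy_pass https://origin2.example.internal; }
    location /old/ { proxy_ssl_verify off; proxy_pass https://legacy.example.internal; }
  }
}
"""
print(*unverified_upstreams(parse(SAMPLE)), sep="\n")
```

With `proxy_ssl_verify on`, nginx also needs `proxy_ssl_trusted_certificate` pointing at the CA bundle for the origin; without it, verification fails closed rather than silently passing.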
CVE-2011-4968 Probably something for factory.
bugbot adjusting priority
We have it just in openSUSE and it's already fixed.
No, nginx is also on SLE nginx-0.8 and nginx-1.0