Bug 821184 (CVE-2013-2070) - VUL-0: nginx: CVE-2013-2070: Memory disclosure with specially crafted HTTP backend responses
Summary: VUL-0: nginx: CVE-2013-2070: Memory disclosure with specially crafted HTTP ba...
Status: VERIFIED FIXED
Alias: CVE-2013-2070
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Stefan Schubert
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-22 10:35 UTC by Alexander Bergmann
Modified: 2019-02-06 15:46 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2013-05-22 10:35:42 UTC 
Public via nginx.org:

http://nginx.org/en/security_advisories.html
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
--------------
A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to 
untrusted upstream HTTP servers is used.

The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server.

The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.

The problem is already fixed in nginx 1.5.0, 1.4.1.  Version 1.2.9
was released to address the issue in the 1.2.x legacy branch.

Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:

http://nginx.org/download/patch.2013.chunked.txt

Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
can be found here:

http://nginx.org/download/patch.2013.proxy.txt
--------------

Not vulnerable: 1.5.0+, 1.4.1+, 1.2.9+
Vulnerable: 1.1.4-1.2.8, 1.3.9-1.4.0

Fixes:

(for 1.3.9-1.4.0)
http://nginx.org/download/patch.2013.chunked.txt
http://nginx.org/download/patch.2013.chunked.txt.asc

(for 1.1.4-1.2.8)
http://nginx.org/download/patch.2013.proxy.txt
http://nginx.org/download/patch.2013.proxy.txt.asc
Comment 1 Swamp Workflow Management 2013-05-22 22:00:10 UTC 
bugbot adjusting priority
Comment 2 Forgotten User 0kSNykd7IH 2013-05-24 13:02:16 UTC 
update to 1.2.9 at server:http committed (auto-submit to factory)

maintenance update from 1.2.6 to 1.2.9 for openSUSE 12.3 submitted: mr#176508
Comment 3 Forgotten User 0kSNykd7IH 2013-05-24 13:19:53 UTC 
factory has issues with passenger, so that might delay it a bit...
Comment 4 Bernhard Wiedemann 2013-05-24 14:00:07 UTC 
This is an autogenerated message for OBS integration:
This bug (821184) was mentioned in
https://build.opensuse.org/request/show/176508 Maintenance /
Comment 5 Stefan Schubert 2013-05-27 06:51:07 UTC 
As far I see we have nginx-1.0-1.0.15-0.5.39 on SLES. So it should be not
affected.
Thanks Marcel for taking care the openSUSE branch !!!
Comment 6 Swamp Workflow Management 2013-06-14 09:08:35 UTC 
openSUSE-SU-2013:1015-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 821184
CVE References: CVE-2013-2070
Sources used:
openSUSE 12.3 (src):    nginx-1.2.9-3.4.1
Comment 7 Alexander Bergmann 2013-06-24 08:32:15 UTC 
released.
Comment 8 Alexander Bergmann 2013-06-24 08:33:12 UTC 
Closing bug.