
Vulnerability in nginx
Vulnerability allows execution of arbitrary code on the target system.
An unscheduled update of the nginx server to version 1.4.1 has been released, which eliminates the vulnerability CVE-2013-2028 allowing the execution of arbitrary code on the target system.
The vulnerability can lead to overwriting areas of the worker process stack when processing specially crafted chunked requests. The flaw is present in nginx versions 1.3.9 and 1.4.0.
A corresponding update was also issued for the FreeBSD ports of nginx 1.4.0.
As an additional mitigation, the vendor suggests disabling the processing of chunked requests in each server {} block as follows:
if ($http_transfer_encoding ~* chunked) {
    return 444;
}
We encourage our readers to fix the vulnerability as soon as possible.
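The defect described above is a boundary error in the parsing of chunk sizes: a declared size that is not bounds-checked feeds a length calculation and a stack buffer is overrun. The following is an added example, not nginx code and not part of the advisory, showing the defensive shape of such a parser: every hex digit is checked against a limit as it is accumulated, declared sizes are verified against the bytes actually present, and the total decoded size is capped. It also includes a helper that flags a Server header naming an nginx version in the affected range 1.3.9 to 1.4.0 given by the advisory. The limits MAX_CHUNK_SIZE and MAX_BODY_SIZE and the sample inputs are constructed for this example.

```python
import re

# Constructed limits for this example; a real server chooses its own.
MAX_CHUNK_SIZE = 2**31 - 1         # largest single chunk accepted
MAX_BODY_SIZE = 16 * 1024 * 1024   # cap on the total decoded body

HEX_DIGITS = b"0123456789abcdefABCDEF"

# Affected version range as stated in the advisory (inclusive).
AFFECTED_RANGE = ((1, 3, 9), (1, 4, 0))


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line (e.g. b"1a;ext=val"), CRLF already stripped.

    The value is accumulated digit by digit and compared with MAX_CHUNK_SIZE
    after each step, so an over-long digit string is rejected before it can
    wrap or exceed the limit.
    """
    size_field = line.split(b";", 1)[0].strip()   # drop chunk extensions
    if not size_field:
        raise ValueError("empty chunk size")
    value = 0
    for ch in size_field:                           # ch is an int (byte value)
        if ch not in HEX_DIGITS:
            raise ValueError("non-hex character in chunk size")
        value = value * 16 + int(chr(ch), 16)
        if value > MAX_CHUNK_SIZE:
            raise ValueError("chunk size exceeds limit")
    return value


def decode_chunked_body(data: bytes) -> bytes:
    """Decode a complete chunked body, never trusting a declared size.

    Raises ValueError on malformed or truncated input; returns the payload.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            raise ValueError("truncated chunk-size line")
        size = parse_chunk_size(data[pos:eol])
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer fields end with an empty line
            if data.find(b"\r\n\r\n", pos - 2) == -1:
                raise ValueError("truncated trailer section")
            return bytes(out)
        if len(out) + size > MAX_BODY_SIZE:
            raise ValueError("decoded body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) != size:                      # declared size vs. bytes present
            raise ValueError("truncated chunk data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        out += chunk
        pos += size + 2


def is_affected_nginx(server_header: str) -> bool:
    """True if a Server header names an nginx version inside AFFECTED_RANGE."""
    m = re.fullmatch(r"\s*nginx/(\d+)\.(\d+)\.(\d+)\s*", server_header)
    if not m:
        return False
    version = tuple(int(x) for x in m.groups())
    return AFFECTED_RANGE[0] <= version <= AFFECTED_RANGE[1]


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; convenience for checks below."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample body: two chunks followed by the last-chunk marker.
    body = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    print(decode_chunked_body(body))                        # b'Wikipedia'
    print(rejects(parse_chunk_size, b"FFFFFFFFFFFFFFFF"))  # True: over limit
    print(rejects(decode_chunked_body, b"4\r\nWi"))         # True: truncated
    print(is_affected_nginx("nginx/1.4.0"))                 # True
    print(is_affected_nginx("nginx/1.4.1"))                 # False
```

The per-digit limit check is the point: a parser that first converts the whole digit string and only then compares it has already produced a value that may have wrapped in a fixed-width integer, which is the class of error the advisory describes. The version helper is only an inventory aid; a patched build or a vendor backport may report a version string inside the range, so treat it as a prompt to verify rather than a final answer.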
Buffer overflow in nginx: Vulnerability description
Severity: High
Fix available: Yes
The number of vulnerabilities: 1
CVE ID: CVE-2013-2028
Attack vector: Remote
Impact: System Compromise
Affected products: nginx 1.4.x
Affected versions: nginx version 1.3.9 – 1.4.0
Description:
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability is caused by a boundary error when processing HTTP data in the function ngx_http_parse_chunked() in the file http/ngx_http_parse.c. This can be exploited to execute arbitrary code on the target system.
Vendor URL: nginx.org
Solution: Update to version 1.4.1 or 1.5.0 from the vendor's website.
Links:
http://nginx.org/en/security_advisories.html
http://www.openwall.com/lists/oss-security/2013/05/07/3