oss-sec mailing list archives

Re: CVEs for nginx


From: Igor Sysoev <igor () sysoev ru>
Date: Mon, 23 Nov 2009 16:12:44 +0300

On Mon, Nov 23, 2009 at 12:12:53PM +0100, Jan Lieskovsky wrote:

> Hi Igor,
>
> Igor Sysoev wrote:
> > As far as I know - no.
>
>   Josh, could you allocate one then?
>
> > This bug was fixed in 0.8.17 and 0.7.63:
> >
> > Changes with nginx 0.8.17                                        28 Sep 2009
> >
> >     *) Security: now "/../" are disabled in "Destination" request header
> >        line.
> >
> > Changes with nginx 0.7.63                                        26 Oct 2009
> >
> >     *) Security: now "/../" are disabled in "Destination" request header
> >        line.
> >
> > There is no patch, however, I can create it for you.
>
>   That would be perfect.

The patch attached.


-- 
Igor Sysoev
http://sysoev.ru/en/

Attachment: patch.dest.txt