oss-sec mailing list archives
Re: CVEs for nginx
From: Josh Bressers <bressers () redhat com>
Date: Mon, 23 Nov 2009 14:20:23 -0500 (EST)
----- "Craig" <craig () haquarter de> wrote:

> 1.) nginx webdav: http://secunia.com/advisories/36818/

Let's use CVE-2009-3898 for this one:

CVE-2009-3898 nginx versions before 0.8.17 and 0.7.63 contain a directory traversal flaw in the webdav component. A user who has COPY or MOVE permissions could place files outside the webdav root.

http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0379.html
http://secunia.com/advisories/36818/
http://marc.info/?l=oss-security&m=125900327409842&w=2

> 2.) nginx Null Pointer dereference: http://sysoev.ru/nginx/patch.null.pointer.txt

This is CVE-2009-3896

> 3.) nginx SSL Renegotiation: http://sysoev.ru/nginx/patch.cve-2009-3555.txt
> I know the last one contains a CVE number, nginx uses openssl and the patch will disable renegotiation, maybe this deserves its own CVE?

We'll use the same ID. mod_ssl did a similar thing and used CVE-2009-3555. I think multiple IDs in this instance would actually create more confusion than it would solve.

Thanks.

--
JB