oss-sec mailing list archives

Re: CVEs for nginx


From: Josh Bressers <bressers () redhat com>
Date: Mon, 23 Nov 2009 14:20:23 -0500 (EST)

----- "Craig" <craig () haquarter de> wrote:


> 1.) nginx webdav: http://secunia.com/advisories/36818/

Let's use CVE-2009-3898 for this one:

CVE-2009-3898

nginx versions before 0.8.17 and 0.7.63 contain a directory traversal flaw in
the WebDAV component. A user with COPY or MOVE permissions could place
files outside the WebDAV root.

http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0379.html
http://secunia.com/advisories/36818/
http://marc.info/?l=oss-security&m=125900327409842&w=2


> 2.) nginx Null Pointer dereference:
> http://sysoev.ru/nginx/patch.null.pointer.txt

This is CVE-2009-3896


> 3.) nginx SSL Renegotiation:
> http://sysoev.ru/nginx/patch.cve-2009-3555.txt
>
> I know the last one contains a CVE number; nginx uses OpenSSL and the
> patch will disable renegotiation. Maybe this deserves its own CVE?


We'll use the same ID. mod_ssl did a similar thing and used CVE-2009-3555. I
think multiple IDs in this instance would actually create more confusion than
they would solve.

Thanks.

-- 
    JB
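As an added, defender-side illustration of the path-containment check that the CVE-2009-3898 description above implies (example code written for this archive page, not nginx's own code and not from either poster): it resolves the Destination of a WebDAV COPY/MOVE request against an assumed WebDAV root of /srv/webdav and refuses any destination that would land outside it.

```python
"""Containment check for WebDAV COPY/MOVE destinations (illustrative, not nginx)."""
import posixpath
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed WebDAV root for this example; nginx would take it from its config.
WEBDAV_ROOT = "/srv/webdav"


def resolve_destination(destination: str, root: str = WEBDAV_ROOT) -> Optional[str]:
    """Map a COPY/MOVE Destination header value to a filesystem path under root.

    Returns the canonical target path, or None if the destination is not an
    absolute path/URI or would escape the WebDAV root. Symlinks inside the
    root are out of scope here (posixpath never touches the filesystem).
    """
    root = posixpath.normpath(root)
    # RFC 4918 allows Destination to be an absolute URI or an absolute path;
    # only the path component decides where the resource lands.
    path = urlsplit(destination).path
    # Decode percent-encoding once so "%2e%2e" and "%2f" are seen as ".." and
    # "/" before normalisation; a second layer ("%252e") stays a literal name.
    path = unquote(path)
    if not path.startswith("/") or "\x00" in path:
        return None
    # Anchor the path below the root FIRST, then collapse "." and ".." segments.
    # Doing it in this order means any ".." that climbs past the root shows up
    # as a target outside the root instead of being silently absorbed.
    target = posixpath.normpath(root + path)
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def check_copy_move(source_uri: str, destination: str) -> Optional[str]:
    """Apply the same containment rule to both ends of a COPY/MOVE request."""
    src = resolve_destination(source_uri)
    dst = resolve_destination(destination)
    if src is None or dst is None:
        return None
    return dst


if __name__ == "__main__":
    # Constructed sample requests: the last two are traversal attempts.
    for dest in ("/docs/report.txt", "http://dav.example/docs/../archive/r.txt",
                 "/docs/../../etc/passwd", "/docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{dest!r:55} -> {resolve_destination(dest)}")
```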
