CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AI Score: 7.3 High (Confidence: Low)
EPSS: 0.024 Low (Percentile: 90.0%)
Hi.
I uploaded new packages for nginx which fixed the following security
problems:
CVE-2012-2089 - nginx - arbitrary code execution in mp4
pseudo-streaming module
A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.
This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.
For the squeeze-backports distribution the problems have been fixed in
version 1.1.19-1~bpo60+1
For wheezy (testing) and sid (unstable) this was fixed in version 1.1.19-1
Squeeze (stable) is not vulnerable to this security issue.
Thanks.
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 7 | all | nginx | < 1.1 | nginx_1.1_all.deb |
Debian | 6 | all | nginx | < 1.1 | nginx_1.1_all.deb |
Debian | 999 | all | nginx | < 1.1 | nginx_1.1_all.deb |
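
A check for the two conditions named in the announcement above (an affected upstream version and an active "mp4" directive), as an added example that is not part of the original announcement or of nginx. The function names and the sample config are constructed; the lower bounds are treated as inclusive and the 1.1.x upper bound is taken as 1.1.19, the version the fixed Debian packages above carry, and both choices are assumptions.

```python
import re

# Affected upstream ranges: lower bound inclusive, upper bound exclusive.
# Assumption: 1.1.x is treated as fixed from 1.1.19 (the fixed Debian package version).
AFFECTED_RANGES = [
    ((1, 0, 7), (1, 0, 15)),
    ((1, 1, 3), (1, 1, 19)),
]

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
    location /old/ {
        # mp4;
        root /srv/mp4;
    }
}
"""

def upstream_version(text):
    """Extract (major, minor, patch) from `nginx -v` output or a Debian package version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no nginx version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def version_in_affected_range(version):
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def mp4_directive_lines(config_text):
    """Return 1-based line numbers that carry an active `mp4;` directive."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        active = line.split("#", 1)[0]  # naive comment strip; ignores '#' inside quotes
        # Match `mp4;` only at the start of a statement, not mp4_buffer_size or paths.
        if re.search(r"(?:^|[;{}])\s*mp4\s*;", active):
            hits.append(lineno)
    return hits

def assess(version_text, config_text):
    version = upstream_version(version_text)
    lines = mp4_directive_lines(config_text)
    affected = version_in_affected_range(version)
    return {"version": version, "version_affected": affected,
            "mp4_lines": lines, "exposed": affected and bool(lines)}

if __name__ == "__main__":
    print(assess("nginx version: nginx/1.1.18", SAMPLE_CONF))
```

Feed it the output of `nginx -v` and the text of each configuration file, including files pulled in by `include`, since the directive may be set outside the main file.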