Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-201203-22
HistoryMar 28, 2012 - 12:00 a.m.

nginx: Multiple vulnerabilities

2012-03-2800:00:00
Gentoo Foundation
security.gentoo.org
49

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.086 Low

EPSS

Percentile

94.4%

JSON

Background

nginx is a robust, small, and high performance HTTP and reverse proxy server.

Description

Multiple vulnerabilities have been found in nginx:

  • The TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555).
  • The “ngx_http_process_request_headers()” function in ngx_http_parse.c could cause a NULL pointer dereference (CVE-2009-3896).
  • nginx does not properly sanitize user input for the the WebDAV COPY or MOVE methods (CVE-2009-3898).
  • The “ngx_resolver_copy()” function in ngx_resolver.c contains a boundary error which could cause a heap-based buffer overflow (CVE-2011-4315).
  • nginx does not properly parse HTTP header responses which could expose sensitive information (CVE-2012-1180).

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the nginx process, cause a Denial of Service condition, create or overwrite arbitrary files, or obtain sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All nginx users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.0.14"
OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-servers/nginx< 1.0.14UNKNOWN

Related

nessus 55
openvas 72
fedora 14
cve 5
ubuntucve 4
seebug 6
nginx 4
debiancve 4
suse 3
prion 4
amazon 2
redhatcve 1
securityvulns 5
debian 5
altlinux 2
redhat 2
ubuntu 4
mozilla 1
hackerone 2
veracode 1
fortinet 1
slackware 1
oraclelinux 1
nessus
nessus
GLSA-201203-22 : nginx: Multiple vulnerabilities
2012-06-21 00:00:00
Fedora 11 : nginx-0.7.64-1.fc11 (2009-12782)
2009-12-08 00:00:00
Fedora 12 : nginx-0.7.64-1.fc12 (2009-12750)
2009-12-08 00:00:00
openvas
openvas
Gentoo Security Advisory GLSA 201203-22 (nginx)
2012-04-30 00:00:00
Gentoo Security Advisory GLSA 201203-22 (nginx)
2012-04-30 00:00:00
Fedora Core 12 FEDORA-2009-12750 (nginx)
2009-12-10 00:00:00
fedora
fedora
[SECURITY] Fedora 11 Update: nginx-0.7.64-1.fc11
2009-12-07 07:27:32
[SECURITY] Fedora 12 Update: nginx-0.7.64-1.fc12
2009-12-07 07:23:18
[SECURITY] Fedora 10 Update: nginx-0.7.64-1.fc10
2009-12-07 07:26:07
cve
cve
CVE-2009-3898
2009-11-24 17:30:00
CVE-2011-4315
2011-12-08 20:55:00
CVE-2009-3896
2009-11-24 17:30:00
ubuntucve
ubuntucve
CVE-2009-3898
2009-11-24 00:00:00
CVE-2011-4315
2011-12-08 00:00:00
CVE-2009-3896
2009-11-24 00:00:00
seebug
seebug
nginx DNS解析器远程堆缓冲区溢出漏洞
2011-11-18 00:00:00
nginx ngx_http_process_request_headers()函数空指针引用拒绝服务漏洞
2009-11-27 00:00:00
nginx 'ngx_cpystrn()'信息泄露漏洞(CVE-2012-1180)
2012-03-29 00:00:00
nginx
nginx
Directory traversal vulnerability
2009-11-24 17:30:00
Buffer overflow in resolver
2011-12-08 20:55:00
Null pointer dereference vulnerability
2009-11-24 17:30:00
debiancve
debiancve
CVE-2009-3898
2009-11-24 17:30:00
CVE-2011-4315
2011-12-08 20:55:00
CVE-2009-3896
2009-11-24 17:30:00
suse
suse
VUL-0: nginx: heap overflow (important)
2012-02-09 19:10:57
Security update for nginx-1.0 (important)
2011-12-05 18:08:33
man-in-the-middle attack in openssl
2009-11-18 09:50:39
prion
prion
Heap overflow
2011-12-08 20:55:00
Null pointer dereference
2009-11-24 17:30:00
Directory traversal
2009-11-24 17:30:00
amazon
amazon
Medium: nginx
2011-12-13 12:50:00
Medium: nginx
2012-04-05 12:50:00
redhatcve
redhatcve
CVE-2009-3896
2019-10-04 22:25:10
securityvulns
securityvulns
nginx information leakage
2012-03-17 00:00:00
Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
2009-11-11 00:00:00
[ MDVSA-2009:337 ] proftpd
2009-12-22 00:00:00
debian
debian
[SECURITY] [DSA 2434-1] nginx security update
2012-03-19 22:56:59
[SECURITY] [DSA-2141-2] New nss packages fix protocol design flaw
2011-01-05 23:20:31
[SECURITY] [DSA-2141-4] New lighttpd packages fix regression
2011-01-12 18:51:18
altlinux
altlinux
Security fix for the ALT Linux 8 package openssl10 version 0.9.8l-alt1
2009-11-07 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 0.9.8l-alt1
2009-11-07 00:00:00
redhat
redhat
(RHSA-2010:0164) Moderate: openssl097a security update
2010-03-25 00:00:00
(RHSA-2010:0155) Moderate: java-1.4.2-ibm security and bug fix update
2010-03-17 00:00:00
ubuntu
ubuntu
Apache vulnerability
2010-09-21 00:00:00
NSS vulnerability
2010-07-23 00:00:00
nss vulnerability
2010-06-29 00:00:00
mozilla
mozilla
Update NSS to support TLS renegotiation indication — Mozilla
2010-03-30 00:00:00
hackerone
hackerone
LocalTapiola: Secure Client-Initiated Renegotiation
2017-12-27 15:57:52
Slack: TLS1/SSLv3 Renegotiation Vulnerability
2014-04-02 13:01:00
veracode
veracode
Man-in-the-Middle (MitM)
2020-04-10 00:36:56
fortinet
fortinet
FortiOS SSL Deep-Inspection possible Insecure Renegotiation
2017-11-03 00:00:00
slackware
slackware
openssl
2009-11-16 13:42:36
oraclelinux
oraclelinux
openssl097a security update
2010-03-25 00:00:00

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.086 Low

EPSS

Percentile

94.4%

JSON
Related for GLSA-201203-22
nessus55openvas72fedora14cve5ubuntucve4seebug6nginx4debiancve4suse3prion4amazon2redhatcve1securityvulns5debian5altlinux2redhat2ubuntu4mozilla1hackerone2veracode1fortinet1slackware1oraclelinux1