news 28 Posted June 22, 2014 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201406-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: nginx: Arbitrary code execution Date: June 22, 2014 Bugs: #505018 ID: 201406-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been found in nginx which may allow execution of arbitrary code. Background ========== nginx is a robust, small, and high performance HTTP and reverse proxy server. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/nginx < 1.4.7 >= 1.4.7 Description =========== A bug in the SPDY implementation in nginx was found which might cause a heap memory buffer overflow in a worker process by using a specially crafted request. The SPDY implementation is not enabled in default configurations. Impact ====== A remote attacker could cause execution of arbitrary code by using a specially crafted request. Workaround ========== Disable the spdy module in NGINX_MODULES_HTTP. Resolution ========== All nginx users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.4.7" References ========== [ 1 ] CVE-2014-0133 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0133 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-20.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security ( -at -) gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Share this post Link to post