Date: Thu, 16 May 2013 15:36:28 -0700
From: Xin Li <delphij@delphij.net>
To: Michael Gmelin <freebsd@grem.de>
Cc: secteam@freebsd.org, freebsd-ports@freebsd.org
Subject: Re: Portaudit claims nginx 1.2.x vulnerable
Message-ID: <51955F6C.2090102@delphij.net>
In-Reply-To: <20130517000431.0fab3a3a@bsd64.grem.de>
References: <20130517000431.0fab3a3a@bsd64.grem.de>
Hi, Michael,

On 05/16/13 15:04, Michael Gmelin wrote:
> Hi,
>
> I just noticed that portaudit considers www/nginx >=1.2.0,1
> <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> preventing installation:
>
> http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
>
> According to the announcement on the nginx mailing list, only
> versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
>
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
> and the fix in nginx trac
> http://trac.nginx.org/nginx/changeset/5189/nginx
>
> I just checked the source of 1.2.8 (the current version in ports,
> www/nginx) and it doesn't even contain the affected functionality,
> nor the affected function implementing it (ngx_http_parse_chunked).
> This is in line with additional media and bugtracker coverage:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=960605
> http://www.openwall.com/lists/oss-security/2013/05/07/3
> http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
>
> Long story short: I would kindly ask you to correct the entry in
> the portaudit database to match only affected versions of nginx.

I have taken a look at these and found this:

http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

I'll update the vuxml entry to include this information.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die
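The version-range mismatch discussed in this thread, as an added example that is not part of the original messages: a small Python model of FreeBSD port version ordering (epoch first, then dotted numeric components, then the _revision; the real pkg_version rules cover more cases) used to check which port versions the reported entry and a corrected entry would flag. CORRECTED_SPEC, written with the ,1 epoch on both bounds, is an assumption about how the announced range would be expressed in VuXML, not the actual entry.

```python
import re
from typing import Tuple

# Range as reported in the post: matches every 1.2.x build with PORTEPOCH 1.
ORIGINAL_SPEC = ">=1.2.0,1 <1.4.1,1"
# Assumed VuXML form of the announced ">= 1.3.9 < 1.4.1,1", with the port's
# ',1' epoch carried on both bounds (an assumption, not the real entry).
CORRECTED_SPEC = ">=1.3.9,1 <1.4.1,1"

def parse_version(v: str) -> Tuple[int, Tuple[int, ...], int]:
    """'version[_revision][,epoch]' -> (epoch, components, revision).
    Simplified: only dotted numeric versions are accepted."""
    epoch = revision = 0
    if "," in v:
        v, epoch_str = v.rsplit(",", 1)
        epoch = int(epoch_str)
    if "_" in v:
        v, rev_str = v.rsplit("_", 1)
        revision = int(rev_str)
    return epoch, tuple(int(c) for c in v.split(".")), revision

def compare(a: str, b: str) -> int:
    """-1, 0 or 1. Epoch dominates, then components, then revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    width = max(len(ca), len(cb))        # 1.4 and 1.4.0 compare equal
    ca += (0,) * (width - len(ca))
    cb += (0,) * (width - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)
    return (ka > kb) - (ka < kb)

_ALLOWED = {">=": {0, 1}, ">": {1}, "<=": {-1, 0}, "<": {-1}, "==": {0}}

def in_range(version: str, spec: str) -> bool:
    """True when version satisfies every '<op><bound>' clause in spec."""
    clauses = re.findall(r"(>=|<=|==|>|<)\s*(\S+)", spec)
    if not clauses:
        raise ValueError(f"no range clauses in {spec!r}")
    return all(compare(version, bound) in _ALLOWED[op] for op, bound in clauses)

def affected(version: str) -> dict:
    """Which of the two entries would flag this port version."""
    return {"original": in_range(version, ORIGINAL_SPEC),
            "corrected": in_range(version, CORRECTED_SPEC)}

if __name__ == "__main__":
    for v in ("1.2.8,1", "1.3.9,1", "1.4.0,1", "1.4.1,1"):
        print(v, affected(v))
```

Because the epoch is compared first, a bound written without ,1 (as in >=1.3.9) sits below every epoch-1 version and would still match 1.2.8,1, so both bounds of an entry need the same epoch.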