[nginx-announce] nginx security advisory (CVE-2013-2028)

Hello! Greg MacManus, of iSIGHT Partners Labs, found a security problem in several recent versions of nginx. A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution (CVE-2013-2028). The problem affects nginx 1.3.9 - 1.4.0. The problem is fixed in nginx 1.5.0, 1.4.1. Patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt As a temporary workaround the following configuration can be used in each server{} block: if ($http_transfer_encoding ~* chunked) { return 444; } -- Maxim Dounin http://nginx.org/en/donation.html