Your message dated Tue, 29 Oct 2013 01:12:51 -0500
with message-id <[email protected]>
and subject line Closing
has caused the Debian Bug report #697940,
regarding [CVE-2011-4968] nginx does not verify the backend's identity when 
proxying to an https origin server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
697940: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697940
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nginx
Version: 0.7.67-3+squeeze2
Severity: normal
Tags: upstream security
Control: found -1 1.2.1-2.2

When nginx is configured as a reverse proxy with an https origin
server, it is vulnerable to a MITM attack, because it does not verify
the certificate of the origin server.

This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and
also CVE-2011-4968.

It appears to have been known for over a year, but the proposed
patches to resolve the problem appear to have never made it through
the patch review process in upstream:

 http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

Regards,

     --dkg

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
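
A check for the condition this report describes, as an added example that is not part of the original thread or of nginx: it walks a configuration and lists every `proxy_pass https://...` whose effective `proxy_ssl_verify` is not `on`. It assumes nginx 1.7.0 or later, where the `proxy_ssl_verify` directive (default `off`) exists, and it does not resolve `include` files; the sample configuration, host names and function names are constructed for illustration.

```python
import re
# Constructed sample configuration, not taken from the bug report.
SAMPLE_CONF = """
http {
    server {
        location /api/ {
            proxy_pass https://api.internal.example;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;
        }
        location /legacy/ {
            proxy_pass https://legacy.internal.example;  # never verified
        }
    }
}
"""
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};#]+')

def parse(tokens, name="main"):
    # Build a tree; the shared iterator lets nested calls consume their block.
    block = {"name": name, "directives": {}, "children": []}
    words = []
    for tok in tokens:
        if tok == "{":
            block["children"].append(parse(tokens, " ".join(words)))
        elif tok == "}":
            break
        elif tok != ";":
            words.append(tok)
            continue
        elif words:
            block["directives"][words[0]] = words[1:]
        words = []
    return block

def unverified_proxies(block, inherited=None, path=""):
    # proxy_ssl_* settings inherit from enclosing levels unless overridden.
    settings = {**(inherited or {}), **block["directives"]}
    here = f"{path} > {block['name']}" if path else block["name"]
    target = (block["directives"].get("proxy_pass") or [""])[0]
    verified = (settings.get("proxy_ssl_verify") or ["off"])[0] == "on"
    found = [(here, target)] if target.startswith("https://") and not verified else []
    for child in block["children"]:
        found += unverified_proxies(child, settings, here)
    return found

def audit(conf_text):
    # Returns a list of (context, upstream) pairs that skip certificate checks.
    tokens = (t for t in TOKEN.findall(conf_text) if not t.startswith("#"))
    return unverified_proxies(parse(tokens))
```

Feeding `audit()` the output of `nginx -T` covers included files, since that command dumps the fully assembled configuration.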
--- Begin Message ---
I'm closing this bug because it's an issue in upstream that needs to be solved
there. As I said, we won't be making this significant of a patch. If you need
to follow up on this, please see http://trac.nginx.org/nginx/ticket/13.

-- 
Michael Lustfield

--- End Message ---