On Thu, 16 May 2013 15:36:28 -0700 Xin Li <delp...@delphij.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > Hi, Michael, > > On 05/16/13 15:04, Michael Gmelin wrote: > > Hi, > > > > I just noticed that portaudit considers www/nginx >=1.2.0,1 > > <1.4.1,1 to be affected by CVE-2013-2028, creating noise and > > preventing installation: > > > > http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html > > > > According to the announcement on the nginx mailing list, only > > versions of nginx >= 1.3.9 < 1.4.1,1 should be affected: > > > > http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html > > and the fix in nginx trac > > http://trac.nginx.org/nginx/changeset/5189/nginx > > > > I just checked the source of 1.2.8 (the current version in ports, > > www/nginx) and it doesn't even contain the affected functionality, > > nor the affected function implementing it (ngx_http_parse_chunked). > > This is in line with additional media and bugtracker coverage: > > > > https://bugzilla.redhat.com/show_bug.cgi?id=960605 > > http://www.openwall.com/lists/oss-security/2013/05/07/3 > > http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html > > > > > http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html > > > > Long story short: I would kindly ask you to correct the entry in > > the portaudit database to match only affected versions of nginx. > > I have took a look at these and found this: > > http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html > > I'll update the vuxml entry to include these information. > > Cheers, Hi Xin, I missed that nginx got updated to 1.4.0 and now 1.4.1,1 - seems like I've been working on an old copy of the ports tree. So recovering from this should be easy for users and at the same time my statement about the current version in the ports tree being 1.2.8 was clearly wrong. Anyway, thanks for the clarification, so basically CVE-2013-2070 and CVE-2013-2028 got mixed up (the former affecting only certain setups while the latter affecting everybody in a severe way unless they took special measures to harden their setup). Cheers & thanks for your swift response, Michael -- Michael Gmelin _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
