Hello!

A bug in nginx SMTP proxy was found, which allows an attacker in a privileged network position to inject commands into SSL sessions started with the STARTTLS command, potentially making it possible to steal sensitive information sent by clients (CVE-2014-3556).

The problem affects nginx 1.5.6 - 1.7.3.

The problem is fixed in nginx 1.7.4, 1.6.1.

Patch for the problem can be found here:

http://nginx.org/download/patch.2014.starttls.txt

Thanks to Chris Boulton for discovering this.

--
Maxim Dounin
http://nginx.org/en/donation.html

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce
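
An exposure check for the version ranges in the advisory above, as an added example (not part of the original message and not nginx project code). The function names and the sample configuration are hypothetical; it assumes 1.6.x releases after 1.6.1 also carry the fix, and it cannot see distribution backports or follow `include` directives.

```python
import re

# Ranges from the advisory: affected 1.5.6 - 1.7.3, fixed in 1.7.4 and 1.6.1.
FIRST_AFFECTED = (1, 5, 6)
LAST_AFFECTED = (1, 7, 3)
STABLE_FIX = (1, 6, 1)  # assumption: later 1.6.x releases also carry the fix

# Constructed sample of a mail proxy configuration (not from the advisory).
SAMPLE_CONFIG = """
mail {
    server {
        listen   25;
        protocol smtp;
        starttls on;   # STARTTLS offered to clients
    }
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output or a bare version."""
    m = re.search(r"(?:nginx/)?(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_affected(banner):
    v = parse_version(banner)
    if not (FIRST_AFFECTED <= v <= LAST_AFFECTED):
        return False
    # On the 1.6.x stable branch only 1.6.0 predates the fix.
    return not (v[:2] == STABLE_FIX[:2] and v >= STABLE_FIX)

def starttls_enabled(config_text):
    """True if a non-comment line sets `starttls on;` or `starttls only;`."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if re.search(r"\bstarttls\s+(on|only)\s*;", line):
            return True
    return False

def assess(banner, config_text):
    if not version_affected(banner):
        return "version not in affected range"
    if starttls_enabled(config_text):
        return "affected: upgrade or apply patch"
    return "affected version, STARTTLS not enabled in this config"
```

Feed `assess` the output of `nginx -v` (written to stderr) and the text of the configuration that holds the `mail` block.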