Hi!
> I just saw something strange on
> http://nginx.org/en/security_advisories.html:
>
> "An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all"
>
> Severity is labelled as 'None', though the CVE talks, among other stuff,
> about 'arbitrary commands and file write'.
> Is your advisories page wrong? Is the CVE wrong? Has this been solved?

AFAIK the nginx developers didn't agree with this CVE advisory, because it's actually a terminal problem. Nginx cannot be exploited, but the user, when looking at the log files, can.

Read the advisory for details [1].

Regards,
Lukas

[1] http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
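The terminal-side nature of the issue discussed above, as an added example that is not part of the original thread or of nginx: a viewing filter that shows control characters in log lines as visible `\xNN` text so the terminal never interprets them. The function names and the sample log lines are constructed for illustration.

```python
import re

# Characters a terminal may act on: C0 controls except tab, DEL, and C1 controls.
# Newline never reaches the pattern because input is split on it first.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f\x80-\x9f]")


def _decode(line: bytes) -> str:
    # Invalid UTF-8 bytes become literal \xNN text instead of raising.
    return line.decode("utf-8", errors="backslashreplace")


def neutralize(line: bytes) -> str:
    """Return one raw log line with every control character shown as \\xNN."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), _decode(line))


def scan(raw: bytes):
    """Return (flagged, safe_text) for each non-empty line of a raw log."""
    rows = []
    for line in raw.split(b"\n"):
        if line:
            flagged = bool(_CONTROL.search(_decode(line)))
            rows.append((flagged, neutralize(line)))
    return rows


# Constructed sample, loosely shaped like web server error log entries.
# The second line carries a harmless colour sequence inside the logged path.
SAMPLE_LOG = (
    b'2013/01/01 12:00:00 [error] open() "/var/www/missing" failed, '
    b'client: 192.0.2.10\n'
    b'2013/01/01 12:00:01 [error] open() "/var/www/\x1b[31mred\x1b[0m" failed, '
    b'client: 192.0.2.11\n'
)

if __name__ == "__main__":
    for flagged, text in scan(SAMPLE_LOG):
        print(("! " if flagged else "  ") + text)
```

Flagged lines are the ones worth a closer look in a pager or editor that does not interpret escape sequences.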
