On Thu, 16 May 2013 15:36:28 -0700
Xin Li delp...@delphij.net wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Hi, Michael,
On 05/16/13 15:04, Michael Gmelin wrote:
Hi,
I just noticed that portaudit considers www/nginx =1.2.0,1
1.4.1,1 to be affected by CVE-2013-2028, creating noise and
preventing installation:
http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
According to the announcement on the nginx mailing list, only
versions of nginx = 1.3.9 1.4.1,1 should be affected:
http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
and the fix in nginx trac
http://trac.nginx.org/nginx/changeset/5189/nginx
I just checked the source of 1.2.8 (the current version in ports,
www/nginx) and it doesn't even contain the affected functionality,
nor the affected function implementing it (ngx_http_parse_chunked).
This is in line with additional media and bugtracker coverage:
https://bugzilla.redhat.com/show_bug.cgi?id=960605
http://www.openwall.com/lists/oss-security/2013/05/07/3
http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
Long story short: I would kindly ask you to correct the entry in
the portaudit database to match only affected versions of nginx.
I have took a look at these and found this:
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
I'll update the vuxml entry to include these information.
Cheers,
Hi Xin,
I missed that nginx got updated to 1.4.0 and now 1.4.1,1 - seems like
I've been working on an old copy of the ports tree. So recovering from
this should be easy for users and at the same time my statement about
the current version in the ports tree being 1.2.8 was clearly wrong.
Anyway, thanks for the clarification, so basically CVE-2013-2070 and
CVE-2013-2028 got mixed up (the former affecting only certain setups
while the latter affecting everybody in a severe way unless they took
special measures to harden their setup).
Cheers thanks for your swift response,
Michael
--
Michael Gmelin
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org