This bug was fixed in the package nginx - 1.4.1-3ubuntu1.3
---
nginx (1.4.1-3ubuntu1.3) saucy-security; urgency=low
* SECURITY UPDATE: SPDY Heap Buffer Overflow Vulnerability (LP: #1294280)
- debian/patches/cve-2014-0133.patch: modify src/http/ngx_http_spdy.c to
fix a heap
Key thing to check is if all binaries build with the --with-debug
option. If they all build with it, then we are not vulnerable.
(according to the Debian people)
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
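
The check described above, sketched as an added example that is not part of the original thread: it classifies one nginx binary from the text printed by `nginx -V`. `--with-http_spdy_module` is the nginx configure flag that compiles in the SPDY module; the function name, result labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify one nginx build from the text printed by `nginx -V`.
# Prints one of: no-spdy, spdy+debug, spdy-without-debug.
# The body runs in a subshell so that `set -f` does not leak to the caller.
classify_build() (
    set -f   # no glob expansion while word-splitting the arguments
    # Keep only the "configure arguments:" line of the -V output.
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments://p')
    spdy=no
    debug=no
    # Match whole words, so a path such as --prefix=/opt/--with-debug
    # is not mistaken for the flag itself.
    for a in $args; do
        case "$a" in
            --with-http_spdy_module) spdy=yes ;;
            --with-debug)            debug=yes ;;
        esac
    done
    if [ "$spdy" = no ]; then
        echo "no-spdy"
    elif [ "$debug" = yes ]; then
        echo "spdy+debug"           # the case the thread reports as not affected
    else
        echo "spdy-without-debug"   # the case the thread singles out for the patch
    fi
)

# Constructed sample outputs (not taken from a real package build).
SAMPLE_A='nginx version: nginx/1.4.1
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_spdy_module'
SAMPLE_B='nginx version: nginx/1.4.1
configure arguments: --prefix=/usr/share/nginx --with-debug --with-http_ssl_module --with-http_spdy_module'
SAMPLE_C='nginx version: nginx/1.4.1
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module'

for s in "$SAMPLE_A" "$SAMPLE_B" "$SAMPLE_C"; do
    classify_build "$s"
done
```

On a live host, `nginx -V` writes to stderr, so call `classify_build "$(nginx -V 2>&1)"` once for each installed nginx binary.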
** Changed in: nginx (Debian)
Status: Unknown => Fix Released
--
https://bugs.launchpad.net/bugs/1294280
Title:
[CVE-2014-0133] SPDY Heap Buffer Overflow
As with Debian, we are not affected by this bug, as we build with the
--with-debug option on all binaries, and it's up to the security team if
they want to sponsor the patch in, since we're not affected.
--
Trusty uses the --with-debug on all binaries; Saucy does not. Saucy
should probably just get the upstream Nginx patch to enable that one
code block.
Thanks
--
I've attached a debdiff for Saucy.
** Patch added: CVE-2014-0133 Debdiff for Saucy
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1294280/+attachment/4031514/+files/cve-2014-0133_saucy.debdiff
--
The attachment CVE-2014-0133 Debdiff for Saucy seems to be a debdiff.
The ubuntu-sponsors team has been subscribed to the bug report so that
they can review and hopefully sponsor the debdiff. If the attachment
isn't a patch, please remove the patch flag from the attachment,
remove the patch tag,