
Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module:

  • Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley.
  • Bugfix: in the ngx_http_mp4_module.

Upgrading is recommended if you’re using the nginx-extras packages.
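
To see whether a given host falls under this recommendation, the following added example (not part of the original post or of the Dotdeb packages) classifies a 1.0.x build from its `nginx -V` output. The helper name `mp4_check` and the sample output are constructed for illustration; `--with-http_mp4_module` is the nginx configure flag that compiles the module in.

```shell
#!/bin/sh
# Added example: classify an nginx 1.0.x build from its `nginx -V` output.
# mp4_check is a hypothetical helper name, not part of nginx or Dotdeb.

# Constructed sample (not captured from a real host).
SAMPLE_OLD='nginx: nginx version: nginx/1.0.14
nginx: configure arguments: --with-http_ssl_module --with-http_mp4_module'

# Prints one of: affected | patched | no-mp4 | other-branch | unknown
mp4_check() {
    out=$1
    # Version line contains "nginx version: nginx/X.Y.Z".
    ver=$(printf '%s\n' "$out" |
        sed -n 's|.*nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi

    # The module is only compiled in when this configure flag was given.
    case "$out" in
        *--with-http_mp4_module*) ;;
        *) echo no-mp4; return 0 ;;
    esac

    # Split X.Y.Z on dots; positional parameters are local to the function.
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    # Only the 1.0.x branch is covered here; the fix landed in 1.0.15.
    if [ "$1.${2:-0}" != "1.0" ]; then echo other-branch; return 0; fi
    if [ "${3:-0}" -lt 15 ]; then echo affected; else echo patched; fi
}

# Check the local binary when present (nginx -V writes to stderr),
# otherwise fall back to the constructed sample.
if command -v nginx >/dev/null 2>&1; then
    mp4_check "$(nginx -V 2>&1)"
else
    mp4_check "$SAMPLE_OLD"
fi
```

A result of `affected` means the binary is a pre-1.0.15 build with the mp4 module compiled in; `other-branch` means the version is outside the 1.0.x series this announcement covers.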

8 Responses to “Security : Nginx 1.0.15”

    • Guillaume Plessis

      @raphaël : I’ve never tried. But I don’t think you could install both ruby-passenger from Dotdeb and ruby 1.9.3p0 from Bearstech, because ruby-passenger has a dependency on libruby1.9.1.
      Please tell me if you manage to get them working together.

  1. raphaël

    I’m not a package/Debian expert, but Bearstech seems to “override” ruby 1.9.1 with 1.9.3, so the system thinks it’s still using the standard 1.9.1 package. I’ve installed nginx-passenger and ruby is still at 1.9.3p0.

    However, if I set passenger_root to /usr, passenger fails with:

    [ASYNC BUG] thread_timer: select
    EBADF

    ruby 1.9.3p0 (2011-10-30 revision 33570) [x86_64-linux]

    [NOTE]
    You may have encountered a bug in the Ruby interpreter or extension libraries.
    Bug reports are welcome.
    For details: http://www.ruby-lang.org/bugreport.html

  2. thompson

    Somehow my /etc/init.d/nginx file got wiped out and is empty. I don’t know if it was during the upgrade, or something I did just after the upgrade (probably), but now I can’t get Nginx to start or respond.

    Could anyone post or tell me where I can find the contents for /etc/init.d/nginx, please?
