Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module :
- Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley.
- Bugfix: in the ngx_http_mp4_module.
Upgrading is recommended if you’re using the nginx-extras packages.