Security : Nginx 1.0.15

Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module:

  • Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley.
  • Bugfix: in the ngx_http_mp4_module.

Upgrading is recommended if you’re using the nginx-extras packages.
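
To check whether a given 1.0.x installation is affected, the script below classifies a build from its `nginx -V` output and its configuration text. It is an added example, not part of the Dotdeb packages or of nginx; the result labels and the `/etc/nginx` paths are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify an nginx 1.0.x build against the fix in 1.0.15.

# Constructed samples (not taken from a real host).
SAMPLE_V='nginx: nginx version: nginx/1.0.14
nginx: configure arguments: --with-http_ssl_module --with-http_mp4_module'
SAMPLE_CONF='location /video/ {
    mp4;
}'

# Pull "X.Y.Z" out of `nginx -V` text.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeeds when dotted version $1 is strictly lower than $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# $1 = `nginx -V` text, $2 = configuration text.
# Prints: unknown | module-absent | other-branch | fixed |
#         vulnerable-in-use | vulnerable-unused
mp4_exposure() {
    v=$(nginx_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    # The module only exists in builds configured with this flag.
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module' || { echo module-absent; return 0; }
    # The page only covers the 1.0.x packages; other branches are out of scope here.
    case "$v" in 1.0.*) ;; *) echo other-branch; return 0 ;; esac
    version_lt "$v" 1.0.15 || { echo fixed; return 0; }
    # The module handles requests only where the "mp4;" directive is set.
    if printf '%s\n' "$2" | grep -Eq '^[[:space:]]*mp4[[:space:]]*;'; then
        echo vulnerable-in-use
    else
        echo vulnerable-unused
    fi
}

# Live use on a host that has nginx (it prints -V on stderr).
# /etc/nginx is the assumed configuration directory.
if command -v nginx >/dev/null 2>&1; then
    mp4_exposure "$(nginx -V 2>&1)" "$(cat /etc/nginx/nginx.conf /etc/nginx/sites-enabled/* 2>/dev/null)"
fi
```

A `vulnerable-unused` result still calls for the upgrade, since the module is compiled in and any later configuration change that adds `mp4;` would expose it.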

8 replies on “Security : Nginx 1.0.15”

@raphaël: I’ve never tried. But I don’t think you could install both ruby-passenger from Dotdeb and ruby 1.9.3p0 from Bearstech, because ruby-passenger has a dependency on libruby1.9.1.
Please tell me if you manage to get them working together.

I’m not a package/Debian expert, but Bearstech seems to “override” ruby 1.9.1 with 1.9.3, so the system thinks it’s still using the standard 1.9.1 package. I’ve installed nginx-passenger and ruby is still at 1.9.3p0.

However, if I set passenger_root to /usr, passenger fails with:

[ASYNC BUG] thread_timer: select

ruby 1.9.3p0 (2011-10-30 revision 33570) [x86_64-linux]

You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details:

Somehow my /etc/init.d/nginx file got wiped out and is empty. I don’t know if it was during the upgrade, or something I did just after the upgrade (probably), but now I can’t get Nginx to start or respond.

Could anyone post or tell me where I can find the contents for /etc/init.d/nginx, please?
