changeset 904:22bd9315e047

nginx-1.2.9
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 13 May 2013 15:23:37 +0400
parents 8ceb504cdb99
children f0b851313106
files text/en/CHANGES-1.2 text/ru/CHANGES.ru-1.2 xml/en/security_advisories.xml xml/index.xml
diffstat 4 files changed, 33 insertions(+), 0 deletions(-) [+]
--- a/text/en/CHANGES-1.2
+++ b/text/en/CHANGES-1.2
@@ -1,4 +1,11 @@
 
+Changes with nginx 1.2.9                                         13 May 2013
+
+    *) Security: contents of worker process memory might be sent to a client
+       if HTTP backend returned specially crafted response (CVE-2013-2070);
+       the bug had appeared in 1.1.4.
+
+
 Changes with nginx 1.2.8                                         02 Apr 2013
 
     *) Bugfix: new sessions were not always stored if the "ssl_session_cache
--- a/text/ru/CHANGES.ru-1.2
+++ b/text/ru/CHANGES.ru-1.2
@@ -1,4 +1,11 @@
 
+Изменения в nginx 1.2.9                                           13.05.2013
+
+    *) Безопасность: содержимое памяти рабочего процесса могло быть
+       отправлено клиенту, если HTTP-бэкенд возвращал специально созданный
+       ответ (CVE-2013-2070); ошибка появилась в 1.1.4.
+
+
 Изменения в nginx 1.2.8                                           02.04.2013
 
     *) Исправление: при использовании директивы "ssl_session_cache shared"
--- a/xml/en/security_advisories.xml
+++ b/xml/en/security_advisories.xml
@@ -24,6 +24,15 @@ Patches are signed using one of the
 
 <security>
 
+<item name="Memory disclosure with specially crafted http backend responses"
+      severity="medium"
+      cve="2013-2070"
+      good="1.5.0+, 1.4.1+, 1.2.9+"
+      vulnerable="1.1.4-1.2.8, 1.3.9-1.4.0">
+<patch name="patch.2013.chunked.txt" versions="1.3.9-1.4.0" />
+<patch name="patch.2013.proxy.txt" versions="1.1.4-1.2.8" />
+</item>
+
 <item name="Stack-based buffer overflow with specially crafted request"
       severity="major"
       advisory="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html"
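Review bot: The new `<item>` for CVE-2013-2070 has no `advisory` attribute, while the entry right after it (context lines) links its announcement with `advisory="http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html"`. Without that link, a reader of the advisories page gets only the version ranges and patch names, with no pointer to the announcement that presumably explains which configurations are exposed and how to mitigate before upgrading. If the announcement exists, add `advisory="<URL of the nginx-announce post for CVE-2013-2070>"`; if it is not yet published, add it in a follow-up commit. As a smaller style point, the item name spells "http backend" in lower case where the CHANGES entry in this same changeset writes "HTTP backend"; `name="Memory disclosure with specially crafted HTTP backend responses"` would keep the two consistent.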
--- a/xml/index.xml
+++ b/xml/index.xml
@@ -7,6 +7,16 @@
 
 <news name="nginx news" link="/" lang="en">
 
+<event date="2013-05-13">
+<para>
+<link doc="en/download.xml">nginx-1.2.9</link>
+legacy version has been released,
+addressing the
+<link doc="en/security_advisories.xml">information disclosure</link>
+security problem in some previous nginx versions (CVE-2013-2070).
+</para>
+</event>
+
 <event date="2013-05-07">
 <para>
 <link doc="en/download.xml">nginx-1.4.1</link>