Bug 8656

Summary: nginx - MITM flaw (CVE-2011-4968)
Product: Mageia
Reporter: Oden Eriksson <oe>
Component: Security
Assignee: Sam Bailey <sam>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: Normal
CC: fundawang, luigiwalser, shikamaru
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: nginx
CVE:
Status comment:

Description Oden Eriksson 2013-01-11 06:47:54 CET
On 01/03/2013 08:36 AM, Daniel Kahn Gillmor wrote:
> nginx offers the ability for its http proxy module to talk to an
> origin server over https.  However, it does not verify the identity
> of the origin server in this case, which leaves it subject to MITM
> attacks between the proxy and the origin server.
>
> Sadly, this appears to be unfixed for over a year after it was
> first reported:
>
> http://trac.nginx.org/nginx/ticket/13
>
> Some patch review starts over here, but doesn't seem to reach any
> resolution:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
>
> As far as I can tell, there is no CVE assigned for this yet.
>
> --dkg
>

Yup. Please use CVE-2011-4968 for this issue.
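
The report above concerns `https://` upstreams that nginx's proxy module accepts without verifying the origin's certificate. As an added example (not part of this bug report and not nginx project code), the Python sketch below audits a configuration for such upstreams. It assumes the `proxy_ssl_verify` and `proxy_ssl_trusted_certificate` directives that nginx gained in later releases (1.7.0 and newer), which the report does not mention; the sample configuration, hostnames and paths are constructed.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE = """
http {
    proxy_ssl_trusted_certificate /etc/nginx/origin-ca.pem;
    server {
        location /a/ { proxy_pass https://origin.example; }  # verification never enabled
        location /b/ { proxy_ssl_verify on; proxy_pass https://origin.example; }
        location /c/ { proxy_pass http://127.0.0.1:8080; }   # plain HTTP, out of scope
    }
    server {
        proxy_ssl_verify on;  # inherited by the locations below
        location / { proxy_pass https://origin.example; }
        location /d/ { proxy_ssl_verify off; proxy_pass https://other.example; }
    }
}
"""

def unverified_https_upstreams(text):
    """List (block, url) for https proxy_pass targets without proxy_ssl_verify on."""
    # Simplifications: no quoted strings, no `include` expansion, http module only.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    root = {"name": "main", "parent": None, "verify": None}
    scope, words, passes = root, [], []
    for tok in tokens:
        if tok == "{":
            scope = {"name": " ".join(words), "parent": scope, "verify": None}
            words = []
        elif tok == "}":
            scope, words = scope["parent"] or root, []
        elif tok == ";":
            name, arg = (words + ["", ""])[:2]
            if name == "proxy_ssl_verify":
                scope["verify"] = arg
            elif name == "proxy_pass" and arg.lower().startswith("https://"):
                passes.append((scope, arg))
            words = []
        else:
            words.append(tok)
    findings = []
    for scope, url in passes:
        s = scope
        # The setting is inherited from the nearest enclosing level that defines it.
        while s is not None and s["verify"] is None:
            s = s["parent"]
        if s is None or s["verify"] != "on":  # nginx default is off
            findings.append((scope["name"], url))
    return findings
```

Inheritance is resolved only after the whole file is read, so a `proxy_ssl_verify on;` that appears after a `location` block in the same `server` still counts for that location.
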
Manuel Hiebel 2013-01-11 22:32:15 CET

Assignee: bugsquad => shikamaru
Source RPM: (none) => nginx

Comment 1 David Walser 2013-01-31 22:52:41 CET
Here's Red Hat's bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=892030

CC: (none) => luigiwalser

David Walser 2013-01-31 22:54:32 CET

CC: (none) => fundawang

David Walser 2013-02-01 19:43:09 CET

Summary: CVE-2011-4968: nginx - MITM flaw => nginx - MITM flaw (CVE-2011-4968)

Comment 2 David Walser 2013-11-22 15:57:33 CET
Closing this as WONTFIX as Red Hat has done the same.

Status: NEW => RESOLVED
CC: (none) => shikamaru
Version: 2 => Cauldron
Resolution: (none) => WONTFIX
Assignee: shikamaru => sam