======================================================
Name: CVE-2013-2028
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[nginx-announce] 20130507 nginx security advisory (CVE-2013-2028)
Reference: URL:http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
Reference: MISC:http://nginx.org/download/patch.2013.chunked.txt
Reference: MISC:http://packetstormsecurity.com/files/121675/Nginx-1.3.9-1.4.0-Denial-Of-Service.html
Reference: MISC:http://www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/
Reference: MISC:https://github.com/rapid7/metasploit-framework/pull/1834
Reference: OSVDB:93037
Reference: URL:http://www.osvdb.org/93037

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.

======================================================
Name: CVE-2013-2070
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[nginx-announce] 20130513 nginx security advisory (CVE-2013-2070)
Reference: URL:http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
Reference: MLIST:[oss-security] 20130507 Re: nginx security advisory (CVE-2013-2028)
Reference: URL:http://seclists.org/oss-sec/2013/q2/291
Reference: MLIST:[oss-security] 20130513 nginx security advisory (CVE-2013-2070)
Reference: URL:http://www.openwall.com/lists/oss-security/2013/05/13/3
Reference: MISC:http://nginx.org/download/patch.2013.proxy.txt
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=962525
Reference: BID:59824
Reference: URL:http://www.securityfocus.com/bid/59824
Reference: XF:nginx-cve20132070-dos(84172)
Reference: URL:http://xforce.iss.net/xforce/xfdb/84172

http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.

Reproducible:

Steps to Reproduce:

CVE-2013-2070 already fixed in Bug 10085. CVE-2013-2028 does not affect Mageia (we have version 1.2.9).

*** This bug has been marked as a duplicate of bug 10085 ***
Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => DUPLICATE