On 01/03/2013 08:36 AM, Daniel Kahn Gillmor wrote: > nginx offers the ability for its http proxy module to talk to an > origin server over https. However, it does not verify the identity > of the origin server in this case, which leaves it subject to MITM > attacks between the proxy and the origin server. > > Sadly, this appears to be unfixed for over a year after it was > first reported: > > http://trac.nginx.org/nginx/ticket/13 > > some patch review starts over here, but doesn't seem to reach any > resolution: > > http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html > > As far as i can tell, there is no CVE assigned for this yet. > > --dkg > Yup. Please use CVE-2011-4968 for this issue.
Assignee: bugsquad => shikamaruSource RPM: (none) => nginx
Here's RedHat's bug for this: https://bugzilla.redhat.com/show_bug.cgi?id=892030
CC: (none) => luigiwalser
CC: (none) => fundawang
Summary: CVE-2011-4968: nginx - MITM flaw => nginx - MITM flaw (CVE-2011-4968)
Closing this as WONTFIX as RedHat has done the same.
Status: NEW => RESOLVEDCC: (none) => shikamaruVersion: 2 => CauldronResolution: (none) => WONTFIXAssignee: shikamaru => sam