Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 17 Nov 2011 08:58:34 -0700
From: Kurt Seifried <>
Subject: Re: CVE Request: nginx resolver heap overflow

On 11/17/2011 08:37 AM, Kurt Seifried wrote:
> On 11/16/2011 10:50 PM, Ben Hawkes wrote:
>> Hi,
>> The nginx team have released stable version 1.0.10, which includes a fix 
>> for a heap overflow bug in the custom DNS resolver:
>> The resolver is most commonly used with the proxy and fastcgi modules,
>> which are not enabled by default.
>> In order to trigger this condition an attacker would need to be in
>> control of an upstream resolver host, or be in a position to brute-force
>> the weakly generated 16-bit transaction identifier.
>> Thanks,
>> Ben Hawkes
> Do you need a CVE # for this issue?
And this is why coffee is a popular morning drink (and Kurt should have
some =).

Please use CVE-2011-4315 for this issue.


-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ