Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <6E6DFCC9-6BFC-4774-BCF7-903C61418524@nginx.com>
Date: Thu, 12 Apr 2012 18:21:18 +0400
From: Andrew Alexeev <andrew@...nx.com>
To: oss-security@...ts.openwall.com
Subject: nginx security advisory: mp4 module vulnerability, CVE-2012-2089

Hello,

The nginx team has released stable version 1.0.15, and development
version 1.1.19 of its nginx web server, which include a fix for a
vulnerability discovered by Matthew Daley in nginx's standard mp4
pseudo-streaming module.

The following CVE-ID has been used: CVE-2012-2089 (privately
assigned earlier by Kurt Seifried):

http://nginx.org/en/security_advisories.html

Description: a specially crafted mp4 file might allow to overwrite
memory locations in a worker process, if ngx_http_mp4_module is 
used, potentially resulting in arbitrary code execution.  The mp4
module is not built in by default, and should be explicitly
configured to be included in nginx.  By default nginx worker
processes run under non-privileged user account.

The problem affects nginx versions newer than 1.1.3, 1.0.7, built with
the ngx_http_mp4_module, and "mp4" directive in the configuration.
To check if mp4 module is included in nginx build, use "nginx -V".

Users of nginx and mp4 pseudo-streaming module are kindly advised
to upgrade to the latest nginx versions, or apply the following patch:

http://nginx.org/download/patch.2012.mp4.txt



-- 
Andrew Alexeev
@nginxorg

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.