Closed Bug 979342 Opened 11 years ago Closed 11 years ago

Triage nginx remote code execution CVE-2014-0088

Categories

(Security Assurance :: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: mhenry, Assigned: mhenry)

Details

Date announced: 2014-03-04
Notified via: Nginx announce email list
Description: A bug in the experimental SPDY implementation in nginx 1.5.10 was found, which might allow an attacker to corrupt worker process memory by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0088). The problem only affects nginx 1.5.10 on 32-bit platforms, compiled with the ngx_http_spdy_module module (which is not compiled by default), if the "spdy" option of the "listen" directive is used in a configuration file. The problem is fixed in nginx 1.5.11. Patch for the problem can be found here: http://nginx.org/download/patch.2014.spdy.txt
Assignee: nobody → mhenry
At the time of this comment we are not affected.
* We do not run nginx 1.5 (currently bleeding edge)
* Our nginx servers are 64bit
* We do not currently have spdy enabled on our nginx servers
Group: mozilla-employee-confidential, infrasec
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security
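The advisory's conditions (version 1.5.10, 32-bit build, ngx_http_spdy_module compiled in, "spdy" on a "listen" directive) can be checked mechanically. The following is an added example, not part of this bug or of the nginx project; the function name, reason labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluates the advisory's four conditions for CVE-2014-0088.
# Arguments are captured text, so the check can be run offline:
#   $1  output of `nginx -V 2>&1`
#   $2  output of `file -L "$(command -v nginx)"`
#   $3  nginx configuration text (main file plus includes, concatenated)
# Returns 0 and prints AFFECTED only when every condition holds.
cve_2014_0088_affected() {
    reasons=""
    version=$(printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    [ "$version" = "1.5.10" ] || reasons="$reasons version-is-${version:-unknown}"
    printf '%s\n' "$1" | grep -e '--with-http_spdy_module' >/dev/null ||
        reasons="$reasons spdy-module-not-built"
    printf '%s\n' "$2" | grep 'ELF 32-bit' >/dev/null ||
        reasons="$reasons not-32-bit"
    # Strip comments first so a commented-out "listen ... spdy;" is not counted.
    # Assumes each listen directive sits on a single line.
    printf '%s\n' "$3" | sed 's/#.*//' | grep -E \
        '(^|[[:space:];{])listen[[:space:]][^;]*[[:space:]]spdy([[:space:];]|$)' \
        >/dev/null || reasons="$reasons spdy-not-enabled-on-listen"
    if [ -z "$reasons" ]; then
        echo "AFFECTED: all conditions hold; fixed in nginx 1.5.11"
        return 0
    fi
    echo "NOT AFFECTED:$reasons"
    return 1
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_V='nginx version: nginx/1.5.10
configure arguments: --with-http_ssl_module --with-http_spdy_module'
SAMPLE_FILE32='/usr/sbin/nginx: ELF 32-bit LSB executable, Intel 80386'
SAMPLE_FILE64='/usr/sbin/nginx: ELF 64-bit LSB executable, x86-64'
SAMPLE_CONF='server {
    listen 443 ssl spdy;
}'

# Same build and config on 32-bit and 64-bit binaries.
cve_2014_0088_affected "$SAMPLE_V" "$SAMPLE_FILE32" "$SAMPLE_CONF" || true
cve_2014_0088_affected "$SAMPLE_V" "$SAMPLE_FILE64" "$SAMPLE_CONF" || true
```

Each reason printed after NOT AFFECTED names one advisory condition that failed, which gives the triage comment its evidence.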