Date:      Fri, 17 May 2013 00:04:31 +0200
From:      Michael Gmelin <freebsd@grem.de>
To:        freebsd-ports@freebsd.org
Cc:        secteam@freebsd.org
Subject:   Portaudit claims nginx 1.2.x vulnerable
Message-ID:  <20130517000431.0fab3a3a@bsd64.grem.de>

Hi,

I just noticed that portaudit considers www/nginx >=1.2.0,1 <1.4.1,1 to
be affected by CVE-2013-2028, creating noise and preventing
installation:

http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html

According to the announcement on the nginx mailing list, only versions
of nginx >= 1.3.9 < 1.4.1,1 should be affected:

http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
and the fix in nginx trac
http://trac.nginx.org/nginx/changeset/5189/nginx

I just checked the source of 1.2.8 (the current version in ports,
www/nginx) and it doesn't even contain the affected functionality, nor
the affected function implementing it (ngx_http_parse_chunked). This is
in line with additional media and bugtracker coverage:

https://bugzilla.redhat.com/show_bug.cgi?id=960605
http://www.openwall.com/lists/oss-security/2013/05/07/3
http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html

Long story short: I would kindly ask you to correct the entry in the
portaudit database to match only affected versions of nginx.

Cheers,
Michael

-- 
Michael Gmelin

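A way to see which port versions a VuXML/portaudit range actually matches, as an added example that is not code from this mail, from portaudit or from the ports tree: it implements a simplified pkg_version(1)-style comparison (the ",N" PORTEPOCH wins first, then the dotted version, then the "_N" port revision; alphabetic suffixes and "pl" markers are assumed absent) and evaluates the entry's original range against 1.2.8,1 next to a narrowed range. The narrowed lower bound ">=1.3.9,1" is an assumption about how it would be written with the port's epoch; the mail gives "1.3.9" without it, and the example also shows why dropping the epoch on one bound still matches 1.2.8,1.

```python
"""Check a FreeBSD port version against VuXML-style version ranges.

Added example: a simplified pkg_version(1)-style comparison, not the
portaudit or pkg implementation.  Handles 'version[_revision][,epoch]'
with numeric dotted versions only (assumption: no letter suffixes).
"""
import re
from typing import List, Tuple

# comparison operators allowed in a range spec, applied to compare()'s result
_OPS = {
    ">=": lambda c: c >= 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
}

# one bound: operator followed by a version such as 1.4.1,1 or 1.2.8_2,1
_BOUND_RE = re.compile(r"(>=|<=|>|<|=)\s*([0-9][0-9._,]*)")


def parse_version(v: str) -> Tuple[int, List[int], int]:
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    epoch = 0
    if "," in v:                      # PORTEPOCH, e.g. '1.2.8,1'
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:                      # PORTREVISION, e.g. '1.2.8_2'
        v, r = v.rsplit("_", 1)
        revision = int(r)
    components = [int(x) for x in v.split(".")]
    return epoch, components, revision


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like 'pkg_version -t a b': epoch, then version, then revision."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:                      # a higher epoch beats any version number
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))         # pad so that 1.2 == 1.2.0
    ca += [0] * (n - len(ca))
    cb += [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def parse_range(spec: str) -> List[Tuple[str, str]]:
    """Parse '>=1.2.0,1 <1.4.1,1' into [('>=', '1.2.0,1'), ('<', '1.4.1,1')]."""
    bounds = _BOUND_RE.findall(spec)
    leftover = "".join(_BOUND_RE.sub("", spec).split())
    if not bounds or leftover:
        raise ValueError(f"unparseable range: {spec!r}")
    return bounds


def affected(version: str, spec: str) -> bool:
    """True when every bound in spec holds for the given port version."""
    return all(_OPS[op](compare(version, bound)) for op, bound in parse_range(spec))


if __name__ == "__main__":
    # constructed inputs: the entry's original range, a narrowed range with the
    # epoch on both bounds, and the narrowed range with the epoch dropped
    original = ">=1.2.0,1 <1.4.1,1"
    narrowed = ">=1.3.9,1 <1.4.1,1"
    no_epoch = ">=1.3.9 <1.4.1,1"
    for port_version in ("1.2.8,1", "1.3.9,1", "1.4.0,1", "1.4.1,1"):
        print(port_version,
              "original:", affected(port_version, original),
              "narrowed:", affected(port_version, narrowed),
              "lower bound without epoch:", affected(port_version, no_epoch))
```

Run it as a script to see the table; the third column is the pitfall: because ",1" sorts above every epoch-0 version, a lower bound written as "1.3.9" is satisfied by 1.2.8,1, so the corrected entry has to carry the epoch on the lower bound as well.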