Detections
Analytics

openSUSE Security Update : nginx (openSUSE-SU-2013:1015-1)

medium Nessus Plugin ID 75025

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This version update for nginx to 1.2.9 includes a security fix and several bugfixes and feature enhancements. (bnc#821184)

*) Security: contents of worker process memory might be sent to a client if HTTP backend returned specially crafted response (CVE-2013-2070); the bug had appeared in 1.1.4.

 - changes with 1.2.8 :

 *) Bugfix: new sessions were not always stored if the 'ssl_session_cache shared' directive was used and there was no free space in shared memory.

 *) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing.

 *) Bugfix: in the ngx_http_mp4_module.

 *) Bugfix: in backend usage accounting.

 - changes with nginx 1.2.7

 *) Change: now if the 'include' directive with mask is used on Unix systems, included files are sorted in alphabetical order.

 *) Change: the 'add_header' directive adds headers to 201 responses.

 *) Feature: the 'geo' directive now supports IPv6 addresses in CIDR notation.

 *) Feature: the 'flush' and 'gzip' parameters of the 'access_log' directive.

 *) Feature: variables support in the 'auth_basic' directive.

 *) Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the 'log_format' directive.

 *) Feature: IPv6 support in the ngx_http_geoip_module.

 *) Bugfix: nginx could not be built with the ngx_http_perl_module in some cases.

 *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used.

 *) Bugfix: nginx could not be built on MacOSX in some cases.

 *) Bugfix: the 'limit_rate' directive with high rates might result in truncated responses on 32-bit platforms.

 *) Bugfix: a segmentation fault might occur in a worker process if the 'if' directive was used.

 *) Bugfix: a '100 Continue' response was issued with '413 Request Entity Too Large' responses.

 *) Bugfix: the 'image_filter', 'image_filter_jpeg_quality' and 'image_filter_sharpen' directives might be inherited incorrectly.

 *) Bugfix: 'crypt_r() failed' errors might appear if the 'auth_basic' directive was used on Linux.

 *) Bugfix: in backup servers handling.

 *) Bugfix: proxied HEAD requests might return incorrect response if the 'gzip' directive was used.

 *) Bugfix: a segmentation fault occurred on start or during reconfiguration if the 'keepalive' directive was specified more than once in a single upstream block.

 *) Bugfix: in the 'proxy_method' directive.

 *) Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method.

 *) Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used.

 *) Bugfix: the '[crit] SSL_write() failed (SSL:)' error.

 *) Bugfix: in the 'fastcgi_keep_conn' directive.

Solution

Update the affected nginx packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=821184

https://lists.opensuse.org/opensuse-updates/2013-06/msg00145.html

Plugin Details

Severity: Medium

ID: 75025

File Name: openSUSE-2013-484.nasl

Version: 1.4

Type: local

Agent: unix

Published: 6/13/2014

Updated: 1/19/2021

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nginx, p-cpe:/a:novell:opensuse:nginx-debugsource, p-cpe:/a:novell:opensuse:nginx-debuginfo, cpe:/o:novell:opensuse:12.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 5/24/2013

Reference Information

CVE: CVE-2013-2070