
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN133
____________________________________________________________________

DATE                : 16/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running nginx versions prior to 1.1.17 and 1.0.14.

======================================================================
http://mailman.nginx.org/pipermail/nginx-announce/2012/000074.html
http://mailman.nginx.org/pipermail/nginx-announce/2012/000075.html
http://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html
______________________________________________________________________

Changes with nginx 1.1.17                                        15 Mar 2012

    *) Security: content of previously freed memory might be sent to a
       client if a backend returned a specially crafted response.
       Thanks to Matthew Daley.

    *) Bugfix: in the embedded perl module if used from SSI.
       Thanks to Matthew Daley.

    *) Bugfix: in the ngx_http_uwsgi_module.


Maxim Dounin
______________________________________________________________________

Changes with nginx 1.0.14                                 15 Mar 2012

    *) Security: content of previously freed memory might be sent to a
       client if a backend returned a specially crafted response.
       Thanks to Matthew Daley.


Maxim Dounin

____________________________________________________________________

Hello!

Matthew Daley recently discovered a security problem which may
lead to a disclosure of previously freed memory on a specially
crafted response from an upstream server, potentially resulting in a
sensitive information leak.

A patch for the problem can be found here:

http://nginx.org/download/patch.2012.memory.txt

The patch is not required for 1.1.17 and 1.0.14.

Maxim Dounin

______________________________________________________________________

======================================================================

=========================================================
CERT-Renater reference servers
https://services.renater.fr/ssi/
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
