   openSUSE Security Update: nginx: fixed restriction bypass problem
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:1745-1
Rating:             moderate
References:         #851295
Cross-References:   CVE-2013-4547
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   The nginx webserver was fixed to avoid a restriction bypass
   when a space is not correctly escaped. (CVE-2013-4547)

   On openSUSE 12.2, nginx was updated to version 1.4.4 stable

   * CVE-2013-4547 a character following an unescaped space in a
     request line was handled incorrectly [bnc#851295]
   * bugfix: segmentation fault might occur in the spdy module
   * bugfix: segmentation fault might occur on start if the
     "try_files" directive was used with an empty parameter.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2013-882

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-882

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      nginx-1.4.4-3.5.1
      nginx-debuginfo-1.4.4-3.5.1
      nginx-debugsource-1.4.4-3.5.1

   - openSUSE 12.3 (i586 x86_64):

      nginx-1.2.9-3.8.1
      nginx-debuginfo-1.2.9-3.8.1
      nginx-debugsource-1.2.9-3.8.1

References:

   http://support.novell.com/security/cve/CVE-2013-4547.html
   https://bugzilla.novell.com/851295
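
Added example (not part of the original advisory, and not openSUSE or nginx code): a log review helper that flags access-log entries whose request line carries an unescaped space in the URI, the condition CVE-2013-4547 concerns. It assumes nginx's default "combined" log format; the function name and the sample log lines are constructed for illustration.

```python
import re

# nginx "combined" format: addr - user [time] "request line" status bytes ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)
# A request line is METHOD SP URI SP HTTP/x.y. A correctly escaped URI has
# no raw space, so any space left inside the URI part was sent unescaped.
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>.+) (?P<proto>HTTP/\d\.\d)$')


def find_unescaped_space_requests(lines):
    """Return one dict per log line whose URI contains an unescaped space."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        entry = LINE_RE.match(line)
        if not entry:
            continue  # not in combined format
        req = REQUEST_RE.match(entry.group("request"))
        if req and " " in req.group("uri"):
            hits.append({
                "line": lineno,
                "addr": entry.group("addr"),
                "uri": req.group("uri"),
                "status": int(entry.group("status")),
            })
    return hits


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.32.0"',
    '192.0.2.10 - - [20/Nov/2013:10:00:02 +0000] "GET /files/a%20b.txt HTTP/1.1" 200 120 "-" "curl/7.32.0"',
    '198.51.100.7 - - [20/Nov/2013:10:00:03 +0000] "GET /files/a b.txt HTTP/1.1" 200 120 "-" "-"',
    '198.51.100.7 - - [20/Nov/2013:10:00:04 +0000] "-" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_unescaped_space_requests(SAMPLE_LOG):
        print(hit)
```

Entries it reports from before the update was installed are the ones to review against the access restrictions configured for the requested paths.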