Hello community, here is the log from the commit of package nginx-0.8 for openSUSE:11.4 checked in at Mon Nov 21 18:35:02 CET 2011. -------- --- old-versions/11.4/all/nginx-0.8/nginx-0.8.changes 2011-02-09 11:43:40.000000000 +0100 +++ 11.4/nginx-0.8/nginx-0.8.changes 2011-11-21 16:19:07.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Nov 21 15:17:45 UTC 2011 - schubi@suse.com + +- Fixed VUL-0: CVE-2011-4315: nginx: heap overflow (bnc #731084) + nginx_heap_overflow_4315.patch + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/nginx-0.8 Destination is old-versions/11.4/UPDATES/all/nginx-0.8 calling whatdependson for 11.4-i586 New: ---- nginx_heap_overflow_4315.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx-0.8.spec ++++++ --- /var/tmp/diff_new_pack.AwJhqE/_old 2011-11-21 18:34:01.000000000 +0100 +++ /var/tmp/diff_new_pack.AwJhqE/_new 2011-11-21 18:34:01.000000000 +0100 @@ -19,7 +19,7 @@ Name: nginx-0.8 Version: 0.8.53 -Release: 4.<RELEASE3> +Release: 4.<RELEASE9> # %define pkg_name nginx # @@ -57,6 +57,9 @@ Patch3: nginx-0.4.0-perl_vendor_install.patch # PATCH-FIX-UPSTREAM nginx-0.6.31_default_config.patch Patch4: nginx-0.6.31_default_config.patch +# PATCH-FIX-UPSTREAM +Patch5: nginx_heap_overflow_4315.patch + BuildRequires: dos2unix BuildRequires: gd-devel BuildRequires: libxslt-devel @@ -93,6 +96,7 @@ %patch2 %patch3 %patch4 +%patch5 dos2unix contrib/geo2nginx.pl %build ++++++ nginx_heap_overflow_4315.patch ++++++ --- src/core/ngx_resolver.c +++ src/core/ngx_resolver.c @@ -1922,7 +1922,12 @@ n = *src++; for ( ;; ) { - if (n != 0xc0) { + if (n & 0xc0) { + n = ((n & 0x3f) << 8) + *src; + src = &buf[n]; + + n = *src++; + } else { ngx_memcpy(dst, src, n); dst += n; src += n; 
@@ -1932,12 +1937,6 @@ if (n != 0) { *dst++ = '.'; } - - } else { - n = ((n & 0x3f) << 8) + *src; - src = &buf[n]; - - n = *src++; } if (n == 0) { continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
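Review bot: in the nginx-0.8.spec hunk at @@ -57,6 +57,9 @@, the new "# PATCH-FIX-UPSTREAM" comment above "Patch5:" names no patch file, while the Patch4 comment directly above it does (# PATCH-FIX-UPSTREAM nginx-0.6.31_default_config.patch). Suggest "# PATCH-FIX-UPSTREAM nginx_heap_overflow_4315.patch", ideally with the CVE-2011-4315 / bnc #731084 reference from the .changes entry, so the tag can be traced to the fix from the spec file alone.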
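Review bot: in the src/core/ngx_resolver.c hunk at @@ -1922,7 +1922,12 @@, the new test "if (n & 0xc0)" is true when either of the top two bits is set, so length bytes in the range 0x40-0xbf are also followed as compression pointers. A DNS compression pointer has both bits set, so "(n & 0xc0) == 0xc0" with an explicit error path for the other two bit patterns would be stricter. In the same branch, nothing in the visible lines checks the computed 14-bit offset before "src = &buf[n];" or limits how many pointers are followed in a row; if an earlier pass over the name already validates this, a short comment here saying so would make the copy loop easier to audit.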