Mailinglist Archive: opensuse-updates (200 mails)

openSUSE-SU-2013:1015-1: moderate: version update for nginx
openSUSE Security Update: version update for nginx
______________________________________________________________________________

Announcement ID: openSUSE-SU-2013:1015-1
Rating: moderate
References: #821184
Cross-References: CVE-2013-2070
Affected Products:
openSUSE 12.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:


This version update for nginx to 1.2.9 includes a security
fix and several bugfixes and feature enhancements.
(bnc#821184)
*) Security: contents of worker process memory might be
sent to a client if HTTP backend returned specially
crafted response (CVE-2013-2070); the bug had appeared
in 1.1.4.
- changes with 1.2.8:
*) Bugfix: new sessions were not always stored if the
"ssl_session_cache shared" directive was used and there
was no free space in shared memory.
*) Bugfix: responses might hang if subrequests were used
and a DNS error happened during subrequest processing.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: in backend usage accounting.
- changes with nginx 1.2.7
*) Change: now if the "include" directive with mask is
used on Unix systems, included files are sorted in
alphabetical order.
*) Change: the "add_header" directive adds headers to 201
responses.
*) Feature: the "geo" directive now supports IPv6
addresses in CIDR notation.
*) Feature: the "flush" and "gzip" parameters of the
"access_log" directive.
*) Feature: variables support in the "auth_basic"
directive.
*) Feature: the $pipe, $request_length, $time_iso8601,
and $time_local variables can now be used not only in
the "log_format" directive.
*) Feature: IPv6 support in the ngx_http_geoip_module.
*) Bugfix: nginx could not be built with the
ngx_http_perl_module in some cases.
*) Bugfix: a segmentation fault might occur in a worker
process if the ngx_http_xslt_module was used.
*) Bugfix: nginx could not be built on MacOSX in some
cases.
*) Bugfix: the "limit_rate" directive with high rates
might result in truncated responses on 32-bit platforms.
*) Bugfix: a segmentation fault might occur in a worker
process if the "if" directive was used.
*) Bugfix: a "100 Continue" response was issued with "413
Request Entity Too Large" responses.
*) Bugfix: the "image_filter",
"image_filter_jpeg_quality" and "image_filter_sharpen"
directives might be inherited incorrectly.
*) Bugfix: "crypt_r() failed" errors might appear if the
"auth_basic" directive was used on Linux.
*) Bugfix: in backup servers handling.
*) Bugfix: proxied HEAD requests might return incorrect
response if the "gzip" directive was used.
*) Bugfix: a segmentation fault occurred on start or
during reconfiguration if the "keepalive" directive was
specified more than once in a single upstream block.
*) Bugfix: in the "proxy_method" directive.
*) Bugfix: a segmentation fault might occur in a worker
process if resolver was used with the poll method.
*) Bugfix: nginx might hog CPU during SSL handshake with
a backend if the select, poll, or /dev/poll methods were
used.
*) Bugfix: the "[crit] SSL_write() failed (SSL:)" error.
*) Bugfix: in the "fastcgi_keep_conn" directive.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2013-484

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.3 (i586 x86_64):

nginx-1.2.9-3.4.1
nginx-debuginfo-1.2.9-3.4.1
nginx-debugsource-1.2.9-3.4.1


References:

http://support.novell.com/security/cve/CVE-2013-2070.html
https://bugzilla.novell.com/821184
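
The description above gives the range for CVE-2013-2070 on this branch: the bug appeared in 1.1.4 and is fixed in 1.2.9. The following shell check is an added example, not part of the advisory or of nginx; the function names and status strings are assumptions made here, and versions from 1.3 onward are reported as not covered because the advisory says nothing about them.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an nginx version against
# the CVE-2013-2070 range stated above (appeared in 1.1.4, fixed in 1.2.9).

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions A <, =, > B.
# Compares field by field as integers, so 1.2.10 sorts after 1.2.9.
ver_cmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0          # missing fields count as 0
        [ -n "$y" ] || y=0
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# classify_nginx STRING: accepts "1.2.8", "nginx/1.2.8" or the line printed
# by `nginx -v`. Prints one of (hypothetical labels chosen for this example):
#   predates-bug  older than 1.1.4
#   affected      1.1.4 up to, not including, 1.2.9
#   fixed         1.2.9 or later on the 1.2 branch
#   not-covered   1.3 or later; the advisory gives no data for these
#   unknown       input is not a dotted numeric version
classify_nginx() {
    v=${1##*/}                      # drop "nginx version: nginx/"
    v=${v%% *}                      # drop any trailing build text
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    if   [ "$(ver_cmp "$v" 1.1.4)" -lt 0 ]; then echo predates-bug
    elif [ "$(ver_cmp "$v" 1.2.9)" -lt 0 ]; then echo affected
    elif [ "$(ver_cmp "$v" 1.3)"   -lt 0 ]; then echo fixed
    else echo not-covered
    fi
}

# If nginx is installed, report on the local binary (`nginx -v` writes to stderr).
if command -v nginx >/dev/null 2>&1; then
    line=$(nginx -v 2>&1 | head -n 1) || line=
    echo "local nginx: $(classify_nginx "$line")"
fi
```

The check looks only at the upstream version string; the package release (3.4.1 in the package list above) still has to be confirmed with the package manager.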

