[-]
[+]
|
Changed |
nginx.spec
|
|
[-]
[+]
|
Changed |
nginx-1.4.7.tar.bz2/CHANGES
^
|
@@ -1,4 +1,17 @@
+Changes with nginx 1.4.7 18 Mar 2014
+
+ *) Security: a heap memory buffer overflow might occur in a worker
+ process while handling a specially crafted request by
+ ngx_http_spdy_module, potentially resulting in arbitrary code
+ execution (CVE-2014-0133).
+ Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
+ Manuel Sadosky, Buenos Aires, Argentina.
+
+ *) Bugfix: in the "fastcgi_next_upstream" directive.
+ Thanks to Lucas Molas.
+
+
Changes with nginx 1.4.6 04 Mar 2014
*) Bugfix: the "client_max_body_size" directive might not work when
|
[-]
[+]
|
Changed |
nginx-1.4.7.tar.bz2/CHANGES.ru
^
|
@@ -1,4 +1,17 @@
+Изменения в nginx 1.4.7 18.03.2014
+
+ *) Безопасность: при обработке специально созданного запроса модулем
+ ngx_http_spdy_module могло происходить переполнение буфера в рабочем
+ процессе, что потенциально могло приводить к выполнению произвольного
+ кода (CVE-2014-0133).
+ Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky,
+ Buenos Aires, Argentina.
+
+ *) Исправление: в директиве fastcgi_next_upstream.
+ Спасибо Lucas Molas.
+
+
Изменения в nginx 1.4.6 04.03.2014
*) Исправление: директива client_max_body_size могла не работать при
|
[-]
[+]
|
Changed |
nginx-1.4.7.tar.bz2/src/core/nginx.h
^
|
@@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 1004006
-#define NGINX_VERSION "1.4.6"
+#define nginx_version 1004007
+#define NGINX_VERSION "1.4.7"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
|
[-]
[+]
|
Changed |
nginx-1.4.7.tar.bz2/src/http/modules/ngx_http_fastcgi_module.c
^
|
@@ -1195,6 +1195,10 @@
f->fastcgi_stdout = 0;
f->large_stderr = 0;
+ if (f->split_parts) {
+ f->split_parts->nelts = 0;
+ }
+
r->state = 0;
return NGX_OK;
@@ -1475,6 +1479,13 @@
rc = ngx_http_parse_header_line(r, &buf, 1);
+ if (rc != NGX_OK) {
+ ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+ "invalid header after joining "
+ "FastCGI records");
+ return NGX_ERROR;
+ }
+
h->key.len = r->header_name_end - r->header_name_start;
h->key.data = r->header_name_start;
h->key.data[h->key.len] = '\0';
|
[-]
[+]
|
Changed |
nginx-1.4.7.tar.bz2/src/http/ngx_http_spdy.c
^
|
@@ -1465,7 +1465,7 @@
ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
{
-#if (NGX_DEBUG)
+#if 1
if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
"spdy state buffer overflow: "
|