[arch-security] [ASA-201606-1] nginx: denial of service
Arch Linux Security Advisory ASA-201606-1 ========================================= Severity: Medium Date : 2016-06-01 CVE-ID : CVE-2016-4450 Package : nginx Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package nginx before version 1.10.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.10.1-1. # pacman -Syu "nginx>=1.10.1-1" The problem has been fixed upstream in version 1.10.1. Workaround ========== None. Description =========== A vulnerability was found in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while handling the client request body. Impact ====== A remote attacker is able to use a specially crafted request to crash the worker resulting in denial of service. References ========== http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html https://access.redhat.com/security/cve/CVE-2016-4450
participants (1)
-
Levente Polyak