Mercurial > hg > nginx-site

changeset 899:012feca3d85f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx-1.5.0, nginx-1.4.1
author Maxim Dounin <mdounin@mdounin.ru>
date Tue, 07 May 2013 15:06:38 +0400
parents c0359977e2b6
children da102c9c7e36
files text/en/CHANGES text/en/CHANGES-1.4 text/ru/CHANGES.ru text/ru/CHANGES.ru-1.4 xml/en/security_advisories.xml xml/index.xml xml/versions.xml
diffstat 7 files changed, 60 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/text/en/CHANGES	Sat May 04 23:04:53 2013 +0400
+++ b/text/en/CHANGES	Tue May 07 15:06:38 2013 +0400
@@ -1,4 +1,13 @@
 
+Changes with nginx 1.5.0                                         07 May 2013
+
+    *) Security: a stack-based buffer overflow might occur in a worker
+       process while handling a specially crafted request, potentially
+       resulting in arbitrary code execution (CVE-2013-2028); the bug had
+       appeared in 1.3.9.
+       Thanks to Greg MacManus, iSIGHT Partners Labs.
+
+
 Changes with nginx 1.4.0                                         24 Apr 2013
 
     *) Bugfix: nginx could not be built with the ngx_http_perl_module if the
--- a/text/en/CHANGES-1.4	Sat May 04 23:04:53 2013 +0400
+++ b/text/en/CHANGES-1.4	Tue May 07 15:06:38 2013 +0400
@@ -1,4 +1,13 @@
 
+Changes with nginx 1.4.1                                         07 May 2013
+
+    *) Security: a stack-based buffer overflow might occur in a worker
+       process while handling a specially crafted request, potentially
+       resulting in arbitrary code execution (CVE-2013-2028); the bug had
+       appeared in 1.3.9.
+       Thanks to Greg MacManus, iSIGHT Partners Labs.
+
+
 Changes with nginx 1.4.0                                         24 Apr 2013
 
     *) Bugfix: nginx could not be built with the ngx_http_perl_module if the
--- a/text/ru/CHANGES.ru	Sat May 04 23:04:53 2013 +0400
+++ b/text/ru/CHANGES.ru	Tue May 07 15:06:38 2013 +0400
@@ -1,4 +1,13 @@
 
+Изменения в nginx 1.5.0                                           07.05.2013
+
+    *) Безопасность: при обработке специально созданного запроса мог
+       перезаписываться стек рабочего процесса, что могло приводить к
+       выполнению произвольного кода (CVE-2013-2028); ошибка появилась в
+       1.3.9.
+       Спасибо Greg MacManus, iSIGHT Partners Labs.
+
+
 Изменения в nginx 1.4.0                                           24.04.2013
 
     *) Исправление: nginx не собирался с модулем ngx_http_perl_module, если
--- a/text/ru/CHANGES.ru-1.4	Sat May 04 23:04:53 2013 +0400
+++ b/text/ru/CHANGES.ru-1.4	Tue May 07 15:06:38 2013 +0400
@@ -1,4 +1,13 @@
 
+Изменения в nginx 1.4.1                                           07.05.2013
+
+    *) Безопасность: при обработке специально созданного запроса мог
+       перезаписываться стек рабочего процесса, что могло приводить к
+       выполнению произвольного кода (CVE-2013-2028); ошибка появилась в
+       1.3.9.
+       Спасибо Greg MacManus, iSIGHT Partners Labs.
+
+
 Изменения в nginx 1.4.0                                           24.04.2013
 
     *) Исправление: nginx не собирался с модулем ngx_http_perl_module, если
--- a/xml/en/security_advisories.xml	Sat May 04 23:04:53 2013 +0400
+++ b/xml/en/security_advisories.xml	Tue May 07 15:06:38 2013 +0400
@@ -24,6 +24,13 @@
 
 <security>
 
+<item name="Stack-based buffer overflow with specially crafted request"
+      severity="major"
+      cve="2013-2028"
+      good="1.5.0+, 1.4.1+"
+      vulnerable="1.3.9-1.4.0"
+      patch="patch.2013.chunked.txt" />
+
 <item name="Vulnerabilities with Windows directory aliases"
       severity="medium"
       cve="2011-4963"
--- a/xml/index.xml	Sat May 04 23:04:53 2013 +0400
+++ b/xml/index.xml	Tue May 07 15:06:38 2013 +0400
@@ -7,6 +7,21 @@
 
 <news name="nginx news" link="/" lang="en">
 
+<event date="2013-05-07">
+<para>
+<link doc="en/download.xml">nginx-1.4.1</link>
+stable and
+<link doc="en/download.xml">nginx-1.5.0</link>
+development versions have been released,
+with the fix for the
+<link doc="en/security_advisories.xml">stack-based buffer overflow</link>
+security problem in nginx 1.3.9 - 1.4.0,
+discovered by Greg MacManus, of
+<link url="http://isightpartners.com">iSIGHT Partners</link> Labs
+(CVE-2013-2028).
+</para>
+</event>
+
 <event date="2013-04-25">
 <para>
 Source code <link url="http://hg.nginx.org/nginx/">repository</link>
--- a/xml/versions.xml	Sat May 04 23:04:53 2013 +0400
+++ b/xml/versions.xml	Tue May 07 15:06:38 2013 +0400
@@ -9,13 +9,14 @@
 
 <download tag="development" changes="">
 
-<item ver="1.4.0" />
+<item ver="1.5.0" />
 
 </download>
 
 
 <download tag="stable" changes="1.4">
 
+<item ver="1.4.1" />
 <item ver="1.4.0" />
 <item ver="1.3.16" />
 <item ver="1.3.16" />