Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests. An attacker can use this to execute arbitrary code with the rights of the worker process (www-data on Debian) or possibly perform denial of service attacks by repeatedly crashing worker processes via a specially crafted URL in an HTTP request.

- Fri Dec 4 2009 Jeremy Hinegardner <jeremy at hinegardner     dot org> - 0.7.64-1

    - update to 0.7.64

    - Thu Oct 29 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.63-1

    - update to 0.7.63

    - Mon Sep 14 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.62-1

    - update to 0.7.62

    - fixes CVE-2009-2629

    - Sun Aug 2 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.61-1

    - update to new stable 0.7.61

    - remove third-party module

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri Dec 4 2009 Jeremy Hinegardner <jeremy at hinegardner     dot org> - 0.7.64-1

    - update to 0.7.64

    - Thu Oct 29 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.63-1

    - update to 0.7.63

    - Mon Sep 14 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.62-1

    - update to 0.7.62

    - fixes CVE-2009-2629

    - Sun Aug 2 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.61-1

    - update to new stable 0.7.61

    - remove third-party module

    - Sat Apr 11 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> 0.6.36-1

    - update to 0.6.36

    - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at       lists.fedoraproject.org> - 0.6.35-3

    - Rebuilt for       https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

    - Thu Feb 19 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.35-2

    - rebuild

    - Thu Feb 19 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.35-1

    - update to 0.6.35

    - Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> -       0.6.34-2

    - rebuild with new openssl

    - Tue Dec 30 2008 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.34-1

    - update to 0.6.34

    - Thu Dec 4 2008 Michael Schwendt <mschwendt at       fedoraproject.org> - 0.6.33-2

    - Fix inclusion of /usr/share/nginx tree => no unowned       directories.

    - Sun Nov 23 2008 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.33-1

    - update to 0.6.33

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fri Dec 4 2009 Jeremy Hinegardner <jeremy at hinegardner     dot org> - 0.7.64-1

    - Update to new stable 0.7.64

    - Thu Oct 29 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.63-1

    - Update to new stable 0.7.63

    - reinstate zlib dependency

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote web server is running nginx, a lightweight, high performance web server / reverse proxy and email (IMAP/POP3) proxy.

According to its Server response header, the installed version of nginx is affected by multiple vulnerabilities : - A remote buffer overflow attack related to its parsing of complex URIs.

  - A remote denial of service attack related to its parsing     of HTTP request headers.

The remote host is affected by the vulnerability described in GLSA-200909-18 (nginx: Remote execution of arbitrary code)

    Chris Ries reported a heap-based buffer underflow in the     ngx_http_parse_complex_uri() function in http/ngx_http_parse.c when     parsing the request URI.
  Impact :

    A remote attacker might send a specially crafted request URI to a nginx     server, possibly resulting in the remote execution of arbitrary code     with the privileges of the user running the server, or a Denial of     Service. NOTE: By default, nginx runs as the 'nginx' user.
  Workaround :

    There is no known workaround at this time.

- Mon Sep 14 2009 Jeremy Hinegardner <jeremy at     hinegardner dot org> - 0.7.62-1

    - update to 0.7.62

    - fixes CVE-2009-2629

    - Sun Aug 2 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.61-1

    - update to new stable 0.7.61

    - remove third-party module

    - Sat Apr 11 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> 0.6.36-1

    - update to 0.6.36

    - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at       lists.fedoraproject.org> - 0.6.35-3

    - Rebuilt for       https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

    - Thu Feb 19 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.35-2

    - rebuild

    - Thu Feb 19 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.35-1

    - update to 0.6.35

    - Sat Jan 17 2009 Tomas Mraz <tmraz at redhat.com> -       0.6.34-2

    - rebuild with new openssl

    - Tue Dec 30 2008 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.34-1

    - update to 0.6.34

    - Thu Dec 4 2008 Michael Schwendt <mschwendt at       fedoraproject.org> - 0.6.33-2

    - Fix inclusion of /usr/share/nginx tree => no unowned       directories.

    - Sun Nov 23 2008 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.6.33-1

    - update to 0.6.33

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Mon Sep 14 2009 Jeremy Hinegardner <jeremy at     hinegardner dot org> - 0.7.62-1

    - update to 0.7.62

    - fixes CVE-2009-2629

    - Sun Aug 2 2009 Jeremy Hinegardner <jeremy at       hinegardner dot org> - 0.7.61-1

    - update to new stable 0.7.61

    - remove third-party module

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

nginx development team reports :

A segmentation fault might occur in worker process while specially crafted request handling.

The remote host is running a version of nginx web server that is potentially affected by a remote buffer overflow vulnerability.  Using a specially crafted HTTP request, an attacker can cause web server to crash, or potentially run arbitrary code subject to the privileges of the web server user.

ID	Name	Product	Family	Severity
44749	Debian DSA-1884-1 : nginx - buffer underflow	Nessus	Debian Local Security Checks	high
43034	Fedora 11 : nginx-0.7.64-1.fc11 (2009-12782)	Nessus	Fedora Local Security Checks	high
43033	Fedora 10 : nginx-0.7.64-1.fc10 (2009-12775)	Nessus	Fedora Local Security Checks	high
43032	Fedora 12 : nginx-0.7.64-1.fc12 (2009-12750)	Nessus	Fedora Local Security Checks	high
41608	nginx HTTP Request Multiple Vulnerabilities	Nessus	Web Servers	high
41022	GLSA-200909-18 : nginx: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
40996	Fedora 10 : nginx-0.7.62-1.fc10 (2009-9652)	Nessus	Fedora Local Security Checks	high
40995	Fedora 11 : nginx-0.7.62-1.fc11 (2009-9630)	Nessus	Fedora Local Security Checks	high
40978	FreeBSD : nginx -- remote denial of service vulnerability (152b27f0-a158-11de-990c-e5b1d4c882e0)	Nessus	FreeBSD Local Security Checks	high
5174	nginx HTTP Request Remote Buffer Overflow	Nessus Network Monitor	Web Servers	high

Detections

Analytics

CVE-2009-2629

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high