openSUSE Security Update : nginx (openSUSE-SU-2013:1015-1)
Medium Nessus Plugin ID 75025
SynopsisThe remote openSUSE host is missing a security update.
DescriptionThis version update for nginx to 1.2.9 includes a security fix and several bugfixes and feature enhancements. (bnc#821184)
*) Security: contents of worker process memory might be sent to a client if HTTP backend returned specially crafted response (CVE-2013-2070); the bug had appeared in 1.1.4.
- changes with 1.2.8 :
*) Bugfix: new sessions were not always stored if the 'ssl_session_cache shared' directive was used and there was no free space in shared memory.
*) Bugfix: responses might hang if subrequests were used and a DNS error happened during subrequest processing.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: in backend usage accounting.
- changes with nginx 1.2.7
*) Change: now if the 'include' directive with mask is used on Unix systems, included files are sorted in alphabetical order.
*) Change: the 'add_header' directive adds headers to 201 responses.
*) Feature: the 'geo' directive now supports IPv6 addresses in CIDR notation.
*) Feature: the 'flush' and 'gzip' parameters of the 'access_log' directive.
*) Feature: variables support in the 'auth_basic' directive.
*) Feature: the $pipe, $request_length, $time_iso8601, and $time_local variables can now be used not only in the 'log_format' directive.
*) Feature: IPv6 support in the ngx_http_geoip_module.
*) Bugfix: nginx could not be built with the ngx_http_perl_module in some cases.
*) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_xslt_module was used.
*) Bugfix: nginx could not be built on MacOSX in some cases.
*) Bugfix: the 'limit_rate' directive with high rates might result in truncated responses on 32-bit platforms.
*) Bugfix: a segmentation fault might occur in a worker process if the 'if' directive was used.
*) Bugfix: a '100 Continue' response was issued with '413 Request Entity Too Large' responses.
*) Bugfix: the 'image_filter', 'image_filter_jpeg_quality' and 'image_filter_sharpen' directives might be inherited incorrectly.
*) Bugfix: 'crypt_r() failed' errors might appear if the 'auth_basic' directive was used on Linux.
*) Bugfix: in backup servers handling.
*) Bugfix: proxied HEAD requests might return incorrect response if the 'gzip' directive was used.
*) Bugfix: a segmentation fault occurred on start or during reconfiguration if the 'keepalive' directive was specified more than once in a single upstream block.
*) Bugfix: in the 'proxy_method' directive.
*) Bugfix: a segmentation fault might occur in a worker process if resolver was used with the poll method.
*) Bugfix: nginx might hog CPU during SSL handshake with a backend if the select, poll, or /dev/poll methods were used.
*) Bugfix: the '[crit] SSL_write() failed (SSL:)' error.
*) Bugfix: in the 'fastcgi_keep_conn' directive.
SolutionUpdate the affected nginx packages.