Engine Yard Developer Center

May 14, 2013 - nginx security advisory (CVE-2013-2070)

Updated: May 29th, 2013

Note: This issue has been addressed with the May 29th, 2013 stack upgrades.


Risk Assessment: Low – when not using proxy_pass to untrusted upstream HTTP servers

Vulnerable versions: nginx 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0, if proxy_pass to untrusted upstream HTTP servers is used.



A security problem related to CVE-2013-2028 was identified that affects some previous nginx versions when proxy_pass to untrusted upstream HTTP servers is used. A specially crafted response from an upstream proxied server may lead to a denial of service or to disclosure of worker process memory. The problem affects nginx 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0. It is already fixed in nginx 1.5.0 and 1.4.1. Version 1.2.9 was released to address the issue in the 1.2.x legacy branch.
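For an nginx instance you manage yourself, the two conditions above (a version in the affected ranges and a proxy_pass to an upstream you do not control) can be checked as follows. This is an added example, not Engine Yard or nginx code; the `trusted_hosts` parameter is a hypothetical operator-supplied list and the sample configuration is constructed.

```python
import re
from urllib.parse import urlsplit

# Affected ranges from the advisory, inclusive: 1.1.4 - 1.2.8 and 1.3.0 - 1.4.0.
AFFECTED = [((1, 1, 4), (1, 2, 8)), ((1, 3, 0), (1, 4, 0))]

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
server {
    listen 80;
    location /app/ { proxy_pass http://127.0.0.1:8080; }
    # proxy_pass http://old.example.invalid;
    location /feed/ {
        proxy_pass http://partner.example.invalid/feed;
    }
}
"""

def parse_version(banner):
    """Pull (major, minor, patch) out of `nginx -v` output or a bare version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(part) for part in m.groups())

def version_affected(banner):
    """True if the version lies in a range the advisory lists as vulnerable."""
    version = parse_version(banner)
    return any(low <= version <= high for low, high in AFFECTED)

def proxy_pass_targets(config_text):
    """List proxy_pass targets, skipping text after '#' (simplified comment handling)."""
    targets = []
    for line in config_text.splitlines():
        active = line.split("#", 1)[0]
        targets += re.findall(r"\bproxy_pass\s+([^;\s]+)\s*;", active)
    return targets

def assess(banner, config_text, trusted_hosts):
    """trusted_hosts is a hypothetical operator-supplied set of upstream hosts."""
    untrusted = [t for t in proxy_pass_targets(config_text)
                 if urlsplit(t).hostname not in trusted_hosts]
    affected = version_affected(banner)
    return {"version_affected": affected, "untrusted_upstreams": untrusted,
            "exposed": affected and bool(untrusted)}

if __name__ == "__main__":
    print(assess("nginx version: nginx/1.2.8", SAMPLE_CONF, {"127.0.0.1"}))
```

Whether an upstream counts as trusted is the operator's judgment; the script only lists the targets that are not on the supplied list.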



Update to the latest cookbook by clicking Upgrade to get the May 29th, 2013 stack.


If you have any questions or concerns, please open a ticket here: https://support.cloud.engineyard.com/tickets/new
