Opened 12 years ago
Closed 12 years ago
#228 closed defect (invalid)
TrustWave PCI scan reports CVE-2012-1180 for version 1.2.3
| Reported by: | Greg Dickie | Owned by: | somebody |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | nginx-core | Version: | 1.2.x |
| Keywords: | CVE-2012-1180 pci fail | Cc: | greg@… |
| uname -a: | Linux lb-01.tribalnovakids.com 2.6.18-274.17.1.el5xen #1 SMP Tue Jan 10 18:06:37 EST 2012 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.2.3
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52) TLS SNI support disabled configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -m64 -mtune=generic' |
||
Description
Using the RPM from the YUM repository.
Perhaps the fixed was not ported into the 1.2 branch?
Note:
See TracTickets
for help on using tickets.
This problem was fixed in nginx 1.1.17, which is before 1.2.x, and all versions in 1.2.x branch have the fix. The fix was also ported into 1.0.x branch, all versions starting from 1.0.14 have the fix. See http://nginx.org/en/security_advisories.html for details.