Opened 10 years ago

Closed 10 years ago

#228 closed defect (invalid)

TrustWave PCI scan reports CVE-2012-1180 for version 1.2.3

Reported by: Greg Dickie
Owned by: somebody
Priority: critical
Milestone:
Component: nginx-core
Version: 1.2.x
Keywords: CVE-2012-1180 pci fail
Cc: greg@…
uname -a: Linux 2.6.18-274.17.1.el5xen #1 SMP Tue Jan 10 18:06:37 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.3
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
TLS SNI support disabled
configure arguments: --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -m64 -mtune=generic'


Using the RPM from the YUM repository.

Perhaps the fix was not ported into the 1.2 branch?

Change History (1)

comment:1 by Maxim Dounin, 10 years ago

Resolution: invalid
Status: new → closed

This problem was fixed in nginx 1.1.17, which is before 1.2.x, and all versions in the 1.2.x branch have the fix. The fix was also ported into the 1.0.x branch; all versions starting from 1.0.14 have the fix. See for details.
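For triaging scanner findings like this one, the following added example (not part of the ticket and not nginx project code) encodes the release thresholds stated in the comment above and shows why a check must be branch-aware: a plain "version >= 1.1.17" comparison would wrongly flag the patched 1.0.x releases. The function names are hypothetical, and the banner string is the `nginx -V` line from this ticket.

```python
import re

# Thresholds as stated in the maintainer's comment on this ticket.
MAINLINE_FIX = (1, 1, 17)            # first release carrying the fix
BACKPORTS = {(1, 0): (1, 0, 14)}     # stable branch -> first release with the backport


def parse_nginx_version(banner):
    """Extract (major, minor, patch) from `nginx -V` output or a Server header."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in banner")
    return tuple(int(part) for part in m.groups())


def has_cve_2012_1180_fix(version):
    """Return True/False per the ticket, or None if the ticket does not cover the branch."""
    branch = version[:2]
    if branch in BACKPORTS:
        # Backported branch: compare against that branch's own threshold.
        return version >= BACKPORTS[branch]
    if version >= MAINLINE_FIX:
        # 1.1.17 and everything released after it, including all of 1.2.x.
        return True
    if branch == MAINLINE_FIX[:2]:
        # 1.1.x releases before 1.1.17 predate the fix.
        return False
    # Older branches are not mentioned in the ticket.
    return None


def triage(banner):
    """Turn a version banner into a short triage verdict for a scan finding."""
    version = parse_nginx_version(banner)
    verdict = has_cve_2012_1180_fix(version)
    label = {True: "fix present (likely false positive)",
             False: "fix missing (upgrade)",
             None: "branch not covered by ticket (check vendor advisory)"}[verdict]
    return "%d.%d.%d: %s" % (version + (label,))


if __name__ == "__main__":
    # First banner is from this ticket; the others are constructed samples.
    for line in ("nginx version: nginx/1.2.3", "Server: nginx/1.0.13",
                 "Server: nginx/1.0.14", "Server: nginx/1.1.16"):
        print(triage(line))
```

Distribution packages may also carry backported patches without changing the upstream version string, so a "fix missing" verdict from a banner alone should be confirmed against the package changelog.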
