Opened 10 years ago

Closed 10 years ago

#535 closed defect (invalid)

Windows Distribution Vulnerable Due to OpenSSL Bug

Reported by: Aaron Riesbeck Owned by:
Priority: major Milestone:
Component: nginx-package Version: 1.5.x
Keywords: vulnerability Cc:
uname -a: N/A (Windows)
nginx -V: nginx version: nginx/1.5.13
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= -
-conf-path=conf/nginx.conf --pid-path=logs/ --http-log-path=logs/access
.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-te
mp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fast
cgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsg
i-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msv
c8/lib/pcre-8.34 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --wi
th-http_realip_module --with-http_addition_module --with-http_sub_module --with-
http_dav_module --with-http_stub_status_module --with-http_flv_module --with-htt
p_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-htt
p_auth_request_module --with-http_random_index_module --with-http_secure_link_mo
dule --with-mail --with-openssl=objs.msvc8/lib/openssl-1.0.1g --with-openssl-opt
=enable-tlsext --with-http_ssl_module --with-mail_ssl_module --with-ipv6


Due to the major security vulnerability in OpenSSL the windows binary offered on the website needs to have its version of OpenSSL updated. The current release (1.5.13) from 4/8 is using OpenSSL 1.0.1g which is vulnerable.


Change History (1)

comment:1 by Sergey Budnevitch, 10 years ago

Resolution: invalid
Status: newclosed

openssl 1.0.1g is not vulnerable (to this bug at least).

Note: See TracTickets for help on using tickets.