Opened 7 years ago

Closed 7 years ago

#535 closed defect (invalid)

Windows Distribution Vulnerable Due to OpenSSL Bug

Reported by: Aaron Riesbeck
Owned by:
Priority: major
Milestone:
Component: nginx-package
Version: 1.5.x
Keywords: vulnerability
Cc:
uname -a: N/A (Windows)
nginx -V: nginx version: nginx/1.5.13
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.34 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-mail --with-openssl=objs.msvc8/lib/openssl-1.0.1g --with-openssl-opt=enable-tlsext --with-http_ssl_module --with-mail_ssl_module --with-ipv6

Description

Due to the major security vulnerability in OpenSSL, the Windows binary offered on the nginx.org website needs to have its version of OpenSSL updated. The current release (1.5.13) from 4/8 is using OpenSSL 1.0.1g, which is vulnerable.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Thanks,
Aaron

Change History (1)

comment:1 by Sergey Budnevitch, 7 years ago

Resolution: invalid
Status: new → closed

OpenSSL 1.0.1g is not vulnerable (to this bug at least).

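Added example, not part of the ticket or of nginx: one way to triage a statically linked build like the one reported here is to read the OpenSSL directory name out of `nginx -V` (undoing console line wrapping first) and compare it with the CVE-2014-0160 affected range. The range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1) is taken from the OpenSSL advisory rather than from this page, and the function names and sample output are hypothetical.

```python
import re

# Constructed sample: `nginx -V` output hard-wrapped by an 80-column console,
# so the OpenSSL path is split mid-token (values modelled on this ticket).
SAMPLE_WRAPPED = (
    "nginx version: nginx/1.5.13\n"
    "TLS SNI support enabled\n"
    "configure arguments: --with-cc=cl --with-mail --with-openssl=objs.msvc8/lib/open\n"
    "ssl-1.0.1g --with-openssl-opt=enable-tlsext --with-http_ssl_module\n"
)

# Matches the source directory given to --with-openssl=, e.g. .../openssl-1.0.1g
_OPENSSL_DIR = re.compile(
    r"--with-openssl=\S*?openssl-(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?")


def heartbleed_status(base, letter, beta):
    """Classify against the CVE-2014-0160 range: 1.0.1 through 1.0.1f,
    plus 1.0.2-beta and 1.0.2-beta1. 1.0.1g and later carry the fix."""
    if base == "1.0.1":
        # "" (plain 1.0.1) and "a".."f" all sort before "g"
        return "affected" if letter < "g" else "fixed"
    if base == "1.0.2" and beta in ("-beta", "-beta1"):
        return "affected"
    return "not affected"  # outside the affected range


def check_nginx_build(nginx_v_output):
    """Return (openssl_version, status) for a statically linked nginx build.
    Only the directory name is inspected: a build compiled with
    -DOPENSSL_NO_HEARTBEATS is not exposed even inside the affected range."""
    # Undo console wrapping by joining lines with no separator.
    joined = "".join(nginx_v_output.splitlines())
    m = _OPENSSL_DIR.search(joined)
    if m is None:
        return None, "unknown"  # no versioned --with-openssl= path in output
    base, letter, beta = m.group(1), m.group(2), m.group(3) or ""
    return base + letter + beta, heartbleed_status(base, letter, beta)


if __name__ == "__main__":
    print(check_nginx_build(SAMPLE_WRAPPED))
```

A result of "unknown" means nginx was not built against a versioned OpenSSL source tree, so the OpenSSL library loaded at runtime has to be checked instead.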