The NGINX developers released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw in the popular open source web server application.
Vulnerability, identified as CVE-2013-2028, allowed execution of an arbitrary code on the target system.
The bug can lead to rewriting the stack areas of the workflow when processing specially crafted HTTP chunked requests. Flaws appeared in NGINX 1.3.9 through 1.4.0.
Developers also issued corresponding update for the FreeBSD port with version 1.4.0.
As an additional method to fix the vulnerability, the vendor offers disabling the processing of HTTP chunked requests in each of the server blocks {}:
if ($ http_transfer_encoding ~ * chunked) {
444 return;
}
NakedSecurity recommends fixing the vulnerability as soon as possible.
Detailed description of the vulnerability is accessible here.
