*** This bug is a security vulnerability ***

Public security bug reported:

I am reporting this bug so there's a bug to track this within Launchpad. If/when a patch is approved upstream, this bug can be used as a reference point in the changelog when SRU-ing the fix into older releases.

Confirmed as Debian Bug 697940.
Confirmed as CVE-2011-4968.

This has already been added to the Ubuntu Security Team Tracker at http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4968.html

Information as follows comes from the Debian Bug:

"When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server. This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and also CVE-2011-4968. It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream."

** Affects: nginx (Ubuntu)
   Importance: Undecided
   Status: New

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4968

--
https://bugs.launchpad.net/bugs/1098654

Title:
  nginx vulnerable to MITM Attack [CVE-2011-4968]
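A configuration audit for the condition the Debian bug describes, added here as an example and not part of the original report or of nginx itself. It assumes an nginx release that provides the `proxy_ssl_verify` directive (off by default) and flags every block that proxies to an `https://` origin without it switched on. The configuration text is constructed, and the parser is simplified: no `include` handling and no quoted strings.

```python
import re
from collections import ChainMap

# Constructed sample config; host names and file paths are placeholders.
SAMPLE_CONF = """
http {
    server {
        location /api/   { proxy_pass https://origin.example.internal; }
        location /plain/ { proxy_pass http://127.0.0.1:8080; }
    }
    server {
        location /checked/ { proxy_pass https://origin.example.internal; }
        location /optout/  { proxy_pass https://origin.example.internal; proxy_ssl_verify off; }
        # Set at server level after the locations; they still inherit it.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/origin-ca.pem;
    }
}
"""

def audit(conf):
    """List (block, origin) pairs that proxy to https without certificate verification."""
    scope = ChainMap()                       # main context
    blocks, words = [("main", scope)], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf)):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":                       # open a block that sees its parents' settings
            scope = scope.new_child()
            blocks.append((" ".join(words), scope))
        elif tok == "}":
            scope = scope.parents
        elif words:                          # ";" ends a directive: name -> arguments
            scope[words[0]] = words[1:]
        words = []
    findings = []
    for name, settings in blocks:
        # proxy_pass is read from the block itself; proxy_ssl_verify is inherited.
        target = (settings.maps[0].get("proxy_pass") or [""])[0]
        if target.lower().startswith("https://") and settings.get("proxy_ssl_verify") != ["on"]:
            findings.append((name, target))
    return findings

if __name__ == "__main__":
    for block, origin in audit(SAMPLE_CONF):
        print(f"unverified TLS to origin: {block} -> {origin}")
```
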
