var-200909-0576
Vulnerability from variot
Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests. The nginx web server contains a buffer underrun vulnerability. nginx is an HTTP server and mail proxy server offered for various platforms. There is a problem in the ngx_http_parse_complex_uri() function, and a buffer underrun may occur when it processes a crafted URI. nginx consists of a privileged master process and an unprivileged worker process. A remote third party may be able to execute arbitrary code with the privileges of a worker process or cause a denial of service (DoS). The 'nginx' program is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
Affected packages
-------------------------------------------------------------------
     Package             /  Vulnerable  /               Unaffected
-------------------------------------------------------------------
  1  www-servers/nginx      < 0.7.62                     >= 0.5.38
                                                         >= 0.6.39
                                                         >= 0.7.62
Description
Chris Ries reported a heap-based buffer underflow in the ngx_http_parse_complex_uri() function in http/ngx_http_parse.c when parsing the request URI. NOTE: By default, nginx runs as the "nginx" user.
Workaround
There is no known workaround at this time.
Resolution
All nginx 0.5.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =www-servers/nginx-0.5.38
All nginx 0.6.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =www-servers/nginx-0.6.39
All nginx 0.7.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose =www-servers/nginx-0.7.62
References
[ 1 ] CVE-2009-2629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2629
Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200909-18.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Debian Security Advisory DSA-1884-1
security@debian.org
http://www.debian.org/security/
Nico Golde
September 14th, 2009
http://www.debian.org/security/faq

Package        : nginx
Vulnerability  : buffer underflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-2629
Chris Ries discovered that nginx, a high-performance HTTP server, reverse proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when processing certain HTTP requests.
For the oldstable distribution (etch), this problem has been fixed in version 0.4.13-2+etch2.
For the stable distribution (lenny), this problem has been fixed in version 0.6.32-3+lenny2.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in version 0.7.61-3.
We recommend that you upgrade your nginx packages.
Upgrade instructions
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
    will update the internal database
apt-get upgrade
    will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
Debian (oldstable)
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Debian GNU/Linux 5.0 alias lenny
Debian (stable)
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on its next update.
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
"http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2.diff.gz", }, { trust: 0.1, url: "http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch2_amd64.deb", }, { trust: 0.1, url: "http://www.debian.org/security/", }, { trust: 0.1, url: "http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny2_powerpc.deb", }, ], sources: [ { db: "CERT/CC", id: "VU#180065", }, { db: "VULHUB", id: "VHN-40075", }, { db: "BID", id: "36384", }, { db: "JVNDB", id: "JVNDB-2009-002152", }, { db: "PACKETSTORM", id: "81454", }, { db: "PACKETSTORM", id: "81284", }, { db: "CNNVD", id: "CNNVD-200909-302", }, { db: "NVD", id: "CVE-2009-2629", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CERT/CC", id: "VU#180065", }, { db: "VULHUB", id: "VHN-40075", }, { db: "BID", id: "36384", }, { db: "JVNDB", id: "JVNDB-2009-002152", }, { db: "PACKETSTORM", id: "81454", }, { db: "PACKETSTORM", id: "81284", }, { db: "CNNVD", id: "CNNVD-200909-302", }, { db: "NVD", id: "CVE-2009-2629", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2009-09-15T00:00:00", db: "CERT/CC", id: "VU#180065", }, { date: "2009-09-15T00:00:00", db: "VULHUB", id: "VHN-40075", }, { date: "2009-09-14T00:00:00", db: "BID", id: "36384", }, { date: "2009-10-28T00:00:00", db: "JVNDB", id: "JVNDB-2009-002152", }, { date: "2009-09-19T16:50:46", db: "PACKETSTORM", id: "81454", }, { date: "2009-09-15T04:05:55", db: "PACKETSTORM", id: "81284", }, { date: "2009-09-15T00:00:00", db: "CNNVD", id: "CNNVD-200909-302", }, { date: "2009-09-15T22:30:00.233000", db: "NVD", id: "CVE-2009-2629", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2009-09-21T00:00:00", db: "CERT/CC", id: 
"VU#180065", }, { date: "2021-11-10T00:00:00", db: "VULHUB", id: "VHN-40075", }, { date: "2015-05-07T17:02:00", db: "BID", id: "36384", }, { date: "2009-10-28T00:00:00", db: "JVNDB", id: "JVNDB-2009-002152", }, { date: "2023-05-15T00:00:00", db: "CNNVD", id: "CNNVD-200909-302", }, { date: "2024-11-21T01:05:20.130000", db: "NVD", id: "CVE-2009-2629", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "PACKETSTORM", id: "81454", }, { db: "CNNVD", id: "CNNVD-200909-302", }, ], trust: 0.7, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability", sources: [ { db: "CERT/CC", id: "VU#180065", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "buffer error", sources: [ { db: "CNNVD", id: "CNNVD-200909-302", }, ], trust: 0.6, }, }