Package: nginx Version: 0.7.67-3+squeeze2 Severity: normal Tags: upstream security Control: found -1 1.2.1-2.2
When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server. This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and also CVE-2011-4968. It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream: http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html Regards, --dkg -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
