On Fri, Jan 11, 2013 at 11:37:07AM -0500, Daniel Kahn Gillmor wrote:
> Package: nginx
> Version: 0.7.67-3+squeeze2
> Severity: normal
> Tags: upstream security
> Control: found -1 1.2.1-2.2
>
> When nginx is configured as a reverse proxy with an https origin
> server, it is vulnerable to a MITM attack, because it does not verify
> the certificate of the origin server.
>
> This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and
> also CVE-2011-4968.
>
> It appears to have been known for over a year, but the proposed
> patches to resolve the problem appear to have never made it through
> the patch review process in upstream:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

nginx maintainers, what's the status?

Cheers,
Moritz
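
Added example, not part of the original thread and not nginx's or Debian's own code: a small audit that flags every `proxy_pass https://...` block where origin certificate verification is not in effect. It assumes an nginx release that provides the `proxy_ssl_verify` and `proxy_ssl_trusted_certificate` directives (the versions named in the report do not); the sample configuration and the `audit` helper are constructed for illustration.

```python
import re
# Constructed sample configuration (not taken from the bug report).
SAMPLE = """
http {
    server {
        location /a/ { proxy_pass https://origin.example/; }
        location /b/ {
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_pass https://origin.example/;
        }
    }
    server {
        proxy_ssl_verify on;   # inherited by the locations below
        location /c/ { proxy_pass https://origin.example/; }
        location /d/ { proxy_pass http://127.0.0.1:8080; }
    }
}
"""

TOKEN = re.compile(r"[{};]|[^\s{};]+")

def audit(conf):
    """Return (block, reason) for each https proxy_pass lacking origin verification."""
    # Simplified parser: no quoted strings or includes; a block inherits only
    # the directives written before it in its parent.
    conf = re.sub(r"#[^\n]*", "", conf)          # strip comments
    scopes, names, words, findings = [{}], ["main"], [], []
    for tok in TOKEN.findall(conf):
        if tok == "{":                            # open block: inherit settings
            child = dict(scopes[-1])
            child.pop("proxy_pass", None)         # proxy_pass is not inherited
            scopes.append(child)
            names.append(" ".join(words))
            words = []
        elif tok == ";":                          # end of a simple directive
            if words:
                scopes[-1][words[0]] = " ".join(words[1:])
            words = []
        elif tok == "}":                          # close block: judge it
            scope, name = scopes.pop(), names.pop()
            if scope.get("proxy_pass", "").startswith("https://"):
                if scope.get("proxy_ssl_verify") != "on":
                    findings.append((name, "proxy_ssl_verify is not on"))
                elif not scope.get("proxy_ssl_trusted_certificate"):
                    findings.append((name, "proxy_ssl_trusted_certificate is not set"))
        else:
            words.append(tok)
    return findings
```

On the sample, `audit(SAMPLE)` reports `location /a/` (verification off by default) and `location /c/` (verification inherited from the server block, but no CA file to verify against).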