Just a PSA for people running Debian servers: Subscribe to the debian-security-announce list[1] and you'll get these notices in your inbox rather than at the top of Hacker News. I got an email Sunday afternoon so when I saw this I thought ... another vulnerability, already?!

[1] http://lists.debian.org/debian-security-announce/
Note that's for the Debian distribution.

Patched source was actually posted back on May 7th and 13th for people who compile their own builds.

    2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released,
    with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0,
    discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).
    2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information
    disclosure security problem in some previous nginx versions (CVE-2013-2070).

The NGINX advisory is here: http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

This is almost 2 months old.
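For admins who build nginx themselves rather than taking the Debian package, the practical question is whether the running binary falls inside the ranges named in the changelog above. The script below is an added example, not part of this thread or of nginx itself: it parses the banner that `nginx -v` prints and reports which of the two CVEs still apply. The CVE-2013-2028 range (1.3.9 through 1.4.0, fixed in 1.4.1/1.5.0) is taken from the changelog quoted above; the lower bound for CVE-2013-2070 (1.1.4) is an assumption taken from the linked nginx advisory, not from this thread, with the 1.2.x legacy line treated as fixed from 1.2.9 onward as the changelog states.

```python
import re
import subprocess

# Inclusive vulnerable ranges per CVE. CVE-2013-2028 bounds come from the
# nginx changelog quoted in the thread; the CVE-2013-2070 lower bound (1.1.4)
# is assumed from the linked nginx advisory. "fixed_branches" lists
# maintenance branches that received a backported fix inside the range
# (1.2.9+ for CVE-2013-2070, per the 2013-05-13 changelog entry).
ADVISORIES = {
    "CVE-2013-2028": {"vulnerable": ((1, 3, 9), (1, 4, 0)), "fixed_branches": ()},
    "CVE-2013-2070": {"vulnerable": ((1, 1, 4), (1, 4, 0)),
                      "fixed_branches": (((1, 2), 9),)},
}

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from an 'nginx -v' banner such as
    'nginx version: nginx/1.4.0'. Returns None if no version is present."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def affected(version, cve):
    """True if the given (major, minor, patch) tuple is inside the CVE's
    vulnerable range and not on a branch that received a backported fix."""
    adv = ADVISORIES[cve]
    low, high = adv["vulnerable"]
    if not (low <= version <= high):
        return False
    for branch, first_fixed_patch in adv["fixed_branches"]:
        # e.g. 1.2.9 and later are clean even though they sit inside the range
        if version[:2] == branch and version[2] >= first_fixed_patch:
            return False
    return True


def check_banner(banner):
    """Return the CVE ids from ADVISORIES that apply to the version in the
    banner; an empty list means the build is patched for both."""
    v = parse_version(banner)
    if v is None:
        raise ValueError("no nginx version found in banner")
    return [cve for cve in ADVISORIES if affected(v, cve)]


def check_local():
    """Run the local nginx binary and check its banner (printed on stderr)."""
    out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    return check_banner(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample banners covering unpatched, legacy-fixed and current builds
    for banner in ("nginx version: nginx/1.4.0",
                   "nginx version: nginx/1.2.8",
                   "nginx version: nginx/1.2.9",
                   "nginx version: nginx/1.4.1"):
        print(banner, "->", check_banner(banner) or "patched")
```

`check_local()` is what you would call on a real host; it is not invoked at top level so the script runs on machines without nginx. Note that distribution packages often backport fixes without bumping the upstream version, so for the Debian build trust the DSA rather than this banner check.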
Am I right in interpreting this as only a vulnerability if you use Nginx to proxy to an untrusted server (i.e. not yours) where specially formatted responses can compromise your Nginx?

It would seem to me that this is a particularly rare use case of nginx?

I suppose shared web hosts and services like CloudFlare are the types of implementation that may be affected.