Nginx security update

67 points by pyritschard, almost 12 years ago

6 comments

oinksoft, almost 12 years ago
Just a PSA for people running Debian servers: Subscribe to the debian-security-announce list[1] and you'll get these notices in your inbox rather than at the top of Hacker News. I got an email Sunday afternoon so when I saw this I thought ... another vulnerability, already?!

[1] http://lists.debian.org/debian-security-announce/
ck2, almost 12 years ago
Note that's for Debian distribution.

Patched source was actually posted back on May 7th and 13th for people who compile their own builds.

    2013-05-07 nginx-1.4.1 stable and nginx-1.5.0 development versions have been released, with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 - 1.4.0, discovered by Greg MacManus, of iSIGHT Partners Labs (CVE-2013-2028).
    2013-05-13 nginx-1.2.9 legacy version has been released, addressing the information disclosure security problem in some previous nginx versions (CVE-2013-2070).
danielpal, almost 12 years ago
The NGINX advisory is here: http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

This is almost 2 months old.
samwillis, almost 12 years ago
Am I right in interpreting this as only a vulnerability if you use Nginx to proxy to an untrusted server (i.e. not yours) where specially formatted responses can compromise your Nginx?

It would seem to me that this is a particularly rare use case of nginx?

I suppose shared web hosts and services like CloudFlare are the types of implementation that may be affected.
antihero, almost 12 years ago
And, thankfully, all the current packages in Debian are either unaffected or it's been patched :)
hgezim, almost 12 years ago
Anyone know of the Ubuntu packages that are safe here?