chunkin-nginx-module and CVE-2013-2028

fgtham · 2013-05-08T15:35:38+00:00

On Tuesday, May 7, 2013 3:10:58 AM UTC+2, agentzh wrote:For Nginx, it's not possible to control which request is served by which worker. All the workers are...

chunkin-nginx-module and CVE-2013-2028

fgtham

Hi,

I'm using chunkin-nginx-module v0.23 with nginx v1.2.3. Is this combination also vulnerable to the issue referenced in CVE-2013-2028, or does this really only affect the chunked transfer encoding support in nginx v1.3.9 and onwards?

Best regards,

Florian

agentzh

Hello!

On Wed, May 8, 2013 at 12:35 AM, Florian Tham wrote:
> I'm using chunkin-nginx-module v0.23 with nginx v1.2.3. Is this combination
> also vulnerable to the issue referenced in CVE-2013-2028, or does this
> really only affect the chunked transfer encoding support in nginx v1.3.9 and
> onwards?
>

ngx_chunkin has a very different implementation from nginx's builtin
one. And I don't think this affects ngx_chunkin.

Best regards,
-agentzh

fgtham

Thanks for the clarification.

Best regards,

Florian

On Wednesday, May 8, 2013 8:33:08 PM UTC+2, agentzh wrote:

Hello!

On Wed, May 8, 2013 at 12:35 AM, Florian Tham wrote:
> I'm using chunkin-nginx-module v0.23 with nginx v1.2.3. Is this combination
> also vulnerable to the issue referenced in CVE-2013-2028, or does this
> really only affect the chunked transfer encoding support in nginx v1.3.9 and
> onwards?
>

ngx_chunkin has a very different implementation from nginx's builtin
one. And I don't think this affects ngx_chunkin.

Best regards,
-agentzh