-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
I uploaded new packages for nginx which fixed the following security
problems:
CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module
A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.
This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.
For the squeeze-backports distribution the problems have been fixed in
version
1.1.19-1~bpo60+1
For wheezy (testing) and sid (unstable) this was fixed in version
1.1.19-1
Squeeze (stable) is not vulnerable to this security issue.
Thanks.
- --
Cyril "Davromani