Nginx 1.4.1 and 1.5.0 have been released to address a security hole that could have been exploited by an attacker to execute arbitrary code. Nginx 1.3.9 – 1.4.0 are impacted.
“A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution,” reads the advisory published by the developer.
The vulnerability, CVE-2013-2028, has been identified by Greg MacManus, of iSIGHT Partners Labs.
Users are advised to update their installations as soon as possible. In addition, a patch for the security hole has also been made available by the developer.
Nginx is available for download here.
As a temporary workaround, customers can write the following configuration in each “server{}” block:
return 444;
}