On 04/30/14 14:05, Валентин Бартенев wrote:
On Wednesday 30 April 2014 13:18:21 Anton Yuzhaninov wrote:
Подвержен ли nginx этой уязвимости в openssl:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
?
grep по исходникам показывает наличие
SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
Если верить описанию "in a multithreaded environment",
а nginx к таковым не относится.
Во FreeBSD-шном SA формулировка более общая:
The buffer may be released before the library have finished using it. It is
possible that a different SSL connection in the same process would use the
released buffer and write data into it.
_______________________________________________
nginx-ru mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx-ru
