I can't speak for the nginx team, but as noted by "Severity: none", I assume they agree with many other vendors that this is not actually a vulnerability in nginx itself.
For example, here is what the authors of Varnish said in response to this CVE:

> This is not a security problem in Varnish or any other piece of software which writes a logfile.
>
> The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely.
>
> This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagen University's Computer Science dept. (Diku.dk). Since then, nothing much has changed.
>
> The wisdom of terminal-response-escapes in general has been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970s technology.
>
> I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense.
>
> Instead of blaming any and all programs which write logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all.

Moshe

On Sun, Feb 13, 2022 at 11:46 AM Hritik Vijay <hritik...@gmail.com> wrote:
> Hello
>
> The advisories page (https://nginx.org/en/security_advisories.html) for
> nginx mentions the following:
> An error log data are not sanitized
> Severity: none
> CVE-2009-4487
> Not vulnerable: none
> Vulnerable: all
>
> Was this vulnerability ever fixed? If so, can we please get the
> advisory updated?
>
> Hrtk
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-le...@nginx.org
_______________________________________________ nginx mailing list -- nginx@nginx.org To unsubscribe send an email to nginx-le...@nginx.org
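The issue behind CVE-2009-4487 and the Varnish reply above is that bytes a client puts in a request can land in the error log unchanged and are then interpreted by the terminal emulator when someone cat(1)s the file. Whether one thinks the fix belongs in the log writer or in the terminal, the check is the same on either side. The following is an added example, not code from nginx, Varnish, or anyone in this thread: a small Python scanner that finds ECMA-48 escape sequences (CSI, OSC, DCS and friends, plus 8-bit C1 controls) in log lines and renders every control character as \xNN so the line can be displayed safely. The log lines, the path, the client address and the function names are constructed for the example and are not real nginx output.

```python
"""Detect and neutralise terminal escape sequences in log lines.

Added example (not from nginx, Varnish, or the mailing-list thread).
The sample lines below are constructed to resemble nginx error-log
entries carrying attacker-chosen bytes from a request path.
"""
import re

# ESC-introduced sequences per ECMA-48, most specific form first, then
# the raw 8-bit C1 controls (0x80-0x9f), which some emulators honour
# directly (0x9b alone is a CSI, no ESC needed).
_ESC_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI  params/intermediates/final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC  ... BEL or ST (ESC \)
    r"|\x1b[PX^_].*?\x1b\\"                # DCS/SOS/PM/APC ... ST
    r"|\x1b[ -/]+[0-~]"                    # nF   (e.g. charset selection)
    r"|\x1b[@-Z\\-_]"                      # other two-byte Fe forms
    r"|\x1b[0-~]"                          # Fp/Fs (e.g. ESC 7, ESC c = reset)
    r"|[\x80-\x9f]",                       # 8-bit C1 controls
    re.DOTALL,
)

# Every C0/C1 control except TAB and LF, plus backslash so the \xNN
# notation is unambiguous (a literal backslash becomes \x5c).
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x5c\x7f-\x9f]")


def from_log_bytes(raw: bytes) -> str:
    """Map raw log bytes 1:1 onto code points.

    latin-1 keeps 0x80-0x9f visible as C1 controls; decoding as UTF-8
    would raise or substitute them and hide an 8-bit CSI from the scan.
    """
    return raw.decode("latin-1")


def find_terminal_escapes(line: str) -> list[str]:
    """Return every escape sequence in `line`, in order of appearance."""
    return [m.group(0) for m in _ESC_SEQ.finditer(line)]


def sanitize_log_line(line: str) -> str:
    """Rewrite control characters (and backslash) as \\xNN.

    Every sequence _ESC_SEQ knows starts with ESC or a C1 byte, and a
    bare CR/BS can overwrite earlier output, so escaping the individual
    control characters defeats all of them at once.
    """
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def flag_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, sequences) for each line carrying escapes."""
    report = []
    for n, line in enumerate(lines, start=1):
        found = find_terminal_escapes(line)
        if found:
            report.append((n, found))
    return report


# Constructed sample: nginx-style error-log lines, one benign, one with an
# OSC title-set and a CSI colour change smuggled in via the request path,
# one with a DCS string and a bare CR that would overwrite the line.
SAMPLE_LINES = [
    '2022/02/13 11:46:00 [error] 1234#0: *5 open() "/usr/share/nginx/html/missing" '
    'failed (2: No such file or directory), client: 203.0.113.7, server: example.test, '
    'request: "GET /missing HTTP/1.1"',
    '2022/02/13 11:46:01 [error] 1234#0: *6 open() "/usr/share/nginx/html/\x1b]0;owned\x07\x1b[31m" '
    'failed (2: No such file or directory), client: 203.0.113.7, server: example.test, '
    'request: "GET /%1b]0;owned%07%1b[31m HTTP/1.1"',
    '2022/02/13 11:46:02 [error] 1234#0: *7 open() "/x\x1bPq#0;2;0;0;0~\x1b\\" failed\rlooks fine',
]


if __name__ == "__main__":
    for n, seqs in flag_lines(SAMPLE_LINES):
        print(f"line {n}: {len(seqs)} escape sequence(s): {[repr(s) for s in seqs]}")
    print("--- safe view ---")
    for line in SAMPLE_LINES:
        print(sanitize_log_line(line))
```

Running it prints the flagged line numbers and then the three lines with every control byte shown as \xNN; pipe a real file through `sanitize_log_line` (after `from_log_bytes`) instead of cat(1) to see what a log actually contains without letting the terminal act on it.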