List: oss-security
Subject: Re: [oss-security] Nginx ngx_http_close_connection function integer overflow - can anyone confirm th
From: Andrew Alexeev <andrew () nginx ! com>
Date: 2013-04-29 13:41:27
Message-ID: 14476AB1-6B53-48D7-B4A4-51E7699F454D () nginx ! com
On Apr 26, 2013, at 11:15 AM, Andrew Alexeev <andrew@nginx.com> wrote:
> On Apr 26, 2013, at 9:48 AM, Alistair Crooks wrote:
>
>> On Thu, Apr 25, 2013 at 11:36:17PM -0600, Kurt Seifried wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> - From Bugtraq:
>>>
>>> http://www.securityfocus.com/archive/1/526439/30/0/threaded
>>>
>>> Website: http://safe3.com.cn
>>
>> Is this legit?
>>
>> I downloaded the index.html file with curl, and embedded around line 87
>> was a flash file:
>
> Unfortunately we weren't approached by "Qihoo 360 Web Security Research Team"
> before this publication went out through bugtraq.
>
> We are now trying to obtain more information from that team without much success.
>
> We've also analyzed their report and we can't conclude this is a real vulnerability yet.
> From the descriptions provided it still looks like it's somewhat spurious.
>
> We are trying to continue investigation though.
>
> Regrettably responsible disclosure isn't always the case. However, we can't yet confirm
> it's a full one either.

We've also been directly approached by the Qihoo team a couple of days ago.
After a thorough examination we can tell the following:

http://mailman.nginx.org/pipermail/nginx/2013-April/038701.html

Basically, we believe that nginx code distributed by Nginx Inc. is not affected by
the above-mentioned report.

>> <table width="930" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
>> <tr><td>
>> <object type="application/x-shockwave-flash" data="/banner.swf?xml=/banner.xml" width="930" height="180">
>> <param name="movie" value="/banner.swf?xml=/banner.xml"/>
>> </object>
>> </td></tr>
>> <tr>
>>
>> so I took it to be an attempt at phishing.
>>
>> Maybe I'm just too paranoid in my old age?
>>
>> Regards,
>> Alistair
>>