CVE-2012-1180

NameCVE-2012-1180
DescriptionUse-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-2434-1
NVD severitymedium (attack range: remote)
Debian Bugs664137

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)wheezy1.2.1-2.2+wheezy4fixed
wheezy (security)1.2.1-2.2+wheezy4+deb7u1fixed
jessie (security), jessie1.6.2-5+deb8u5fixed
stretch (security), stretch1.10.3-1+deb9u1fixed
buster, sid1.13.6-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsource(unstable)1.1.17-1medium664137
nginxsourcesqueeze0.7.67-3+squeeze2mediumDSA-2434-1

Notes

http://seclists.org/oss-sec/2012/q1/644

Search for package or bug name: Reporting problems