Changes with NginX 1.4.7 - High | Knowledge eXchange

TL;DR — Quick Summary

Review the essential security updates and bug fixes introduced in Nginx version 1.4.7, including a critical patch for a heap memory buffer overflow.

Note: This article was originally published in 2014. Some steps, commands, or software versions may have changed. Check the current General documentation for the latest information.

Changes with (https://nginx.org/ “Nginx”) 1.4.7

Below are the list of changes from the 1.4.6 release of NginX to version 1.4.7 This is provided as reference only and was obtained from: https://nginx.org/en/CHANGES. This update addresses a bug fix and a security issue. Because of the security issue we rate this update of high priority.

Changes with nginx 1.4.7                                         18 Mar 2014

    *) Security: a heap memory buffer overflow might occur in a worker
       process while handling a specially crafted request by
       ngx_http_spdy_module, potentially resulting in arbitrary code
       execution (CVE-2014-0133).
       Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
       Manuel Sadosky, Buenos Aires, Argentina.

    *) Bugfix: in the "fastcgi_next_upstream" directive.
       Thanks to Lucas Molas.

Frequently Asked Questions

What security vulnerability is fixed in Nginx 1.4.7?

Nginx 1.4.7 patches CVE-2014-0133, a heap memory buffer overflow vulnerability in the ngx_http_spdy_module that could potentially lead to arbitrary code execution.

What bug is fixed in Nginx 1.4.7?

In addition to the security fix, Nginx 1.4.7 includes a bugfix resolving issues with the 'fastcgi_next_upstream' directive.

Who discovered the vulnerabilities patched in 1.4.7?

Both the SPDY module vulnerability and the fastcgi_next_upstream bug were discovered and reported by Lucas Molas.

Changes with (https://nginx.org/ “Nginx”) 1.4.7

Related Articles

Frequently Asked Questions

Related Articles

Changes with NginX 1.4.5

Changes with NginX 1.5.9

Changes with NginX 1.4.6 - Moderate