PublicDateAtUSN: 2014-09-17
Candidate: CVE-2014-3616
PublicDate: 2014-12-08 11:59:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
 http://bh.ht.vc/vhost_confusion.pdf
 https://ubuntu.com/security/notices/USN-2351-1
Description:
 nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or
 ssl_session_ticket_key for multiple servers, can reuse a cached SSL session
 for an unrelated context, which allows remote attackers with certain
 privileges to conduct "virtual host confusion" attacks.
Ubuntu-Description: 
Notes: 
Bugs: 
 https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1370478
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940
Priority: medium
Discovered-by: Antoine Delignat-Lavaud and Karthikeyan Bhargavan
Assigned-to: mdeslaur
CVSS: 

Patches_nginx:
 upstream: http://trac.nginx.org/nginx/changeset/1ee1db30c9b96e9e43e85ab0bfba42140af24966/nginx
upstream_nginx: released (1.7.5,1.6.2)
lucid_nginx: ignored (reached end-of-life)
precise_nginx: released (1.1.19-1ubuntu0.7)
trusty_nginx: released (1.4.6-1ubuntu3.1)
trusty/esm_nginx: released (1.4.6-1ubuntu3.1)
utopic_nginx: not-affected (1.6.2-1ubuntu1)
devel_nginx: not-affected (1.6.2-1ubuntu1)