CVE-2014-0133

Publication date 28 March 2014

Last updated 24 July 2024

Ubuntu priority

Heap-based buffer overflow in the SPDY implementation in nginx 1.3.15 before 1.4.7 and 1.5.x before 1.5.12 allows remote attackers to execute arbitrary code via a crafted request.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
nginx	13.10 saucy	Fixed 1.4.1-3ubuntu1.3
	12.10 quantal	Not affected
	12.04 LTS precise	Not affected
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

not affected as we build with --with-debug

seth-arnold

saucy was affected, not all flavors used --with-debug

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nginx	Upstream: http://nginx.org/download/patch.2014.spdy2.txt

References

MITRE
NVD
Launchpad
Debian

Other references

http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
https://www.cve.org/CVERecord?id=CVE-2014-0133