CVE-2013-2070 nginx: denial of service or memory disclosure when using proxy_pass
A security problem related to CVE-2013-2028 was identified,
affecting some previous nginx versions if proxy_pass to
untrusted upstream HTTP servers is used.
The problem may lead to a denial of service or a disclosure of a
worker process memory on a specially crafted response from an
upstream proxied server.
The problem affects nginx 1.1.4 - 1.2.8, 1.3.0 - 1.4.0.
The problem is already fixed in nginx 1.5.0, 1.4.1. Version 1.2.9
was released to address the issue in the 1.2.x legacy branch.
Patch for nginx 1.3.9 - 1.4.0 is the same as for CVE-2013-2028:
Patch for older nginx versions (1.1.4 - 1.2.8, 1.3.0 - 1.3.8)
can be found here:
(from redmine: issue id 1867, created on 2013-05-15, closed on 2013-05-16)