FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nginx -- inject commands into SSL session vulnerability

Affected packages
0.6.0 <= nginx < 1.6.2,2
0.5.6 <= nginx-devel < 1.7.5

Details

VuXML ID 77b784bb-3dc6-11e4-b191-f0def16c5c1b
Discovery 2014-09-16
Entry 2014-09-16

The nginx project reports:

Security: it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks (CVE-2014-3616).
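An added example, not part of the nginx advisory or of this VuXML entry: a small Python audit that reads an nginx configuration and lists every shared SSL session cache zone or session ticket key file in effect for more than one "server" block, which is the condition the advisory names. It assumes one self-contained configuration text (no `include` expansion), treats `http`-level directives as inherited by server blocks that do not set their own, and runs on a constructed sample with made-up hostnames and paths.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
WATCHED = ("ssl_session_cache", "ssl_session_ticket_key")

def _sources(directive, args):
    if directive == "ssl_session_cache":
        # Only shared:NAME:SIZE zones are shared state; off/none/builtin are not.
        return {"cache zone " + a.split(":")[1] for a in args if a.startswith("shared:")}
    return {"ticket key " + a.strip("\"'") for a in args}

def shared_session_state(conf):
    """Return {source: [server, ...]} for sources in effect in 2+ server blocks."""
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", conf))  # naive comment strip
    stack, stmt, http, servers = [], [], {}, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                servers.append({"name": "server#%d" % (len(servers) + 1)})
        elif tok == "}":
            stack.pop()
        elif stmt and stack and stack[-1] in ("http", "server"):
            scope = servers[-1] if stack[-1] == "server" else http
            if stmt[0] in WATCHED:  # repeated directives (several keys) accumulate
                scope.setdefault(stmt[0], set()).update(_sources(stmt[0], stmt[1:]))
            elif stmt[0] == "server_name" and scope is not http and stmt[1:]:
                scope["name"] = stmt[1]
        stmt = []
    users = {}
    for srv in servers:
        for d in WATCHED:
            # A directive set in the server block replaces the http-level one.
            for src in srv.get(d, http.get(d, set())):
                users.setdefault(src, []).append(srv["name"])
    return {src: names for src, names in users.items() if len(names) > 1}

# Constructed sample configuration (hostnames and paths are made up).
SAMPLE = """
http {
    ssl_session_cache shared:SSL:10m;
    server { server_name a.example; }
    server { server_name b.example; ssl_session_ticket_key /etc/nginx/t.key; }
    server { server_name c.example; ssl_session_cache off; ssl_session_ticket_key /etc/nginx/t.key; }
}
"""
print(shared_session_state(SAMPLE))
```

On a host still inside the affected version ranges listed above, any entry in the result marks server blocks whose sessions share state; upgrading to a fixed package is the remedy the entry points to.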

References

CVE Name CVE-2014-3616
URL http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html