Re: qmail toaster for centos 6.x

Top Page
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: qmail toaster for centos 6.x
Eric,

On Sat, Jun 1, 2013 at 7:23 AM, Eric Shubert <> wrote:

> On 05/31/2013 05:41 PM, Lisa Kachold wrote:
>
>> Nginx has some pretty serious security issues, so be sure that you
>> implement it with all the patches and complete recommendations:
>>
>> http://nginx.org/en/security_**advisories.htmlÂ<http://nginx.org/en/security_advisories.html%C3%82>
>>
>
> The current version in CentOS4 is not susceptible to any of these
> vulnerabilities. Good to check though.



Yes, Shubes! Don't even blink! Every day another exploit is announced!
excerpts:
Anonymous hackers behind the Cdorked malware that targets Apache servers
now have extended their exploit to infect open-source Nginx and Lighttpd
server software.
http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/
This integer overflow fails over so you can do just about whatever you
like; especially with the right tools:

http://exploitsdownload.com/search/nginx/

Old stuff from 2010: "A noobs guide to hacking Nginx"
http://hoisie.com/2010/12/29/a-cool-example-of-hacking-nginx/

Nginx Tuesday announced the release of nginx-1.4.1 <http://nginx.org/en/> --
as well as "development version" nginx-1.5.0 -- to fix a buffer-overflow
vulnerability that attackers could exploit to execute arbitrary code on a
Ngnix server and completely compromise it. In a security
advisory<http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html>
issued
Tuesday, Nginx said the
bug<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2028> is
present in Nginx versions 1.3.9 and 1.4.0. "The problem is fixed in nginx
1.5.0 [and] 1.4.1," it said.

Yes, installing from repo (with Redhat/CentOs/Fedora and uBuntu) means that
if a vulnerability exists with a patch available, the Nginx installed is
going to include that security fix.

CentOs/Redhat (and Ubuntu) are so fast with fixing vulnerabilities ( and
the Nginx security issues are all the standard browser stack vulns (stack
smash, XSS, remote code execution, escalated privs).    Of course there are
also a few implementation security issues - that seem like nice hacks on
the front side until - well, your site is defaced:
http://www.theadminzone.com/forums/showthread.php?t=99536


It's really rather outrageous that Apache has dominated this space for so
long, when slimmed down httpd servers and reverse proxies do the job so
much better, especially in 3/4 tiered environments with J2EE, is it not?

Nginx:

http://blog.solidshellsecurity.com/2013/04/29/nginx-ngx_http_close_connection-function-integer-overflow-exploit-patch/

I personally still favor the custom compiled Apache2 with vastly scaled
down binary size (dynamic module stripping) and custom server signature
[replacing "Apache2 $version" with "$customstring $version" which IS
allowed under the Apache2 license] (to reduce fingerprinting - and
therefore also limit script kiddies - if we can't mitigate everything let's
obfuscate!.

>
>
> --
> -Eric 'shubes'
> ------------------------------**---------------------
> PLUG-discuss mailing list - .**org<>
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/**mailman/listinfo/plug-discuss<http://lists.phxlinux.org/mailman/listinfo/plug-discuss>
>




--

(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/d/>
Chief Clown
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss