Debian Security Advisory

DLA-55-1 nginx -- LTS security update

Date Reported: 17 Sep 2014
Affected Packages: nginx
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2014-3616.
More information:

Antoine Delignat-Lavaud discovered that it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple server blocks.

For Debian 6 Squeeze, this issue has been fixed in nginx version 0.7.67-3+squeeze4.
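
The following audit check is an added example, not part of the advisory or of nginx. It reads an nginx configuration and reports each shared SSL session cache zone that more than one TLS server block uses, which is the cache condition described above. The sample configuration, the function name and the host names are constructed for illustration; include directives are not followed, and the session ticket key condition is not covered.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;    # inherited by every server block
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; }
    server { listen 443 ssl; server_name c.example;
             ssl_session_cache shared:C_ONLY:10m; }
    server { listen 80; server_name plain.example; }
}
"""

def shared_cache_users(conf):
    """Map each shared SSL session cache zone to the TLS server blocks using it,
    keeping only zones that more than one server block uses."""
    conf = re.sub(r"#[^\n]*", "", conf)              # drop comments
    stack, servers, http_zone, pending = [], [], None, ""
    for tok in re.findall(r"[{};]|[^{};]+", conf):
        if tok not in ("{", "}", ";"):
            pending = tok                            # directive or block header text
            continue
        words, pending = pending.split(), ""
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({"name": "(unnamed)", "zone": None, "tls": False})
        elif tok == "}":
            if stack:
                stack.pop()
        elif words and stack:                        # a directive ended by ';'
            name, args, scope = words[0], words[1:], stack[-1]
            if name == "ssl_session_cache" and scope in ("http", "server"):
                # "" records an explicit non-shared setting (off, none, builtin)
                zone = next((a.split(":")[1] for a in args if a.startswith("shared:")), "")
                if scope == "http":
                    http_zone = zone
                else:
                    servers[-1]["zone"] = zone
            elif scope == "server" and name == "server_name" and args:
                servers[-1]["name"] = args[0]
            elif scope == "server" and ((name == "listen" and "ssl" in args) or words == ["ssl", "on"]):
                servers[-1]["tls"] = True
    users = defaultdict(list)
    for s in servers:                                # None means: inherit from http level
        zone = http_zone if s["zone"] is None else s["zone"]
        if s["tls"] and zone:
            users[zone].append(s["name"])
    return {z: names for z, names in users.items() if len(names) > 1}
```

Calling shared_cache_users(SAMPLE_CONF) reports zone SSL as used by a.example and b.example, while c.example has its own zone and the plain HTTP block is ignored.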