From a1b66faf4aa5bff110cac0f93bbb77abb78658b2 Mon Sep 17 00:00:00 2001
From: nginx <nginx@nginx.org>
Date: Mon, 13 May 2013 11:30:14 +0000
Subject: Changes with nginx 1.2.9                                         13
 May 2013

*) Security: contents of worker process memory might be sent to a client
if HTTP backend returned specially crafted response (CVE-2013-2070);
the bug had appeared in 1.1.4.
---
 CHANGES                                  | 7 +++++++
 CHANGES.ru                               | 7 +++++++
 src/core/nginx.h                         | 4 ++--
 src/http/modules/ngx_http_proxy_module.c | 4 ++++
 src/http/modules/perl/nginx.pm           | 2 +-
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 7de0d710d..e8422c2dd 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,11 @@
 
+Changes with nginx 1.2.9                                         13 May 2013
+
+    *) Security: contents of worker process memory might be sent to a client
+       if HTTP backend returned specially crafted response (CVE-2013-2070);
+       the bug had appeared in 1.1.4.
+
+
 Changes with nginx 1.2.8                                         02 Apr 2013
 
     *) Bugfix: new sessions were not always stored if the "ssl_session_cache
diff --git a/CHANGES.ru b/CHANGES.ru
index 9d3187fe2..33490f76d 100644
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,11 @@
 
+Изменения в nginx 1.2.9                                           13.05.2013
+
+    *) Безопасность: содержимое памяти рабочего процесса могло быть
+       отправлено клиенту, если HTTP-бэкенд возвращал специально созданный
+       ответ (CVE-2013-2070); ошибка появилась в 1.1.4.
+
+
 Изменения в nginx 1.2.8                                           02.04.2013
 
     *) Исправление: при использовании директивы "ssl_session_cache shared"
diff --git a/src/core/nginx.h b/src/core/nginx.h
index a14187fe6..3d6e756f2 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1002008
-#define NGINX_VERSION      "1.2.8"
+#define nginx_version      1002009
+#define NGINX_VERSION      "1.2.9"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 977bed73c..0566213db 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1865,6 +1865,10 @@ data:
 
     }
 
+    if (ctx->size < 0 || ctx->length < 0) {
+        goto invalid;
+    }
+
     return rc;
 
 done:
diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm
index 27a6f55a4..32684feac 100644
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -50,7 +50,7 @@ our @EXPORT = qw(
     HTTP_INSUFFICIENT_STORAGE
 );
 
-our $VERSION = '1.2.8';
+our $VERSION = '1.2.9';
 
 require XSLoader;
 XSLoader::load('nginx', $VERSION);
-- 
cgit v1.2.1