CVE-2014-3616

EPSS 2.4%

nginx - security update

Published: 12/8/2014Modified: 4/28/2026

Description

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

Affected packages (3)

Debian/nginxfrom 0, < 1.6.2-1
Debian/nginxfrom 0, < 0.7.67-3+squeeze4
Debian/nginxfrom 0, < 1.2.1-2.2+wheezy3

References (1)

ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2014-3616