nginx Information for VU#720951
OpenSSL TLS heartbeat extension read overflow discloses sensitive information
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
nginx for Windows is statically linked with the OpenSSL library. We have confirmed that nginx versions 1.2.9 through 1.4.7 on Windows provide a vulnerable OpenSSL version.
nginx 1.4.7, which was originally released on March 18, 2014, was silently repackaged with OpenSSL 1.0.1g on April 8, 2014.
nginx 1.5.13 was officially released on April 8, 2014, and it also includes OpenSSL 1.0.1g, despite not specifically mentioning this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send us email.