Version in base suite: 0.6.32-3
Version in overlay suite: 0.6.32-3+lenny2
Base version: nginx_0.6.32-3
Target version: nginx_0.6.32-3+lenny3
Base file: /org/ftp.debian.org/ftp/pool/main/n/nginx/nginx_0.6.32-3.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/nginx_0.6.32-3+lenny3.dsc
 nginx-0.6.32/debian/changelog | 22 ++++++++++++++++++++++
 src/http/ngx_http_parse.c | 16 ++++++++++------
 2 files changed, 32 insertions(+), 6 deletions(-)
diff -u nginx-0.6.32/debian/changelog nginx-0.6.32/debian/changelog
--- nginx-0.6.32/debian/changelog
+++ nginx-0.6.32/debian/changelog
@@ -1,3 +1,25 @@
+nginx (0.6.32-3+lenny3) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix remote denial of service (segmentation fault): Null pointer
+ dereference if request ends on buffer boundary. Closes: #552035
+
+ -- Stefan Fritsch Sat, 24 Oct 2009 11:44:57 +0200
+
+nginx (0.6.32-3+lenny2) stable-security; urgency=low
+
+ * Applying new patch for security issue VU#180065.
+
+ -- Jose Parrella Thu, 10 Sep 2009 12:13:09 -0500
+
+nginx (0.6.32-3+lenny1) stable-security; urgency=high
+
+ * Fixed security issue "Nginx ngx_http_parse_complex_uri() Buffer
+ Underflow Vulnerability" reported by , see
+ VU#180065
+
+ -- Jose Parrella Sat, 05 Sep 2009 20:02:57 -0500
+
 nginx (0.6.32-3) unstable; urgency=low
 * debian/control: build again on all the architectures, but use the switch
only in patch2:
unchanged:
--- nginx-0.6.32.orig/src/http/ngx_http_parse.c
+++ nginx-0.6.32/src/http/ngx_http_parse.c
@@ -738,6 +738,7 @@
 /* first char */
 case sw_start:
+ r->header_name_start = p;
 r->invalid_header = 0;
 switch (ch) {
@@ -750,7 +751,6 @@
 goto header_done;
 default:
 state = sw_name;
- r->header_name_start = p;
 c = lowcase[ch];
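Review bot: The hoisted `r->header_name_start = p;` under `case sw_start:` carries no comment saying why it must run before the inner `switch (ch)`, so a later cleanup could move it back into `default:`, which is where the `@@ -750,7 +751,6 @@` hunk removes it from. Going by the changelog entry, the paths that jump to `header_done` presumably also need the pointer set when a request ends on a buffer boundary; the code that reads it is not in the hunk. I would add `/* set for every first char, not only header names: read when the request ends on a buffer boundary */` above the assignment. The enclosing parser function starts and ends outside the hunk.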
@@ -1123,11 +1123,15 @@
 #endif
 case '/':
 state = sw_slash;
- u -= 4;
- if (u < r->uri.data) {
- return NGX_HTTP_PARSE_INVALID_REQUEST;
- }
- while (*(u - 1) != '/') {
+ u -= 5;
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ if (*u == '/') {
+ u++;
+ break;
+ }
 u--;
 }
 break;
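Review bot: The bounds check in the new back-scan only fires after `u` has already been moved below `r->uri.data`: both `u -= 5` and the trailing `u--` form the out-of-range pointer first and compare it afterwards, which C does not define for pointers outside the object. Comparing the offset before moving and testing `u == r->uri.data` before each decrement keeps the same accept/reject behaviour without relying on that. This assumes `r->uri.data` is the start of the buffer `u` writes into, which the hunk does not show. The constant 5 also deserves a short comment naming the bytes it steps over. The enclosing `case` and function start and end outside the hunk.

```c
state = sw_slash;
/* check the offset before moving u, so u never points below r->uri.data */
if (u - r->uri.data < 5) {
    return NGX_HTTP_PARSE_INVALID_REQUEST;
}
u -= 5;
while (*u != '/') {
    if (u == r->uri.data) {
        return NGX_HTTP_PARSE_INVALID_REQUEST;
    }
    u--;
}
u++;
break;
```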