nginx ubuntu package possibly affected by CVE-2014-0160

Bug #1304304 reported by Kai Jauslin
Affects: nginx (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Checked nginx SSL offloading with package 1.1.19-1ubuntu0.6 and openssl package 1.0.1-4ubuntu5.12 on Ubuntu 12.04 LTS.

Testing Heartbleed according to https://blog.ipredator.se/2014/04/how-to-test-if-your-openssl-heartbleeds.html (with a patched openssl client) shows the vulnerability on a system with the updated openssl package.

Is openssl statically linked to nginx@1.1.19-1ubuntu0.6? If yes, the package might need to be updated.

Seth Arnold (seth-arnold) wrote:

Did you restart nginx or reboot your system after applying the update?

Thanks

information type: Private Security → Public Security
Changed in nginx (Ubuntu):
status: New → Incomplete
Kai Jauslin (kjauslin) wrote:

Yes, I did restart the system. I think I've found the solution in the meantime: it's not sufficient to just update the openssl package; it's also necessary to update libssl1.0.0. After doing this and restarting nginx, the system does not respond to heartbeat requests anymore. Sorry, this was not clear to me just from reading the security note.

Thomas Ward (teward) wrote:

Correct me if I'm wrong, but doesn't this bug affect OpenSSL? The Security team released a fix for this in OpenSSL.

I will check to see if it's statically linked, but the last I checked it was not. I haven't recently checked this though.

Seth Arnold (seth-arnold) wrote:

Kai, thanks, that makes more sense. Have fun!

Changed in nginx (Ubuntu):
status: Incomplete → Invalid
Thomas Ward (teward) wrote:

Refer to USN-2165-1 for the OpenSSL notice on this vulnerability, and about it being fixed. This applies to libssl as well.

I am almost certain nginx doesn't static-link to libssl. Again, I'll double check this.
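The thread raises two checks that are worth doing on any host after an OpenSSL update: whether nginx links libssl dynamically at all (if it did not, a libssl1.0.0 update could not fix it), and whether a running nginx is still using the pre-update library. The second is the situation Kai hit: the `openssl` package only ships the command-line tool, the shared library nginx actually loads is `libssl1.0.0`, and even after that library is replaced on disk an already running process keeps the old copy mapped until it is restarted, which the kernel reports in `/proc/<pid>/maps` with a `(deleted)` suffix. The script below is an added example and is not part of the bug report or of the nginx or Ubuntu packaging; the `ldd` and `/proc/<pid>/maps` samples are constructed (paths and addresses are hypothetical) so it runs offline.

```shell
#!/bin/sh
# Added example: check (1) whether an nginx binary links libssl dynamically and
# (2) whether a running process still maps a replaced (deleted) libssl/libcrypto.

# Constructed sample of `ldd /usr/sbin/nginx` on a host whose nginx links
# libssl dynamically (hypothetical load addresses).
SAMPLE_LDD='linux-vdso.so.1 =>  (0x00007fff6bfff000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f1c4a3c0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1c49fe0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c49a40000)'

# Constructed sample of /proc/<pid>/maps for a worker started before the
# libssl1.0.0 upgrade: the files were replaced on disk, so the old mappings
# carry a "(deleted)" marker while libc is unchanged.
SAMPLE_MAPS='7f1c49fe0000-7f1c4a1a0000 r-xp 00000000 08:01 131093 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c4a3c0000-7f1c4a420000 r-xp 00000000 08:01 131095 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c4a640000-7f1c4a7f0000 r-xp 00000000 08:01 131082 /lib/x86_64-linux-gnu/libc.so.6'

# links_libssl_dynamically LDD_OUTPUT
# Prints "dynamic" if libssl shows up as a shared-object dependency, otherwise
# "static-or-absent" (a statically linked nginx lists no libssl.so at all, and
# would need its own rebuild rather than a libssl1.0.0 update).
links_libssl_dynamically() {
    if printf '%s\n' "$1" | grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static-or-absent
    fi
}

# stale_ssl_mappings MAPS_CONTENT
# Prints the path of every libssl/libcrypto mapping whose backing file has been
# deleted, i.e. the process is still executing the pre-update code. Field 6 of a
# maps line is the pathname; "(deleted)" follows it as field 7.
stale_ssl_mappings() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so.*\(deleted\)/ { print $6 }'
}

# On a real host, replace the constructed samples with:
#   links_libssl_dynamically "$(ldd "$(command -v nginx)")"
#   for p in $(pidof nginx); do stale_ssl_mappings "$(cat /proc/$p/maps)"; done
# Any output from the second loop means "restart nginx" (the update alone is
# not enough); `dpkg -s libssl1.0.0 | grep Version` shows the installed library.
echo "nginx libssl linkage: $(links_libssl_dynamically "$SAMPLE_LDD")"
echo "stale SSL mappings in sample process:"
stale_ssl_mappings "$SAMPLE_MAPS"
```

The `(deleted)` check is the one that catches the case reported here: `dpkg` says the fixed `libssl1.0.0` is installed, `ldd` shows nginx would load it on the next start, yet the worker processes still answer heartbeats because they were never restarted.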
