March 15th 2012 Security Advisory

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

If anyone works on debdiffs for this, please also include the other CVEs with are currently unfixed:

http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html

Hi.

We are preparing a 1.1.17 package for Nginx which may be uploaded in Debian Unstable tomorrow.

We also plan to fix the 0.7.67 release (Debian Stable) in the next days.

For the other versions, I may try to apply the patch and propose the source packages, but if somebody has time to apply the patch and propose packages, don't hesitate :).

Thanks.

Hi.

So here is the patch adapted for nginx 0.7.67 (which is in maverick) : http://paste.davromaniak.eu/index.php?show=71

Thanks.

It looks like CVE-2009-4487 should be marked ignore. Upstream has no intention of ever touching this CVE and does not see it as legitimate issue.

Is there an ETA for when this patch will be available as a security update? Thanks.

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Debdiff for Lucid that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

Debdiff for Natty that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

Debdiff for Oneiric that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

The following CVEs do not apply to Precise or Quantal, as the versions in Precise and Quantal already contain upstream code changes which fixed these CVEs:

CVE-2011-4315
CVE-2012-1180

------

The following CVE should be marked as 'Ignored' or similar for Ubuntu, as this CVE is being ignored upstream:

CVE-2009-4487

Additional Details (#11):

CVE-2009-4487
Considered a non-issue by the upstream developers, hence the requirement of marking as 'Ignore' or similar in Ubuntu

Thanks for the debdiffs! Unfortunately they do not follow the guidelines specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Specifically:
 * debian/changelog was not updated
 * the patches do not have DEP-3 comments that describe their origin and why they are needed
 * the 11.10 debdiff has an undocumented change to debian/modules/nginx-lua/.gitmodules. Was this intended?

Please update and resubmit. I am going to unsubscribe ubuntu-security-sponsors at this time. Please resubscribe after updating the debdiffs. Thanks again.

sbeattie already addressed that on IRC. I am working on fixing them.

Also note that I did not include change logs per previous SRU occurrences where I was told to omit the change log when possible.

The changes to git related items are unintended, as I did not modify them. I can add an exclude when I work on the changes.

------
Thomas

On May 30, 2012, at 2:16 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks for the debdiffs! Unfortunately they do not follow the guidelines specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Specifically:
> * debian/changelog was not updated
> * the patches do not have DEP-3 comments that describe their origin and why they are needed
> * the 11.10 debdiff has an undocumented change to debian/modules/nginx-lua/.gitmodules. Was this intended?
>
> Please update and resubmit. I am going to unsubscribe ubuntu-security-
> sponsors at this time. Please resubscribe after updating the debdiffs.
> Thanks again.
>
> ** Changed in: nginx (Ubuntu Lucid)
> Status: Confirmed => In Progress
>
> ** Changed in: nginx (Ubuntu Natty)
> Status: Confirmed => In Progress
>
> ** Changed in: nginx (Ubuntu Oneiric)
> Status: Confirmed => In Progress
>
> --
> You received this bug notification because you are a member of Nginx,
> which is subscribed to nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/956150
>
> Title:
> March 15th 2012 Security Advisory
>
> Status in “nginx” package in Ubuntu:
> Fix Released
> Status in “nginx” source package in Lucid:
> In Progress
> Status in “nginx” source package in Maverick:
> Won't Fix
> Status in “nginx” source package in Natty:
> In Progress
> Status in “nginx” source package in Oneiric:
> In Progress
> Status in “nginx” source package in Precise:
> Fix Released
>
> Bug description:
> Any chance nginx can be updated with this patch on oneiric ?
>
> http://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/956150/+subscriptions

Thanks. I think there might have been miscommunication on the changelog. While you do not want to include changes to the upstream changelog in SRUs or security updates, you do want to update debian/changelog.

Possibly. I will modify my system to correctly allow for the changelog to
be included. I will be adding an exclude rule for the git items you
mentioned, those shouldn't be changed, and that may have happened by pure
accident when my system was building the package.

------
Thomas
On Thu, May 31, 2012 at 1:54 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks. I think there might have been miscommunication on the changelog.
> While you do not want to include changes to the upstream changelog in
> SRUs or security updates, you do want to update debian/changelog.
>
> --
> You received this bug notification because you are a member of Nginx,
> which is subscribed to nginx in Ubuntu.
> https://bugs.launchpad.net/bugs/956150
>
> Title:
> March 15th 2012 Security Advisory
>
> Status in “nginx” package in Ubuntu:
> Fix Released
> Status in “nginx” source package in Lucid:
> In Progress
> Status in “nginx” source package in Maverick:
> Won't Fix
> Status in “nginx” source package in Natty:
> In Progress
> Status in “nginx” source package in Oneiric:
> In Progress
> Status in “nginx” source package in Precise:
> Fix Released
>
> Bug description:
> Any chance nginx can be updated with this patch on oneiric ?
>
> http://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/956150/+subscriptions
>

Okay, lets try this again. I've changed my debdiff command to --exclude git, so git changes shouldnt exist anymore.

I am going to be uploading the updated debdiffs shortly.

This is an updated version of the previous Lucid debdiff uploaded.

Updated Natty debdiff

Updated Oneiric debdiff

Resubscribing the security sponsors team since there are new debdiffs uploaded.

ACK on the debdiffs. I've uploaded packages that are building now.

I slightly adjusted them:
- Oneiric had a change in debian/modules/nginx-lua/.gitmodules, which I removed
- I retargeted them to the security pocket (ie: oneiric-security instead of oneiric)
- I adjusted the version numbers as per the versioning guide here:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

Thanks!

This bug was fixed in the package nginx - 1.0.5-1ubuntu0.1

---------------
nginx (1.0.5-1ubuntu0.1) oneiric-security; urgency=low

  * Security update (closes LP: #956150):
     * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
     * Patch to fix 'Heap-based buffer overflow in compression-pointer
       processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Tue, 12 Jun 2012 12:52:27 -0400

This bug was fixed in the package nginx - 0.8.54-4ubuntu0.1

---------------
nginx (0.8.54-4ubuntu0.1) natty-security; urgency=low

  * Security update (closes LP: #956150):
    * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
    * Patch to fix 'Heap-based buffer overflow in compression-pointer
      processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Sun, 20 May 2012 13:05:42 -0400

This bug was fixed in the package nginx - 0.7.65-1ubuntu2.3

---------------
nginx (0.7.65-1ubuntu2.3) lucid-security; urgency=low

  * Security update (closes LP: #956150):
     * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
     * Patch to fix 'Heap-based buffer overflow in compression-pointer
       processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Tue, 12 Jun 2012 12:37:49 -0400