nginx vulnerable to MITM Attack [CVE-2011-4968]
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Nginx | | Low | Unassigned | |
| nginx (Debian) | Fix Released | Unknown | | |
| nginx (Ubuntu) | | Low | Unassigned | |
| Lucid | | Low | Unassigned | |
| Oneiric | | Low | Unassigned | |
| Precise | | Low | Unassigned | |
| Quantal | | Low | Unassigned | |
| Raring | | Low | Unassigned | |
| Trusty | | Low | Unassigned | |
| Utopic | | Low | Unassigned | |
| Vivid | | Low | Unassigned | |
| Wily | | Low | Unassigned | |
Bug Description
I am reporting this bug so there's a bug to track this in within Launchpad. If/when a patch is approved upstream, this bug can be used as a reference point in the changelog when SRU-ing the fix into older releases.
Confirmed as Debian Bug 697940.
Confirmed as CVE-2011-4968.
This has already been added to the Ubuntu Security Team Tracker at http://
Information as follows comes from the Debian Bug:
"When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server.
This is upstream's bug https:/
It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream."
Sept. 10, 2015: This was 'fixed' upstream in nginx 1.7.0, with a commit landing upstream about 17 months ago. (see the changeset located at https:/
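The condition the Debian text describes (a reverse proxy to an https origin that never checks the origin's certificate) next to the verifying configuration that became possible in 1.7.0, as an added example that is not from the bug report or the nginx project; the server names, listen port and certificate paths are assumed:

```nginx
# Added example (not from the bug report). Before nginx 1.7.0 the proxy had no
# way to verify the origin server: this block forwards to an https upstream
# but accepts any certificate presented to it, which is the CVE-2011-4968
# condition. On 1.7.0 and later the same block is still unverified, because
# proxy_ssl_verify defaults to off.
server {
    listen 443 ssl;
    server_name frontend.example;                      # assumed name
    ssl_certificate     /etc/nginx/tls/frontend.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/frontend.key;

    location / {
        proxy_pass https://backend.internal.example;   # assumed upstream
    }
}

# Hardened form (requires nginx >= 1.7.0): the proxy validates the origin's
# chain against a pinned CA bundle and checks the name in the certificate, so
# a forged certificate on the path to the backend is rejected instead of
# silently accepted.
server {
    listen 443 ssl;
    server_name frontend.example;
    ssl_certificate     /etc/nginx/tls/frontend.crt;
    ssl_certificate_key /etc/nginx/tls/frontend.key;

    location / {
        proxy_pass https://backend.internal.example;

        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Only the CA that issued the backend certificate, not a system store.
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;  # assumed path
        # Name matched against the certificate's SAN/CN and sent as SNI.
        proxy_ssl_name                backend.internal.example;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2;
    }
}
```

With the hardened block a failed check surfaces as a 502 to the client and an "upstream SSL certificate verify error" line in the error_log, which is the signal to alert on.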
CVE References
| Changed in nginx (Ubuntu Lucid): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Oneiric): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Quantal): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Raring): | |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Lucid): | |
| importance: | Undecided → Low |
| Changed in nginx (Ubuntu Oneiric): | |
| importance: | Undecided → Low |
| Changed in nginx (Ubuntu Precise): | |
| importance: | Undecided → Low |
| Changed in nginx (Ubuntu Quantal): | |
| importance: | Undecided → Low |
| Changed in nginx (Ubuntu Raring): | |
| importance: | Undecided → Low |
| Changed in nginx (Debian): | |
| status: | Unknown → Confirmed |
| mik (therealmik) wrote : | #2 |
I think this has been incorrectly classified as 'low'. People requiring secure connectivity to a backend server are currently receiving a silent downgrade in security.
| Changed in nginx (Ubuntu Raring): | |
| status: | Confirmed → Won't Fix |
| Thomas Ward (teward) wrote : | #3 |
An upstream commit has been made addressing this issue.
Refer to http://
I'll check if the other versions of nginx not listed here are affected later, after work.
| Changed in nginx (Ubuntu Quantal): | |
| status: | Confirmed → Won't Fix |
| Changed in nginx (Debian): | |
| status: | Confirmed → Fix Released |
| Thomas Ward (teward) wrote : | #4 |
The nginx project tracker for this task was added to track the status in the PPAs. This has landed in the NGINX PPA for Mainline. It has not been backported to Stable at this time. (Was supposedly fixed in 1.7.0 per http://
| Changed in nginx: | |
| importance: | Undecided → Low |
| status: | New → Fix Released |
| Changed in nginx (Ubuntu Trusty): | |
| importance: | Undecided → Low |
| status: | New → Confirmed |
| Changed in nginx (Ubuntu Utopic): | |
| importance: | Undecided → Low |
| status: | New → Confirmed |
| Thomas Ward (teward) wrote : | #5 |
Note on the 'severity' per comment #2: The severity set is based on the severity of the CVE, partly per the Security Team's tracker.
As this has been classified as "low" there, the severity here was set to "Low".
| Rolf Leggewie (r0lf) wrote : | #6 |
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".
| Changed in nginx (Ubuntu Lucid): | |
| status: | Confirmed → Won't Fix |
| Thomas Ward (teward) wrote : | #7 |
Ubuntu Utopic has gone End of Life as of today. As such, this bug is being marked Won't Fix against the Utopic package.
Refer to: https:/
| Changed in nginx (Ubuntu Utopic): | |
| status: | Confirmed → Won't Fix |
| Thomas Ward (teward) wrote : | #8 |
Ubuntu Wily has a fix for this included as part of the 1.9.3-1ubuntu1 merge. The fix for this issue was introduced in nginx 1.7.0.
| Changed in nginx (Ubuntu Wily): | |
| status: | Confirmed → Fix Released |
| description: | updated |
| Thomas Ward (teward) wrote : | #9 |
Per the notes on the CVE tracker:
sarnold> Backporting this fix is non-trivial and may break deployed
applications. Someone who really wanted this could use stunnel as a
work-around until 16.04 LTS is released.
This applies to Precise, Trusty, and Vivid.
| Changed in nginx (Ubuntu Precise): | |
| status: | Confirmed → Won't Fix |
| Changed in nginx (Ubuntu Trusty): | |
| status: | Confirmed → Won't Fix |
| Changed in nginx (Ubuntu Vivid): | |
| status: | Confirmed → Won't Fix |
Oneiric has reached EOL (End of Life) and is no longer supported. As a result, this bug (against Oneiric) is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.
Please feel free to report any other bugs you may find.