Security fix in recent release 0.6.39/DSA-1884-1

Bug #430064 reported by pwolanin on 2009-09-15
This bug affects 2 people
Affects: nginx (Ubuntu)
Importance: High
Assigned to: Unassigned
Nominated for Karmic by mdepot

Bug Description

Binary package hint: nginx

The release on 2009-09-14 contains a buffer underflow fix. Unpatched servers may be vulnerable to DoS or arbitrary code execution.

http://nginx.net/CHANGES-0.6

A fix has been applied to Debian packages. Please update the Ubuntu packages to the latest code, or backport the fix.

--------------------------------------------------------------------------
Debian Security Advisory DSA-1884-1 <email address hidden>
http://www.debian.org/security/ Nico Golde
September 14th, 2009 http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : nginx
Vulnerability : buffer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2629

Chris Ries discovered that nginx, a high-performance HTTP server, reverse
proxy and IMAP/POP3 proxy server, is vulnerable to a buffer underflow when
processing certain HTTP requests. An attacker can use this to execute
arbitrary code with the rights of the worker process (www-data on Debian)
or possibly perform denial of service attacks by repeatedly crashing
worker processes via a specially crafted URL in an HTTP request.

For the oldstable distribution (etch), this problem has been fixed in
version 0.4.13-2+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 0.6.32-3+lenny2.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.7.61-3.

pwolanin (pwolanin) on 2009-09-15
visibility: private → public
Voronin Viktor (wizard-wcs) wrote :

patch: http://sysoev.ru/nginx/patch.180065.txt
Affected 0.1.0-0.8.14.
Not affected 0.8.15, 0.7.62, 0.6.39 and 0.5.38

Changed in nginx (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Andres E. Rodriguez Lazo (andreserl)
Changed in nginx (Ubuntu):
status: Confirmed → In Progress
usoltsev (usoltsev) wrote :

Dear Andres,
Can you please change the nginx version from 0.5.33 to 0.6.39 (which is a patched one too) in 8.0.4 LTS?
We're very interested in this by using new nginx features and options.
Thanks in advance, Max & Igor

pwolanin (pwolanin) wrote :

There is already a backports package that has 0.6: http://packages.ubuntu.com/hardy-backports/nginx

Kees Cook (kees) on 2009-09-16
Changed in nginx (Ubuntu):
status: In Progress → Triaged
Artur Rona (ari-tczew) on 2009-09-20
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.7.61-1ubuntu2

---------------
nginx (0.7.61-1ubuntu2) karmic; urgency=low

  * Install html files.
    - debian/dirs: Add 'var/www/nginx-default'.
    - debian/nginx.install: Add 'html/* var/www/nginx-default'.
  * SECURITY UPDATE (CVE-2009-2629): Buffer underflow vulnerability, which
    allows remote attackers to execute arbitrary code via crafted HTTP
    request. (LP: #430064)
    - src/http/ngx_http_parse.c patched.

 -- Andres Rodriguez <email address hidden> Thu, 24 Sep 2009 17:28:34 -0400

Changed in nginx (Ubuntu):
status: Triaged → Fix Released
Andres Rodriguez (andreserl) wrote :

Attaching security update debdiff for Jaunty.

Andres Rodriguez (andreserl) wrote :

Attaching Security update debdiff for Intrepid.

Andres Rodriguez (andreserl) wrote :

Attaching Security Update debdiff for Hardy

Changed in nginx (Ubuntu):
status: Fix Released → In Progress
assignee: Andres E. Rodriguez Lazo (andreserl) → nobody
Andres Rodriguez (andreserl) wrote :

Tests performed to this point were to verify the build and normal installation and operation of nginx; thus far everything works as expected.

Built packages can be found at: https://launchpad.net/~andreserl/+archive/ha

Changed in nginx (Ubuntu):
status: In Progress → Fix Committed
Changed in nginx (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
mdepot (mdepot) wrote :

In prior comments it was said that this security problem was fixed in 0.7.61. According to http://nginx.net/CHANGES-0.7 it was actually fixed in 0.7.62. There were also a number of other bug fixes in 0.7.62. The karmic package page currently lists 0.7.61 as the distribution release. Please recheck the nginx release notes link included here, and consider if karmic should actually go out with 0.7.62 as opposed to 0.7.61.

mdepot (mdepot) wrote :

Regarding last comment, as of this writing Debian sid is at 0.7.62-1.

Daniel Hahler (blueyed) wrote :

mdepot: I think the fix has been backported to Ubuntu's 0.7.61-1ubuntu2 - at least that's what I understand from the changelog.

What's in progress now is probably the processing for previous Ubuntu releases, and it should get handled through tasks for the particular releases (i.e. a task for Hardy, Jaunty etc).

Getting 0.7.62 into Karmic would be a new bug, and given the bugfixes, I'd support it. There's only one new feature, and that will either work or not, and given the time passed since 0.7.62 has been released, it did not cause a regression.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.6.35-0ubuntu1.1

---------------
nginx (0.6.35-0ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Buffer underflow vulnerability, which allows remote
    attackers to execute arbitrary code via crafted HTTP request. (LP: #430064)
    - src/http/ngx_http_parse.c patched.
    - CVE-2009-2629.

 -- Andres Rodriguez <email address hidden> Sat, 26 Sep 2009 13:13:57 -0400

Changed in nginx (Ubuntu):
status: Fix Committed → Fix Released
Changed in nginx (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
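
The thread shows why the upstream version number alone does not settle CVE-2009-2629 exposure: 0.7.61-1ubuntu2 is patched although upstream 0.7.61 is in the affected range. The following is an added example, not code from this report or from the nginx or Ubuntu projects. It classifies package versions using only the upstream ranges and patched package versions quoted on this page; the function names, result labels and the sample version 0.7.61-1ubuntu1 are constructed for illustration.

```python
import re

# First fixed upstream release per branch, from the thread:
# "Affected 0.1.0-0.8.14. Not affected 0.8.15, 0.7.62, 0.6.39 and 0.5.38"
FIXED_UPSTREAM = {(0, 5): (0, 5, 38), (0, 6): (0, 6, 39),
                  (0, 7): (0, 7, 62), (0, 8): (0, 8, 15)}
FIRST_AFFECTED = (0, 1, 0)

# Package versions this page names as carrying the backported patch.
BACKPORTED = {
    "0.4.13-2+etch2": "Debian etch",
    "0.6.32-3+lenny2": "Debian lenny",
    "0.7.61-3": "Debian sid",
    "0.7.61-1ubuntu2": "Ubuntu karmic",
    "0.6.35-0ubuntu1.1": "Ubuntu jaunty",
}

def upstream_of(pkg_version):
    """Return the upstream part of a package version as an int tuple."""
    upstream = pkg_version.rsplit("-", 1)[0] if "-" in pkg_version else pkg_version
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised nginx version: {pkg_version!r}")
    return tuple(int(x) for x in m.groups())

def classify(pkg_version):
    """Classify one installed nginx version against CVE-2009-2629."""
    if pkg_version in BACKPORTED:
        return "fixed-backport"
    up = upstream_of(pkg_version)
    if up < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_UPSTREAM.get(up[:2])
    if fixed is None:
        # 0.1-0.4 have no fixed upstream release; anything past 0.8 is newer
        # than every fixed release listed above.
        return "affected-unless-patched" if up < (0, 5, 0) else "fixed-upstream"
    return "fixed-upstream" if up >= fixed else "affected-unless-patched"

def audit(versions):
    """Map each version string to its classification."""
    return {v: classify(v) for v in versions}

if __name__ == "__main__":
    # Constructed inventory; 0.7.61-1ubuntu1 is a made-up pre-fix revision.
    for v, state in audit(["0.7.61-1ubuntu2", "0.7.61-1ubuntu1",
                           "0.7.62-1", "0.5.33-1", "0.6.39"]).items():
        print(f"{v:20} {state}")
```

A result of affected-unless-patched means the package changelog still has to be checked for the CVE entry, since only the exact package versions quoted above are recognised as backports.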