
March 15th 2012 Security Advisory

Reported by Luis Arias on 2012-03-15
This bug affects 7 people
Affects          Importance  Assigned to
nginx (Ubuntu)   Medium      Thomas Ward
Lucid            Medium      Thomas Ward
Maverick         Medium      Thomas Ward
Natty            Medium      Thomas Ward
Oneiric          Medium      Thomas Ward
Precise          Medium      Thomas Ward

Bug Description

Any chance nginx can be updated with this patch on oneiric?

http://mailman.nginx.org/pipermail/nginx-announce/2012/000076.html

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

If anyone works on debdiffs for this, please also include the other CVEs which are currently unfixed:

http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html

Changed in nginx (Ubuntu Lucid):
status: New → Confirmed
Changed in nginx (Ubuntu Maverick):
status: New → Confirmed
Changed in nginx (Ubuntu Natty):
status: New → Confirmed
Changed in nginx (Ubuntu Oneiric):
status: New → Confirmed
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu Lucid):
importance: Undecided → Medium
Changed in nginx (Ubuntu Maverick):
importance: Undecided → Medium
Changed in nginx (Ubuntu Natty):
importance: Undecided → Medium
Changed in nginx (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in nginx (Ubuntu Precise):
importance: Undecided → Medium
Cyril Lavier (davromaniak) wrote :

Hi.

We are preparing a 1.1.17 package for Nginx which may be uploaded in Debian Unstable tomorrow.

We also plan to fix the 0.7.67 release (Debian Stable) in the next days.

For the other versions, I may try to apply the patch and propose the source packages, but if somebody has time to apply the patch and propose packages, don't hesitate :).

Thanks.

Cyril Lavier (davromaniak) wrote :

Hi.

So here is the patch adapted for nginx 0.7.67 (which is in maverick): http://paste.davromaniak.eu/index.php?show=71

Thanks.

Changed in nginx (Ubuntu Lucid):
assignee: nobody → Michael Lustfield (michaellustfield)
Changed in nginx (Ubuntu Maverick):
assignee: nobody → Michael Lustfield (michaellustfield)
Changed in nginx (Ubuntu Natty):
assignee: nobody → Michael Lustfield (michaellustfield)
Changed in nginx (Ubuntu Oneiric):
assignee: nobody → Michael Lustfield (michaellustfield)
Changed in nginx (Ubuntu Precise):
assignee: nobody → Michael Lustfield (michaellustfield)

It looks like CVE-2009-4487 should be marked ignore. Upstream has no intention of ever touching this CVE and does not see it as a legitimate issue.

Andy Gayton (cablehead) wrote :

Is there an ETA for when this patch will be available as a security update? Thanks.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL (End of Life) and is no longer supported. As a result, this bug against maverick is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in nginx (Ubuntu Maverick):
status: Confirmed → Won't Fix
Thomas Ward (teward) on 2012-05-19
Changed in nginx (Ubuntu Precise):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Oneiric):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Natty):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Thomas Ward (teward) on 2012-05-19
Changed in nginx (Ubuntu Lucid):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Thomas Ward (teward) on 2012-05-20
Changed in nginx (Ubuntu Maverick):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu):
assignee: Michael Lustfield (michaellustfield) → Thomas Ward (trekcaptainusa-tw)
Thomas Ward (teward) wrote :

Debdiff for Lucid that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

Thomas Ward (teward) wrote :

Debdiff for Natty that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

Thomas Ward (teward) wrote :

Debdiff for Oneiric that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180

--

Fixes not included for CVE-2009-4487, as it is being ignored upstream, and should accordingly be ignored in Ubuntu.

Thomas Ward (teward) wrote :

The following CVEs do not apply to Precise or Quantal, as the versions in Precise and Quantal already contain upstream code changes which fixed these CVEs:

CVE-2011-4315
CVE-2012-1180

------

The following CVE should be marked as 'Ignored' or similar for Ubuntu, as this CVE is being ignored upstream:

CVE-2009-4487

Thomas Ward (teward) wrote :

Additional Details (#11):

CVE-2009-4487
Considered a non-issue by the upstream developers, hence the requirement of marking as 'Ignore' or similar in Ubuntu

Steve Beattie (sbeattie) on 2012-05-22
Changed in nginx (Ubuntu):
status: Confirmed → Fix Released
Changed in nginx (Ubuntu Precise):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiffs! Unfortunately they do not follow the guidelines specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Specifically:
 * debian/changelog was not updated
 * the patches do not have DEP-3 comments that describe their origin and why they are needed
 * the 11.10 debdiff has an undocumented change to debian/modules/nginx-lua/.gitmodules. Was this intended?

Please update and resubmit. I am going to unsubscribe ubuntu-security-sponsors at this time. Please resubscribe after updating the debdiffs. Thanks again.

Changed in nginx (Ubuntu Lucid):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Natty):
status: Confirmed → In Progress
Changed in nginx (Ubuntu Oneiric):
status: Confirmed → In Progress

sbeattie already addressed that on IRC. I am working on fixing them.

Also note that I did not include change logs per previous SRU occurrences where I was told to omit the change log when possible.

The changes to git related items are unintended, as I did not modify them. I can add an exclude when I work on the changes.

------
Thomas

On May 30, 2012, at 2:16 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks for the debdiffs! Unfortunately they do not follow the guidelines specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging. Specifically:
> * debian/changelog was not updated
> * the patches do not have DEP-3 comments that describe their origin and why they are needed
> * the 11.10 debdiff has an undocumented change to debian/modules/nginx-lua/.gitmodules. Was this intended?
>
> Please update and resubmit. I am going to unsubscribe ubuntu-security-
> sponsors at this time. Please resubscribe after updating the debdiffs.
> Thanks again.

Jamie Strandboge (jdstrand) wrote :

Thanks. I think there might have been miscommunication on the changelog. While you do not want to include changes to the upstream changelog in SRUs or security updates, you do want to update debian/changelog.

Thomas Ward (teward) wrote :

Possibly. I will modify my system to correctly allow for the changelog to be included. I will be adding an exclude rule for the git items you mentioned, those shouldn't be changed, and that may have happened by pure accident when my system was building the package.

------
Thomas
On Thu, May 31, 2012 at 1:54 PM, Jamie Strandboge <email address hidden> wrote:

> Thanks. I think there might have been miscommunication on the changelog.
> While you do not want to include changes to the upstream changelog in
> SRUs or security updates, you do want to update debian/changelog.

Thomas Ward (teward) wrote :

Okay, let's try this again. I've changed my debdiff command to --exclude git, so git changes shouldn't exist anymore.

I am going to be uploading the updated debdiffs shortly.

Thomas Ward (teward) wrote :

This is an updated version of the previous Lucid debdiff uploaded.

Thomas Ward (teward) wrote :

Resubscribing the security sponsors team since there are new debdiffs uploaded.

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs. I've uploaded packages that are building now.

I slightly adjusted them:
- Oneiric had a change in debian/modules/nginx-lua/.gitmodules, which I removed
- I retargeted them to the security pocket (i.e. oneiric-security instead of oneiric)
- I adjusted the version numbers as per the versioning guide here:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

Thanks!

Changed in nginx (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in nginx (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in nginx (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.0.5-1ubuntu0.1

---------------
nginx (1.0.5-1ubuntu0.1) oneiric-security; urgency=low

  * Security update (closes LP: #956150):
     * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
     * Patch to fix 'Heap-based buffer overflow in compression-pointer
       processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Tue, 12 Jun 2012 12:52:27 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.8.54-4ubuntu0.1

---------------
nginx (0.8.54-4ubuntu0.1) natty-security; urgency=low

  * Security update (closes LP: #956150):
    * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
    * Patch to fix 'Heap-based buffer overflow in compression-pointer
      processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Sun, 20 May 2012 13:05:42 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 0.7.65-1ubuntu2.3

---------------
nginx (0.7.65-1ubuntu2.3) lucid-security; urgency=low

  * Security update (closes LP: #956150):
     * Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
     * Patch to fix 'Heap-based buffer overflow in compression-pointer
       processing in core/ngx_resolver.c' (CVE-2011-4315).
 -- Thomas Ward <email address hidden> Tue, 12 Jun 2012 12:37:49 -0400

Changed in nginx (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in nginx (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in nginx (Ubuntu Oneiric):
status: Fix Committed → Fix Released
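As an added example that is not part of the bug report or of the nginx packaging: a Python check that decides whether an installed nginx on Lucid, Natty or Oneiric is at or above the version the changelog entries above name as carrying the fixes for CVE-2011-4315 and CVE-2012-1180. It compares versions by the dpkg rules (epoch, upstream, Debian revision, with '~' sorting before everything, so a '~ppa' build of the fixed revision still counts as unpatched); the release names and fixed versions come from this page, the function names are my own.

```python
import re
from itertools import zip_longest

# Fixed versions as published in the Launchpad Janitor entries on this page.
FIXED_VERSIONS = {
    "lucid": "0.7.65-1ubuntu2.3",
    "natty": "0.8.54-4ubuntu0.1",
    "oneiric": "1.0.5-1ubuntu0.1",
}

def _order(c):
    # dpkg character weight: '~' sorts before the end of the string, letters before symbols
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg's verrevcmp(): walk both strings in lockstep, one non-digit run then one digit
    # run per step; non-digit runs compare by weight (0 marks the end), digit runs numerically
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, da), (sb, db) in pairs:
        ka, kb = [_order(c) for c in sa] + [0], [_order(c) for c in sb] + [0]
        if ka != kb:
            return (ka > kb) - (ka < kb)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def _split(version):
    # "epoch:upstream-revision"; epoch defaults to 0 and revision to "" when absent
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1: the order `dpkg --compare-versions` would give a against b
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(release, installed):
    # True when the installed nginx is at or above the security-pocket version for that release
    return compare_versions(installed, FIXED_VERSIONS[release]) >= 0
```

Feed it the output of `dpkg-query -W -f '${Version}' nginx` from the host being audited; Precise and later are not in the table because, as noted above, their nginx already contained the upstream fixes.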