Security Issues Impacting NGINX: 1.8.x, 1.9.x

Bug #1538165 reported by Thomas Ward on 2016-01-26
Affects            Status        Importance  Assigned to  Milestone
nginx (Debian)     Fix Released  Unknown
nginx (Ubuntu)                   Medium      Thomas Ward
  Precise                        Medium      Unassigned
  Trusty                         Medium      Unassigned
  Vivid                          Medium      Unassigned
  Wily                           Medium      Unassigned
  Xenial                         Medium      Thomas Ward

Bug Description

This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially.

There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx-announce mailing list (http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html):

- Invalid pointer dereference might occur during DNS server response
 processing, allowing an attacker who is able to forge UDP
 packets from the DNS server to cause worker process crash
 (CVE-2016-0742).

- Use-after-free condition might occur during CNAME response
 processing. This problem allows an attacker who is able to trigger
 name resolution to cause worker process crash, or might
 have potential other impact (CVE-2016-0746).

- CNAME resolution was insufficiently limited, allowing an attacker who
 is able to trigger arbitrary name resolution to cause excessive resource
 consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.

------

As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17, which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here.

Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories.

Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however.

Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and the patches may need to be re-engineered to apply to those code bases, given the age of those versions of nginx.

------

This is tracked in Debian as Debian Bug 812806:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806
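
As an added example (not part of the bug report, nginx, or the Ubuntu packaging), the following Python script applies the two exposure conditions stated above, the upstream affected range 0.6.18 - 1.9.9 (fixed in 1.9.10 and 1.8.1) and the presence of a "resolver" directive, to an nginx configuration; the Ubuntu package versions it treats as patched are the ones named in this bug's changelog entries, and the sample configuration and its resolver address are constructed.

```python
import re

# Affected upstream range and fixed releases, as given in the nginx-announce post.
AFFECTED_MIN, AFFECTED_MAX = (0, 6, 18), (1, 9, 9)
# Ubuntu package versions carrying the fix, from this bug's changelog entries
# (1.9.3 and 1.4.6 sort inside the affected range but were patched by backport).
FIXED_UBUNTU_PACKAGES = {"1.9.10-0ubuntu1", "1.9.3-1ubuntu1.1", "1.4.6-1ubuntu3.4"}

# 'resolver' must be followed by whitespace so 'resolver_timeout' is not matched.
RESOLVER_RE = re.compile(r"^\s*resolver\s+([^;]+);", re.MULTILINE)

# Constructed sample configuration; the resolver address is made up.
SAMPLE_CONFIG = """
http {
    # resolver 127.0.0.1;      commented out, must be ignored
    resolver_timeout 5s;       # a different directive, must be ignored
    server {
        resolver 10.0.0.53 valid=30s;
    }
}
"""

def parse_version(version):
    """'1.9.3' -> (1, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def upstream_vulnerable(version):
    """True if this upstream nginx version lacks the resolver fixes."""
    v = parse_version(version)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False
    # 1.8.1 sorts inside the range but is the fixed stable release.
    if v[:2] == (1, 8) and v >= (1, 8, 1):
        return False
    return True

def find_resolver_directives(config_text):
    """Arguments of each active 'resolver' directive; '#' comments are dropped first."""
    stripped = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return [m.group(1).split() for m in RESOLVER_RE.finditer(stripped)]

def assess(upstream_version, config_text, package_version=None):
    """Verdict for one host: exposure needs both the directive and an unfixed build."""
    if not find_resolver_directives(config_text):
        return "not affected: no resolver directive in configuration"
    if package_version in FIXED_UBUNTU_PACKAGES:
        return "fixed: Ubuntu package carries the backported resolver patches"
    if not upstream_vulnerable(upstream_version):
        return "fixed: upstream version outside the affected range"
    return "vulnerable: upgrade to 1.9.10 / 1.8.1 or a patched distro package"
```

The package-version check matters because a bare version comparison would flag Ubuntu's patched 1.9.3 and 1.4.6 packages as vulnerable; included files are not followed, so run it over each file the main configuration pulls in.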

Thomas Ward (teward) on 2016-01-26
Changed in nginx (Ubuntu Wily):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

All versions of nginx in Ubuntu are affected.

------

This went out over the nginx-announce list:

Hello!

Several problems in nginx resolver were identified, which might
allow an attacker to cause worker process crash, or might have
potential other impact:

- Invalid pointer dereference might occur during DNS server response
 processing, allowing an attacker who is able to forge UDP
 packets from the DNS server to cause worker process crash
 (CVE-2016-0742).

- Use-after-free condition might occur during CNAME response
 processing. This problem allows an attacker who is able to trigger
 name resolution to cause worker process crash, or might
 have potential other impact (CVE-2016-0746).

- CNAME resolution was insufficiently limited, allowing an attacker who
 is able to trigger arbitrary name resolution to cause excessive resource
 consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.

--
Maxim Dounin
http://nginx.org/

Changed in nginx (Ubuntu Vivid):
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu Trusty):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2016-01-26
Changed in nginx (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) on 2016-01-26
Changed in nginx (Ubuntu Precise):
status: New → Confirmed
Changed in nginx (Ubuntu Trusty):
status: New → Confirmed
Changed in nginx (Ubuntu Vivid):
status: New → Confirmed
Changed in nginx (Ubuntu Wily):
status: New → Confirmed
Changed in nginx (Ubuntu Xenial):
status: New → Confirmed
Thomas Ward (teward) on 2016-01-26
description: updated
information type: Private Security → Public Security
Changed in nginx (Ubuntu Xenial):
status: Confirmed → In Progress
Thomas Ward (teward) on 2016-01-26
description: updated
Thomas Ward (teward) wrote :

Debian actually was faster, and uploaded 1.9.10 today. As soon as that is available, I will merge it into Xenial.

tags: added: trusty
tags: added: precise
Changed in nginx (Ubuntu Precise):
importance: Undecided → High
Changed in nginx (Ubuntu Trusty):
importance: Undecided → High
Changed in nginx (Ubuntu Vivid):
importance: Undecided → High
Changed in nginx (Ubuntu Wily):
importance: Undecided → High
Changed in nginx (Ubuntu Xenial):
importance: Undecided → High
Thomas Ward (teward) wrote :

Importance reset to Medium per Ubuntu Security Team stating the CVEs would be Medium level. (Bug importance set to match)

Changed in nginx (Ubuntu Precise):
importance: High → Medium
Changed in nginx (Ubuntu Trusty):
importance: High → Medium
Changed in nginx (Ubuntu Vivid):
importance: High → Medium
Changed in nginx (Ubuntu Wily):
importance: High → Medium
Changed in nginx (Ubuntu Xenial):
importance: High → Medium
Thomas Ward (teward) wrote :

An upload of NGINX 1.9.10 has been done for Xenial, and is now building; marking Fix Committed for Xenial.

Changed in nginx (Ubuntu Xenial):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.9.10-0ubuntu1

---------------
nginx (1.9.10-0ubuntu1) xenial; urgency=medium

  * New upstream release.
  * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch
  * Security content of this upload addresses the following vulnerabilities
    and CVE-numbered Security issues: (LP: #1538165)
    - Invalid pointer dereference might occur during DNS server response
      processing, allowing an attacker who is able to forge UDP
      packets from the DNS server to cause worker process crash
      (CVE-2016-0742).
    - Use-after-free condition might occur during CNAME response
      processing. This problem allows an attacker who is able to trigger
      name resolution to cause worker process crash, or might
      have potential other impact (CVE-2016-0746).
    - CNAME resolution was insufficiently limited, allowing an attacker who
      is able to trigger arbitrary name resolution to cause excessive resource
      consumption in worker processes (CVE-2016-0747).

 -- Thomas Ward <email address hidden> Tue, 26 Jan 2016 14:53:01 -0500

Changed in nginx (Ubuntu Xenial):
status: Fix Committed → Fix Released
Thomas Ward (teward) on 2016-01-26
Changed in nginx (Ubuntu Vivid):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Trusty):
assignee: Thomas Ward (teward) → nobody
Changed in nginx (Ubuntu Precise):
assignee: Thomas Ward (teward) → nobody
Thomas Ward (teward) on 2016-01-27
Changed in nginx (Ubuntu Wily):
assignee: Thomas Ward (teward) → nobody
Thomas Ward (teward) wrote :

As Vivid reaches End of Life tomorrow, and that provides insufficient time for a fix to be produced for that version of the package, we are marking this as "Won't Fix" on Vivid.

Changed in nginx (Ubuntu Vivid):
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.9.3-1ubuntu1.1

---------------
nginx (1.9.3-1ubuntu1.1) wily-security; urgency=medium

  * SECURITY UPDATE: multiple resolver security issues (LP: #1538165)
    - debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault
      on DNS format error.
    - debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler.
    - debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for
      several requests.
    - debian/patches/CVE-2016-074x-4.patch: change the
      ngx_resolver_create_*_query() arguments.
    - debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory
      accesses with CNAME.
    - debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion.
    - CVE-2016-0742
    - CVE-2016-0743
    - CVE-2016-0744

 -- Marc Deslauriers <email address hidden> Wed, 03 Feb 2016 08:38:22 -0500

Changed in nginx (Ubuntu Wily):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.4.6-1ubuntu3.4

---------------
nginx (1.4.6-1ubuntu3.4) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple resolver security issues (LP: #1538165)
    - debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault
      on DNS format error.
    - debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler.
    - debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for
      several requests.
    - debian/patches/CVE-2016-074x-4.patch: change the
      ngx_resolver_create_*_query() arguments.
    - debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory
      accesses with CNAME.
    - debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion.
    - CVE-2016-0742
    - CVE-2016-0743
    - CVE-2016-0744

 -- Marc Deslauriers <email address hidden> Wed, 03 Feb 2016 09:12:00 -0500

Changed in nginx (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in nginx (Debian):
status: Unknown → Fix Released