Comment 0 for bug 1538165

Thomas Ward (teward) wrote :

This is listed as a Private Security bug as it contains some security content, but does not contain specifics due to Upstream not releasing them, and also at Upstream's request to keep notifications about issues not yet known to the public quiet.

It was told to me from NGINX Upstream by Andrew Hutchings (the Technical Product Manager at NGINX Inc, the company behind the nginx web server) that there is an update releasing for NGINX that addresses some security issues, with CVE information to be made available once the release is made. The releases containing fixes for these issues are 1.8.1 for the Stable branch, and 1.9.10 for the Mainline branch.

These issues are NOT yet available for me to review, and therefore security content of these issues remains secret to me.

This bug here is made as a tracker for pending state on this, as well as to have the information stored for the issues affecting NGINX in Ubuntu.

Without specific details, I can say with some certainty that NGINX 1.9.0 and later are affected, which means Wily and Xenial are both affected. Once more data is available, CVEs will be added here as well as other information related to these CVEs, and we can determine what needs to be fixed where after that information is available.

I am assigning myself currently to track this, as the NGINX release is expected today (January 26, 2016) at some time according to Andrew, and that release will have details available there as well as fixes.