Specially crafted request URI permits security restriction bypass [CVE-2013-4547]

For records:

The problem affects nginx 0.8.41 - 1.5.6.

The problem is fixed in nginx 1.5.7, 1.4.4.

------

Precise, Quantal, Raring, Saucy, and Trusty are currently affected.

Confirmed / High set after consulting with #ubuntu-hardened on IRC in regards for how the status and importance are to be set.

Precise debdiff for this bug.

Quantal debdiff for this bug.

Raring debdiff for this bug.

Saucy debdiff for this bug

cjwatson has told me that they will merge 1.4.4 from Debian into Trusty, once it's listed in `rmadison -u debian nginx`. Since nginx 1.4.4 has a fix for this CVE included in it, that should fix this bug for Trusty. (nginx 1.4.4 from Debian also addresses other bugs and issues in the Debian package, and is not yet displayed in rmadison because it was only uploaded today)

This bug was fixed in the package nginx - 1.2.1-2.2ubuntu0.2

---------------
nginx (1.2.1-2.2ubuntu0.2) quantal-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:19:37 -0500

This bug was fixed in the package nginx - 1.2.6-1ubuntu3.3

---------------
nginx (1.2.6-1ubuntu3.3) raring-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:24:46 -0500

This bug was fixed in the package nginx - 1.1.19-1ubuntu0.5

---------------
nginx (1.1.19-1ubuntu0.5) precise-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:02:22 -0500

This bug was fixed in the package nginx - 1.4.1-3ubuntu1.1

---------------
nginx (1.4.1-3ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: ACL bypass via space character (LP: #1253691)
    - debian/patches/cve-2013-4547.patch: modify src/http/ngx_http_parse.c
      to account for a space character, fixing an issue which could result in
      security restrictions being bypassed
    - CVE-2013-4547
 -- Thomas Ward <email address hidden> Thu, 21 Nov 2013 13:27:20 -0500

This bug was fixed in the package nginx - 1.4.4-1ubuntu1

---------------
nginx (1.4.4-1ubuntu1) trusty; urgency=low

  * Resynchronise with Debian (LP: #1253691). Remaining changes:
    - debian/patches/ubuntu-branding.patch:
      + Add Ubuntu branding to server_tokens.

nginx (1.4.4-1) unstable; urgency=low

  [ Christos Trochalakis ]
  * New upstream release. (Closes: #730012)
  * debian/nginx-*.postinst:
    + Wait for the new master to write its pid file before sending QUIT to the
      old master. This solves an issue with systemd and the upgrade mechanism.
      Systemd receives the SIGCHLD from the old master but it can't see the new
      pid because the new master has not written it yet. As a result, it kills
      everything inside the cgroup, including the new master.
  * debian/modules/ngx-fancyindex:
    + Upgrade Fancy Index module to v0.3.3 (Closes: #728721)
  * debian/control:
    + Remove Upload module from nginx-extras description (Closes: #729003)

  [ Michael Lustfield ]
  * debian/control:
    + Added spdy to package description (Closes: #728038)
  * debian/nginx-common.nginx.init:
    + Showing better start/stop messages. Thanks Pim van den Berg.
      (Closes: #728103)
 -- Colin Watson <email address hidden> Fri, 22 Nov 2013 12:23:25 +0000