[SRU] Please update nginx in Xenial and Yakkety to 1.10.3

Bug #1663937 reported by Thomas Ward on 2017-02-11
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
nginx (Ubuntu)
Wishlist
Unassigned
Xenial
Wishlist
Unassigned
Yakkety
Wishlist
Unassigned

Bug Description

[Impact]

Two releases are affected: Xenial and Yakkety.

There are a bunch of bugfixes in 1.10.3, including HTTP/2 fixes, that should be included in Ubuntu. This is detailed here in the upstream changelog from nginx:

Changes with nginx 1.10.3 (31 Jan 2017)

    *) Bugfix: in the "add_after_body" directive when used with the
       "sub_filter" directive.

    *) Bugfix: unix domain listen sockets might not be inherited during
       binary upgrade on Linux.

    *) Bugfix: graceful shutdown of old worker processes might require
       infinite time when using HTTP/2.

    *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
       directives client request body might be corrupted; the bug had
       appeared in 1.10.2.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2; the bug had appeared in 1.10.2.

    *) Bugfix: an incorrect response might be returned when using the
       "sendfile" directive on FreeBSD and macOS; the bug had appeared in
       1.7.8.

    *) Bugfix: a truncated response might be stored in cache when using the
       "aio_write" directive.

    *) Bugfix: a socket leak might occur when using the "aio_write"
       directive.

[Test Case]

No test cases available as there are no bugs filed for any of these in Ubuntu. However, due to HTTP/2, any 'bugs' in these which may corrupt data or not kill worker processes correctly, or segfault, should be addressed.

[Regression Potential]

All these bugfixes were tested upstream by the nginx team, and do not pose a regression risk to the existing software versions or features of Ubuntu in affected releases.

[Other Info]

I will be uploading nginx 1.10.3 directly to Zesty today, and then have a merge ready by the end of the week for Zesty from Debian, which pulls in dynamic module support, etc. This SRU is written here ahead of having the Zesty update done, because this happens to be on my list of things to get done before the Zesty update.

CVE References

Thomas Ward (teward) on 2017-02-11
description: updated
summary: - Please update nginx in Xenial and Yakkety to 1.10.3
+ [SRU] Please update nginx in Xenial and Yakkety to 1.10.3
Thomas Ward (teward) wrote :

For Xenial, also take into account the changes done between 1.10.0 and 1.10.3. Note the CVE issue is already fixed in the Security repository, but other bugfixes should probably be included.

Changes with nginx 1.10.3 31 Jan 2017

    *) Bugfix: in the "add_after_body" directive when used with the
       "sub_filter" directive.

    *) Bugfix: unix domain listen sockets might not be inherited during
       binary upgrade on Linux.

    *) Bugfix: graceful shutdown of old worker processes might require
       infinite time when using HTTP/2.

    *) Bugfix: when using HTTP/2 and the "limit_req" or "auth_request"
       directives client request body might be corrupted; the bug had
       appeared in 1.10.2.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2; the bug had appeared in 1.10.2.

    *) Bugfix: an incorrect response might be returned when using the
       "sendfile" directive on FreeBSD and macOS; the bug had appeared in
       1.7.8.

    *) Bugfix: a truncated response might be stored in cache when using the
       "aio_write" directive.

    *) Bugfix: a socket leak might occur when using the "aio_write"
       directive.

Changes with nginx 1.10.2 18 Oct 2016

    *) Change: the "421 Misdirected Request" response now used when
       rejecting requests to a virtual server different from one negotiated
       during an SSL handshake; this improves interoperability with some
       HTTP/2 clients when using client certificates.

    *) Change: HTTP/2 clients can now start sending request body
       immediately; the "http2_body_preread_size" directive controls size of
       the buffer used before nginx will start reading client request body.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2 and the "proxy_request_buffering" directive.

    *) Bugfix: the "Content-Length" request header line was always added to
       requests passed to backends, including requests without body, when
       using HTTP/2.

    *) Bugfix: "http request count is zero" alerts might appear in logs when
       using HTTP/2.

    *) Bugfix: unnecessary buffering might occur when using the "sub_filter"
       directive; the issue had appeared in 1.9.4.

    *) Bugfix: socket leak when using HTTP/2.

    *) Bugfix: an incorrect response might be returned when using the "aio
       threads" and "sendfile" directives; the bug had appeared in 1.9.13.

    *) Workaround: OpenSSL 1.1.0 compatibility.

Changes with nginx 1.10.1 31 May 2016

    *) Security: a segmentation fault might occur in a worker process while
       writing a specially crafted request body to a temporary file
       (CVE-2016-4450); the bug had appeared in 1.3.9.

description: updated
Thomas Ward (teward) wrote :

For Yakkety, the only missing additional changelog would be 1.10.2's changelog:

Changes with nginx 1.10.2 18 Oct 2016

    *) Change: the "421 Misdirected Request" response now used when
       rejecting requests to a virtual server different from one negotiated
       during an SSL handshake; this improves interoperability with some
       HTTP/2 clients when using client certificates.

    *) Change: HTTP/2 clients can now start sending request body
       immediately; the "http2_body_preread_size" directive controls size of
       the buffer used before nginx will start reading client request body.

    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2 and the "proxy_request_buffering" directive.

    *) Bugfix: the "Content-Length" request header line was always added to
       requests passed to backends, including requests without body, when
       using HTTP/2.

    *) Bugfix: "http request count is zero" alerts might appear in logs when
       using HTTP/2.

    *) Bugfix: unnecessary buffering might occur when using the "sub_filter"
       directive; the issue had appeared in 1.9.4.

    *) Bugfix: socket leak when using HTTP/2.

    *) Bugfix: an incorrect response might be returned when using the "aio
       threads" and "sendfile" directives; the bug had appeared in 1.9.13.

    *) Workaround: OpenSSL 1.1.0 compatibility.

Changed in nginx (Ubuntu):
status: Triaged → New
description: updated
Thomas Ward (teward) on 2017-02-11
Changed in nginx (Ubuntu):
status: New → Invalid
Changed in nginx (Ubuntu Xenial):
status: New → Triaged
Changed in nginx (Ubuntu Yakkety):
status: New → Incomplete
status: Incomplete → Triaged
Changed in nginx (Ubuntu Xenial):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Yakkety):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu):
assignee: Thomas Ward (teward) → nobody
description: updated
Thomas Ward (teward) wrote :

Proposed SRU packages have been uploaded for review in the queues.

Attached here shortly will be the debdiffs.

Thomas Ward (teward) wrote :
Thomas Ward (teward) wrote :
Jeremy Bicha (jbicha) wrote :

I'm unsubscribing ubuntu-sponsors since there's nothing to sponsor here. (Subscribing ubuntu-sponsors is usually done when you don't have upload rights for the proposed change, but that's not the case here since you already uploaded the updates.)

Also, the SRU team will subscribe themselves when they accept the SRU; you don't need to do that.

https://wiki.ubuntu.com/StableReleaseUpdates#Procedure
https://wiki.ubuntu.com/StableReleaseUpdates#Reviewing_procedure_and_tools

Changed in nginx (Ubuntu):
status: Invalid → Fix Released
Brian Murray (brian-murray) wrote :

The Zesty update is still stuck in -proposed, so I'm not accepting the SRU at this point in time.

Robie Basak (racb) wrote :

1.10.3 is still stuck in zesty-proposed.

Hello Thomas, or anyone else affected,

Accepted nginx into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.10.3-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nginx (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed
Changed in nginx (Ubuntu Yakkety):
status: Triaged → Fix Committed
Chris J Arges (arges) wrote :

Hello Thomas, or anyone else affected,

Accepted nginx into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nginx/1.10.3-0ubuntu0.16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The fix for this bug has been awaiting testing feedback in the -proposed repository for xenial for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Simon Déziel (sdeziel) wrote :

I just tested an upgrade to 1.10.3-0ubuntu0.16.04.1 on Xenial. Works well in general and HTTP/2 keeps working.

tags: added: verification-done-xenial verification-needed-yakkety
removed: verification-needed

As part of a recent change in the Stable Release Update verification policy we would like to inform that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug where $RELEASE is the name of the series the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nginx - 1.10.3-0ubuntu0.16.04.1

---------------
nginx (1.10.3-0ubuntu0.16.04.1) xenial; urgency=medium

  * Stable Release Update (LP: #1663937)
  * New upstream release (1.10.3) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.10
  * All Ubuntu specific changes from 1.10.0-0ubuntu1 through
    1.10.0-0ubuntu0.16.04.4 remain included.
  * Additional changes:
    * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.
    * debian/patches/cve-2016-4450.patch: Drop CVE patch as it is already
      included in the upstream source code in this upload.

 -- Thomas Ward <email address hidden> Sat, 11 Feb 2017 16:18:21 -0500

Changed in nginx (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for nginx has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers