[CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Debian Bug report logs - #664137
[CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: submit@bugs.debian.org

Subject: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 20:54:17 +0100

Package: nginx
Severity: grave
Tags: security patch

The following vulnerability had been reported against nginx: 
http://seclists.org/oss-sec/2012/q1/644

The patch can be found in the report.

Please use CVE-2012-1180 for this issue.

Can you check if the stable version is affected?

Cheers,
luciano

Message #10 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Cyril Lavier <cyril.lavier@davromaniak.eu>

To: Luciano Bello <luciano@debian.org>, 664137@bugs.debian.org

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 21:07:13 +0100

On 03/15/2012 08:54 PM, Luciano Bello wrote:
> Package: nginx
> Severity: grave
> Tags: security patch
>
> The following vulnerability had been reported against nginx:
> http://seclists.org/oss-sec/2012/q1/644
>
> The patch can be found in the report.
>
> Please use CVE-2012-1180 for this issue.
>
> Can you check if the stable version is affected?
>
> Cheers,
> luciano
>
>
>
Hi Luciano.

The 1.1.17 will be uploaded tomorrow, we already done the needed test 
for the upload (build and functionality).

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Message #17 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Cyril Lavier <cyril.lavier@davromaniak.eu>

To: Luciano Bello <luciano@debian.org>

Cc: 664137@bugs.debian.org

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 21:34:19 +0100

On 03/15/2012 09:28 PM, Luciano Bello wrote:
> On Thursday 15 March 2012, Cyril Lavier wrote:
>> The 1.1.17 will be uploaded tomorrow, we already done the needed test
>> for the upload (build and functionality).
> Great!
>
> Can you check if stable is affected? The bug looks quite important. Do you think
> that stable should be updated by a DSA?
>
> Thanks,
> -l
Apparently, stable (and oldstable) are affected by the issue.

I'm working on adapting the upstream patch to the nginx stable package.

I think stable should be updated by a DSA, and Kartik scheduled it when 
we talk about uploading the 1.1.17 to unstable.

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Message #22 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: Cyril Lavier <cyril.lavier@davromaniak.eu>

Cc: 664137@bugs.debian.org

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 21:28:42 +0100

On Thursday 15 March 2012, Cyril Lavier wrote:
> The 1.1.17 will be uploaded tomorrow, we already done the needed test 
> for the upload (build and functionality).

Great!

Can you check if stable is affected? The bug looks quite important. Do you think 
that stable should be updated by a DSA?

Thanks,
-l

Message #27 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Cyril Lavier <cyril.lavier@davromaniak.eu>

To: 664137@bugs.debian.org

Cc: Luciano Bello <luciano@debian.org>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 21:46:45 +0100

On 03/15/2012 09:34 PM, Cyril Lavier wrote:
> On 03/15/2012 09:28 PM, Luciano Bello wrote:
>> On Thursday 15 March 2012, Cyril Lavier wrote:
>>> The 1.1.17 will be uploaded tomorrow, we already done the needed test
>>> for the upload (build and functionality).
>> Great!
>>
>> Can you check if stable is affected? The bug looks quite important. 
>> Do you think
>> that stable should be updated by a DSA?
>>
>> Thanks,
>> -l
> Apparently, stable (and oldstable) are affected by the issue.
>
> I'm working on adapting the upstream patch to the nginx stable package.
>
> I think stable should be updated by a DSA, and Kartik scheduled it 
> when we talk about uploading the 1.1.17 to unstable.
>
> Thanks.
>
So I just finished adapting the patch. It builds and works well.

It's here : http://paste.davromaniak.eu/index.php?show=71

The source package including the patch is here (use dget to download it 
;)): http://sources.davromaniak.eu/nginx/nginx_0.7.67-3+squeeze2.dsc

For old-stable, I don't have time tonight, so if anybody is willing to 
do it, don't hesitate :).

Thanks.

-- 
Cyril "Davromaniak" Lavier
KeyID 59E9A881
http://www.davromaniak.eu

Message #32 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: Cyril Lavier <cyril.lavier@davromaniak.eu>

Cc: 664137@bugs.debian.org

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Thu, 15 Mar 2012 22:19:57 +0100

On Thursday 15 March 2012, Cyril Lavier wrote:
> For old-stable, I don't have time tonight, so if anybody is willing to 
> do it, don't hesitate :).

Security does not support old-stable since Febrary.

Thanks a lot for your work!

-l

Message #37 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik.mistry@gmail.com>

To: Luciano Bello <luciano@debian.org>, 664137@bugs.debian.org

Cc: Cyril Lavier <cyril.lavier@davromaniak.eu>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Fri, 16 Mar 2012 10:03:43 +0530

On Fri, Mar 16, 2012 at 2:49 AM, Luciano Bello <luciano@debian.org> wrote:
> On Thursday 15 March 2012, Cyril Lavier wrote:
>> For old-stable, I don't have time tonight, so if anybody is willing to
>> do it, don't hesitate :).

Do you want me to upload it directly to stable or want to send email
to security with debdiff etc?

> Security does not support old-stable since Febrary.

:)

-- 
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com

Message #42 received at 664137-close@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik@debian.org>

To: 664137-close@bugs.debian.org

Subject: Bug#664137: fixed in nginx 1.1.17-1

Date: Fri, 16 Mar 2012 05:49:40 +0000

Source: nginx
Source-Version: 1.1.17-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive:

nginx-common_1.1.17-1_all.deb
  to main/n/nginx/nginx-common_1.1.17-1_all.deb
nginx-doc_1.1.17-1_all.deb
  to main/n/nginx/nginx-doc_1.1.17-1_all.deb
nginx-extras-dbg_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-extras-dbg_1.1.17-1_amd64.deb
nginx-extras_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-extras_1.1.17-1_amd64.deb
nginx-full-dbg_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-full-dbg_1.1.17-1_amd64.deb
nginx-full_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-full_1.1.17-1_amd64.deb
nginx-light-dbg_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-light-dbg_1.1.17-1_amd64.deb
nginx-light_1.1.17-1_amd64.deb
  to main/n/nginx/nginx-light_1.1.17-1_amd64.deb
nginx_1.1.17-1.debian.tar.gz
  to main/n/nginx/nginx_1.1.17-1.debian.tar.gz
nginx_1.1.17-1.dsc
  to main/n/nginx/nginx_1.1.17-1.dsc
nginx_1.1.17-1_all.deb
  to main/n/nginx/nginx_1.1.17-1_all.deb
nginx_1.1.17.orig.tar.gz
  to main/n/nginx/nginx_1.1.17.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 664137@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kartik Mistry <kartik@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 Mar 2012 10:27:38 +0530
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg
Architecture: source all amd64
Version: 1.1.17-1
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Kartik Mistry <kartik@debian.org>
Description: 
 nginx      - small, but very powerful and efficient web server and mail proxy
 nginx-common - small, but very powerful and efficient web server (common files)
 nginx-doc  - small, but very powerful and efficient web server (documentation)
 nginx-extras - nginx web server with full set of core modules and extras
 nginx-extras-dbg - Debugging symbols for nginx (extras)
 nginx-full - nginx web server with full set of core modules
 nginx-full-dbg - Debugging symbols for nginx (full)
 nginx-light - nginx web server with minimal set of core modules
 nginx-light-dbg - Debugging symbols for nginx (light)
Closes: 662799 662997 664090 664137
Changes: 
 nginx (1.1.17-1) unstable; urgency=medium
 .
   [Kartik Mistry]
   * New upstream release. (Closes: #664137)
     + Fixed malformed HTTP responses. See: CVE-2012-1180 for more details.
   * Set urgency to medium due to security issue.
 .
   [Cyril Lavier]
   * debian/rules:
     + Set NUMJOBS to 1 if no value is given
     + Added Auth PAM module to nginx-extras
     + Enable hardened flags for perl module (Thanks to Simon Ruderich for
       the patch) (Closes: #664090).
   * debian/conf/sites-available/default:
     + Added the fastcgi_pass for php5-fpm. (Closes: #662997)
   * debian/nginx-common.postrm, debian/rules, debian/nginx-common.postinst,
     debian/nginx-common.prerm, debian/nginx-common.service:
     + Added the systemd support. Thanks to Michael Stapelberg for the patch.
       (Closes: #662799)
Checksums-Sha1: 
 0ba5d591067d6fc7f9a273e3d0b51743221c04fb 1913 nginx_1.1.17-1.dsc
 60c02ddc7e742d8aa959531f5a63684380e798e8 712619 nginx_1.1.17.orig.tar.gz
 ea9262a1f0a3d180712322d8f039d5031fc58af8 567283 nginx_1.1.17-1.debian.tar.gz
 de1f00d37d9af48c103538b01c33a8009c9f5b4b 57078 nginx_1.1.17-1_all.deb
 6912ac57565860ceb800ecfe68077e866c978042 71148 nginx-doc_1.1.17-1_all.deb
 941f01012c7dc54a0da0d09b808488fdcc8e087f 67582 nginx-common_1.1.17-1_all.deb
 f26e24c01b63379dd31c3af65171d7cf80f15ae0 425748 nginx-full_1.1.17-1_amd64.deb
 8542c7dd1751f23ec58c6cccb6162cb2ddb71c31 2745830 nginx-full-dbg_1.1.17-1_amd64.deb
 bd64e49df797bccca570c98be18aa48fb94398a4 314018 nginx-light_1.1.17-1_amd64.deb
 866e651270147ee95c81a459a53585a5ee1ec3dc 1945608 nginx-light-dbg_1.1.17-1_amd64.deb
 63ee134a533e54e06b08711baeab6d1eab5e5011 574770 nginx-extras_1.1.17-1_amd64.deb
 8352e16b057aaad14479da5ca01c05206bc95d29 4032964 nginx-extras-dbg_1.1.17-1_amd64.deb
Checksums-Sha256: 
 9814be83f688e370a7f7931077fe4c1fd64396ad7044a9410ff598cd5d8fb20c 1913 nginx_1.1.17-1.dsc
 bcca95b2c5ad56c07940c5afc5848c10089ca5e1d79a3ebf23fa408996aba28a 712619 nginx_1.1.17.orig.tar.gz
 4466016d975d10da7660f0c70ed8cff96f975f1a45fffc2055f187f2a5edc355 567283 nginx_1.1.17-1.debian.tar.gz
 7bef2714225588b6db378dfb5e624d2fb52483c9ad09339dae3e0ca9207701de 57078 nginx_1.1.17-1_all.deb
 b97e72793af43f0fea7f38c517516234f848225ea8a3e18bb1e83df749e18ffb 71148 nginx-doc_1.1.17-1_all.deb
 607b8cffc1afd60196e83f71497151c63bc5bdb83f578c283fab720a2ed22793 67582 nginx-common_1.1.17-1_all.deb
 7b11b37f2ca438cc80c818a18d4075c5f1eac52d7e235a2139b1667be10df796 425748 nginx-full_1.1.17-1_amd64.deb
 cc2a073f0411ca1fc6daffc827742b1e69dd12eae2f069b14e4fa7cc93b409b8 2745830 nginx-full-dbg_1.1.17-1_amd64.deb
 1a79d12d0852bf44d77bd4262370e9846356a5458b22ff1b124f4e9d9f04a33f 314018 nginx-light_1.1.17-1_amd64.deb
 d78a9cec256d6627c1687813d7ff3b1f1137106c6f2ff406cc55c6f9f16e3e76 1945608 nginx-light-dbg_1.1.17-1_amd64.deb
 9d3c3202e569fc3f6d7bd19f21af9a6bf0475733272575ca51e1ab3acc140f67 574770 nginx-extras_1.1.17-1_amd64.deb
 a2cea44fa659e748b257e462a1e19889d071850f317f47fad45d453ac9fc7699 4032964 nginx-extras-dbg_1.1.17-1_amd64.deb
Files: 
 4342f3e894ac22693f01242a1f156846 1913 httpd optional nginx_1.1.17-1.dsc
 b4c1c855d130352586ffc9a945ea6c00 712619 httpd optional nginx_1.1.17.orig.tar.gz
 e8b708474b0424f42c70e9abd293f89b 567283 httpd optional nginx_1.1.17-1.debian.tar.gz
 36c3d4dd22f324c818ccea0dbbbb7d06 57078 httpd optional nginx_1.1.17-1_all.deb
 b4173514e080b90ef498be40ed435bd8 71148 doc optional nginx-doc_1.1.17-1_all.deb
 2d5d8fddf54afc0c38771701bfb34a08 67582 httpd optional nginx-common_1.1.17-1_all.deb
 c2b71f00f32b0f10735d93b7fbefd65c 425748 httpd optional nginx-full_1.1.17-1_amd64.deb
 cac590f9c489a55597c4de985c661ba5 2745830 debug extra nginx-full-dbg_1.1.17-1_amd64.deb
 63b5d38c9819c2b7bff488254429944c 314018 httpd extra nginx-light_1.1.17-1_amd64.deb
 7d5787fd48e450dd38b1a7988792789a 1945608 debug extra nginx-light-dbg_1.1.17-1_amd64.deb
 891f1013af24998ee5e081030797c9c7 574770 httpd extra nginx-extras_1.1.17-1_amd64.deb
 b4c408abf5d522b96d25b235eb88112c 4032964 debug extra nginx-extras-dbg_1.1.17-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk9i0c4ACgkQoRg/jtECjI3JaQCfS2pcvJ+BWyzVicwrrCuuRFcA
RtcAnAqiwvpvhSMUfIKn/s1E4tqh4Xaq
=Cglo
-----END PGP SIGNATURE-----

Message #47 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: Kartik Mistry <kartik.mistry@gmail.com>

Cc: 664137@bugs.debian.org, Cyril Lavier <cyril.lavier@davromaniak.eu>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Fri, 16 Mar 2012 15:05:00 +0100

[Message part 1 (text/plain, inline)]

On Friday 16 March 2012, Kartik Mistry wrote:
> Do you want me to upload it directly to stable or want to send email
> to security with debdiff etc?

Yes, please.

Thank you :)

/luciano

[signature.asc (application/pgp-signature, inline)]

Message #52 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik.mistry@gmail.com>

To: Luciano Bello <luciano@debian.org>

Cc: 664137@bugs.debian.org, Cyril Lavier <cyril.lavier@davromaniak.eu>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Fri, 16 Mar 2012 20:18:31 +0530

On Fri, Mar 16, 2012 at 7:35 PM, Luciano Bello <luciano@debian.org> wrote:
> On Friday 16 March 2012, Kartik Mistry wrote:
>> Do you want me to upload it directly to stable or want to send email
>> to security with debdiff etc?
>
> Yes, please.

Which one? :)

-- 
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com

Message #57 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: Kartik Mistry <kartik.mistry@gmail.com>

Cc: 664137@bugs.debian.org, Cyril Lavier <cyril.lavier@davromaniak.eu>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Fri, 16 Mar 2012 16:00:02 +0100

[Message part 1 (text/plain, inline)]

On Friday 16 March 2012, Kartik Mistry wrote:
> Which one? :)

Hehhe... please, upload.

-l

[signature.asc (application/pgp-signature, inline)]

Message #62 received at 664137@bugs.debian.org (full text, mbox, reply):

From: Kartik Mistry <kartik.mistry@gmail.com>

To: Luciano Bello <luciano@debian.org>

Cc: 664137@bugs.debian.org, Cyril Lavier <cyril.lavier@davromaniak.eu>

Subject: Re: Bug#664137: [CVE-2012-1180] nginx fix for malformed HTTP responses from upstream servers

Date: Fri, 16 Mar 2012 21:08:25 +0530

On Fri, Mar 16, 2012 at 8:30 PM, Luciano Bello <luciano@debian.org> wrote:
> On Friday 16 March 2012, Kartik Mistry wrote:
>> Which one? :)
>
> Hehhe... please, upload.

Done. Thanks!

-- 
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com

Send a report that this bug log contains spam.