nginx: CVE-2014-3556 STARTTLS command injection

Related Vulnerabilities: CVE-2014-3556  

Debian Bug report logs - #757196

Reported by: Christos Trochalakis <yatiohi@ideopolis.gr>

Date: Wed, 6 Aug 2014 07:03:07 UTC

Severity: important

Tags: fixed-upstream, pending, security, upstream

Fixed in version nginx/1.6.1-1

Done: Christos Trochalakis <yatiohi@ideopolis.gr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#757196; Package src:nginx. (Wed, 06 Aug 2014 07:03:12 GMT)


Acknowledgement sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
New Bug report received and forwarded. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 06 Aug 2014 07:03:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx: CVE-2014-3556 STARTTLS command injection
Date: Wed, 6 Aug 2014 10:01:17 +0300
Source: nginx
Severity: important
Tags: security

A bug in nginx SMTP proxy was found, which allows an attacker in a
privileged network position to inject commands into SSL sessions started
with the STARTTLS command, potentially making it possible to steal
sensitive information sent by clients (CVE-2014-3556).

The problem affects nginx 1.5.6 - 1.7.3.

The problem is fixed in nginx 1.7.4, 1.6.1.

http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html
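
A plain range test on "1.5.6 - 1.7.3" would flag the fixed 1.6.1 release, because the fix landed on two branches (1.6.1 and 1.7.4). The triage helper below is an added example, not code from this report or from nginx; the function names, result labels and sample configuration are constructed for illustration, and `starttls`, `protocol` and `listen` are the nginx mail-module directives it looks for.

```python
import re

# Bounds as stated in the report: affected 1.5.6 - 1.7.3,
# fixed in 1.7.4 and 1.6.1.
FIRST_AFFECTED = (1, 5, 6)
FIXED_STABLE = (1, 6, 1)
FIXED_MAINLINE = (1, 7, 4)


def upstream_version(version):
    """Parse 'nginx/1.6.0' or a Debian version like '1:1.6.0-2+b1' into a tuple."""
    v = version.strip().split("/")[-1].split(":", 1)[-1]  # drop 'nginx/' and epoch
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if m is None:
        raise ValueError("unrecognised nginx version: %r" % version)
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """True if the upstream version is in the affected range."""
    # Caveat: only the upstream part is compared; a package that backports
    # the fix under an older upstream version would still be reported.
    v = upstream_version(version)
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # 1.6.1 and later 1.6.x sort inside 1.5.6 - 1.7.3 but carry the fix.
    return not (v[:2] == (1, 6) and v >= FIXED_STABLE)


def smtp_starttls_enabled(conf_text):
    """Rough check for a mail{} proxy offering STARTTLS on an SMTP listener."""
    text = re.sub(r"#.*", "", conf_text)  # ignore commented-out directives
    has_mail = re.search(r"\bmail\s*\{", text) is not None
    starttls = re.search(r"\bstarttls\s+(on|only)\s*;", text) is not None
    smtp = re.search(r"\bprotocol\s+smtp\s*;|\blisten\s+(\S+:)?(25|587)\b", text)
    return has_mail and starttls and smtp is not None


def triage(version, conf_text):
    """Combine the version check with the configuration check."""
    if not version_affected(version):
        return "not affected"
    if smtp_starttls_enabled(conf_text):
        return "affected and exposed"
    return "affected, SMTP STARTTLS not configured"


# Constructed sample configuration (not taken from the report).
SAMPLE_CONF = "mail { server { listen 587; protocol smtp; starttls on; } }"
```

The version string can come from `nginx -v` or from the package manager; the configuration text is the concatenated nginx configuration.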



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 06 Aug 2014 09:21:10 GMT)


Reply sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
You have taken responsibility. (Wed, 06 Aug 2014 09:42:06 GMT)


Notification sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
Bug acknowledged by developer. (Wed, 06 Aug 2014 09:42:06 GMT)


Message #12 received at 757196-close@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 757196-close@bugs.debian.org
Subject: Bug#757196: fixed in nginx 1.6.1-1
Date: Wed, 06 Aug 2014 09:39:26 +0000
Source: nginx
Source-Version: 1.6.1-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 757196@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <yatiohi@ideopolis.gr> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 06 Aug 2014 10:05:08 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.6.1-1
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Christos Trochalakis <yatiohi@ideopolis.gr>
Description:
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 757196
Changes:
 nginx (1.6.1-1) unstable; urgency=medium
 .
   [ Christos Trochalakis ]
   * New upstream release.
     Handle CVE-2014-3556 SMTP STARTTLS vulnerability (Closes: #757196)
     http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html




Added tag(s) pending. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Wed, 06 Aug 2014 09:57:05 GMT)


Message sent on to Christos Trochalakis <yatiohi@ideopolis.gr>:
Bug#757196. (Wed, 06 Aug 2014 09:57:09 GMT)


Message #17 received at 757196-submitter@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 757196-submitter@bugs.debian.org
Subject: Bug#757196 marked as pending
Date: Wed, 06 Aug 2014 09:55:34 +0000
tag 757196 pending
thanks

Hello,

Bug #757196 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=793a370

---
commit 793a370c66fdfdfb5506a6a9b6fbdd1b1066b53e
Author: Christos Trochalakis <yatiohi@ideopolis.gr>
Date:   Wed Aug 6 10:05:18 2014 +0300

    Release 1.6.1-1

diff --git a/debian/changelog b/debian/changelog
index e0ca5aa..d68abb1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+nginx (1.6.1-1) unstable; urgency=medium
+
+  [ Christos Trochalakis ]
+  * New upstream release.
+    Handle CVE-2014-3556 SMTP STARTTLS vulnerability (Closes: #757196)
+    http://mailman.nginx.org/pipermail/nginx-announce/2014/000144.html
+
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Wed, 06 Aug 2014 10:05:08 +0300
+
 nginx (1.6.0-2) unstable; urgency=medium
 
   [ gregor herrmann ]
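
Review bot: in the new 1.6.1-1 stanza the CVE fix is written as a continuation line of the "* New upstream release." bullet, so the security-relevant change and its "Closes: #757196" are easy to overlook when scanning the changelog. Give it its own bullet that names the issue, for example "* Fix CVE-2014-3556: SMTP STARTTLS command injection (Closes: #757196)", and keep the announcement URL under it. The stanza also keeps urgency=medium, the same value as the 1.6.0-2 entry below it; if this upload is meant to be treated as a security fix, state the intended urgency explicitly rather than inheriting the previous one.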



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Sep 2014 07:42:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:10 2019; Machine Name: buxtehude
