Debian Bug report logs - #742059 nginx: CVE-2014-0133: SPDY heap buffer overflow
Reported by: Henri Salo <henri@nerv.fi>
Date: Tue, 18 Mar 2014 18:06:02 UTC
Severity: grave
Tags: fixed-upstream, security
Found in version nginx/1.4.6-1
Fixed in version nginx/1.4.7-1
Done: Christos Trochalakis <yatiohi@ideopolis.gr>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 18:06:06 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 18:06:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: nginx
Version: 1.4.6-1
Severity: grave
Tags: security, fixed-upstream
http://nginx.org/en/security_advisories.html
http://nginx.org/download/patch.2014.spdy2.txt
Not vulnerable: 1.5.12+, 1.4.7+
Vulnerable: 1.3.15-1.5.11
---
Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 20:18:04 GMT)
Acknowledgement sent to yatiohi@ideopolis.gr: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 20:18:04 GMT)
Message #10 received at submit@bugs.debian.org:
Hello Henri,
On Tue, Mar 18, 2014 at 08:02:25PM +0200, Henri Salo wrote:
>Source: nginx
>Version: 1.4.6-1
>Severity: grave
>Tags: security, fixed-upstream
>
>http://nginx.org/en/security_advisories.html
>http://nginx.org/download/patch.2014.spdy2.txt
>
>Not vulnerable: 1.5.12+, 1.4.7+
>Vulnerable: 1.3.15-1.5.11
>
>---
>Henri Salo
Thank you for the quick bug report. We are not vulnerable, since nginx is
compiled with the --with-debug configure option. However, we will release
1.4.7-1 shortly to follow upstream and include a few module updates as well.
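As an added check that is not part of this bug log or of the Debian nginx packaging: the script below parses `nginx -V` output (constructed samples, not captured from real hosts) and applies the conditions recorded in this report, namely the affected range 1.3.15 through 1.5.11 with fixes in 1.4.7 and 1.5.12, and the exemption for builds configured with --with-debug. It additionally assumes, from the upstream advisory linked in the report, that the SPDY module (`--with-http_spdy_module`, not built by default) must be compiled in for a build to be in scope; the constants, function names and sample strings are all mine.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the bug report: 1.3.15 through 1.5.11.
VULN_LOW: Version = (1, 3, 15)
VULN_HIGH: Version = (1, 5, 11)
# First fixed release on each branch that received a fix (1.4.7, 1.5.12).
FIRST_FIXED = {(1, 4): (1, 4, 7), (1, 5): (1, 5, 12)}

# Configure flags that decide exposure. --with-debug is the exemption named in
# this bug log; requiring the SPDY module is an assumption taken from the
# upstream advisory linked in the report (SPDY is not compiled in by default).
SPDY_FLAG = "--with-http_spdy_module"
DEBUG_FLAG = "--with-debug"


@dataclass(frozen=True)
class Assessment:
    version: Version
    in_vulnerable_range: bool
    spdy_compiled: bool
    with_debug: bool

    @property
    def affected(self) -> bool:
        """All three conditions must hold for the build to be in scope."""
        return self.in_vulnerable_range and self.spdy_compiled and not self.with_debug


def parse_version(nginx_v: str) -> Version:
    """Extract (major, minor, patch) from the 'nginx version: nginx/x.y.z' line."""
    m = re.search(r"^nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v, re.M)
    if not m:
        raise ValueError("no 'nginx version:' line in input")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def configure_flags(nginx_v: str) -> set:
    """Return the set of --flag names found on the 'configure arguments:' line.

    shlex respects quoted values such as --with-cc-opt='-g -O2 ...', so words
    inside the quotes are not mistaken for separate configure flags. Any
    '=value' suffix is dropped; only the flag name matters for this check.
    """
    m = re.search(r"^configure arguments:(.*)$", nginx_v, re.M)
    if not m:
        return set()
    return {tok.split("=", 1)[0] for tok in shlex.split(m.group(1)) if tok.startswith("--")}


def in_vulnerable_range(v: Version) -> bool:
    """True if v lies in 1.3.15..1.5.11 and is below its branch's first fixed release."""
    if v < VULN_LOW or v > VULN_HIGH:
        return False
    fixed = FIRST_FIXED.get(v[:2])
    return fixed is None or v < fixed


def assess(nginx_v: str) -> Assessment:
    v = parse_version(nginx_v)
    flags = configure_flags(nginx_v)
    return Assessment(v, in_vulnerable_range(v), SPDY_FLAG in flags, DEBUG_FLAG in flags)


# Constructed sample outputs (not captured from real systems), in the shape
# that `nginx -V` prints: version line, build info, configure arguments.
SAMPLE_DEBIAN_1_4_6 = """nginx version: nginx/1.4.6
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4' --prefix=/usr/share/nginx --with-http_ssl_module --with-http_spdy_module --with-debug
"""
SAMPLE_UPSTREAM_1_4_6 = """nginx version: nginx/1.4.6
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_spdy_module
"""
SAMPLE_FIXED_1_4_7 = """nginx version: nginx/1.4.7
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_spdy_module
"""
SAMPLE_NO_SPDY_1_5_11 = """nginx version: nginx/1.5.11
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
"""

if __name__ == "__main__":
    samples = [("debian 1.4.6", SAMPLE_DEBIAN_1_4_6), ("upstream 1.4.6", SAMPLE_UPSTREAM_1_4_6),
               ("1.4.7", SAMPLE_FIXED_1_4_7), ("1.5.11 no spdy", SAMPLE_NO_SPDY_1_5_11)]
    for name, out in samples:
        a = assess(out)
        print(f"{name:16} version={'.'.join(map(str, a.version))} "
              f"spdy={a.spdy_compiled} debug={a.with_debug} affected={a.affected}")
```

On a real host, feed it the combined output of `nginx -V 2>&1` (nginx prints this information on stderr). The version test alone is not enough: the Debian 1.4.6-1 sample sits inside the affected range yet is reported as not affected because of --with-debug, which is exactly the maintainer's reasoning above, while an upstream build of the same version without that flag is.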
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 20:18:12 GMT)
Acknowledgement sent to yatiohi@ideopolis.gr: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 20:18:12 GMT)
Added tag(s) pending. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 18 Mar 2014 21:45:04 GMT)
Reply sent to Christos Trochalakis <yatiohi@ideopolis.gr>: You have taken responsibility. (Tue, 18 Mar 2014 21:45:39 GMT)
Notification sent to Henri Salo <henri@nerv.fi>: Bug acknowledged by developer. (Tue, 18 Mar 2014 21:45:39 GMT)
Message #22 received at 742059-close@bugs.debian.org:
Source: nginx
Source-Version: 1.4.7-1
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <yatiohi@ideopolis.gr> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 18 Mar 2014 22:03:47 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.4.7-1
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Christos Trochalakis <yatiohi@ideopolis.gr>
Description:
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
nginx-full - nginx web/proxy server (standard version)
nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
nginx-light - nginx web/proxy server (basic version)
nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
nginx-naxsi - nginx web/proxy server (version with naxsi)
nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 732251 742059
Changes:
nginx (1.4.7-1) unstable; urgency=medium
.
[ Christos Trochalakis ]
* New upstream release. (Closes: #742059)
+ Fixes potential arbitrary code execution (CVE-2014-0133)
Debian build was not vulnerable since it was compiled
with the --with-debug configure option.
* debian/modules/nginx-http-push:
+ Update to v0.711 (Closes: #732251)
* debian/modules/headers-more-nginx-module:
+ Update to v0.25, containing several bugfixes.
* debian/modules/nginx-echo:
+ Update to v0.51, containing several bugfixes.
* debian/modules/nginx-dav-ext-module:
+ Update to v0.0.3, containing some uri encoding fixes.
* debian/modules/ngx_http_substitutions_filter_module:
+ Update to v0.6.4, containing some enhancements.
* debian/modules/nginx-auth-pam:
+ Update to v1.3.
This version contains our downstream patch (See: #721702)
Checksums-Sha1:
4f9cf827d459aa2915af72c28aea541482b53730 2773 nginx_1.4.7-1.dsc
e13b5b23f9be908b69652b0c394a95e9029687e3 769153 nginx_1.4.7.orig.tar.gz
72bce3651c7e436fe758aa50a53ec3141cdc4fbb 867988 nginx_1.4.7-1.debian.tar.xz
ebe6f8634f1dd6f3bb89c885525e1ee3f960e663 68168 nginx_1.4.7-1_all.deb
9ebae887c8feb8261f7347b3108ee1cf879d1ae4 79380 nginx-doc_1.4.7-1_all.deb
7db9fc033adcb745c526cd87e8b91b0a19295430 80978 nginx-common_1.4.7-1_all.deb
a119a99d0c867ba9d3b07d1791252170b4265f33 310336 nginx-naxsi-ui_1.4.7-1_all.deb
0dfe44b0ee67040c70316042d3d0a928a9ff1116 406536 nginx-full_1.4.7-1_amd64.deb
cb86125375934d50fb8dead1df54b86bd3ea2e2f 3154358 nginx-full-dbg_1.4.7-1_amd64.deb
b7fce01952803a901e5a01a3da39a98f34592297 315150 nginx-light_1.4.7-1_amd64.deb
a9999fcda71815671f936951fe3222ac5b0d446b 2159764 nginx-light-dbg_1.4.7-1_amd64.deb
3e6e75af8f53c6d03d8f86c24a66cadffc67d5bf 560092 nginx-extras_1.4.7-1_amd64.deb
3ceb722e00216611655738bd3c21679804ffd59b 4850416 nginx-extras-dbg_1.4.7-1_amd64.deb
9dfe0e6d6aa2f39afe29d51baecdc11a98fc57bd 351072 nginx-naxsi_1.4.7-1_amd64.deb
f8e8ef8012eb92e429a1ed00dd7a85fa5082ae30 2303046 nginx-naxsi-dbg_1.4.7-1_amd64.deb
Checksums-Sha256:
9991a18e71622134b37d50366af02857468b7776ae727abca3c82e59ef178fc1 2773 nginx_1.4.7-1.dsc
23b8ff4a76817090678f91b0efbfcef59a93492f6612dc8370c44c1f1ce1b626 769153 nginx_1.4.7.orig.tar.gz
d392b6103e8f1c170b4a48ab0b9dc08dd0b1b2d25b04f24548e78511c3be5068 867988 nginx_1.4.7-1.debian.tar.xz
102ae7eefd5d350377f7f0869ac4faaf180b8b364afba5f4cad4ba7c8fe19e4f 68168 nginx_1.4.7-1_all.deb
c8728eb145f4a6992b865d354192f4cd448383530e07c788bc5d446f0c8eed75 79380 nginx-doc_1.4.7-1_all.deb
ed7c1f02ae4fe8245f46084ceccebd6c2beeb3b891ba6186f5c0d2710876a5cf 80978 nginx-common_1.4.7-1_all.deb
71a1add0e8b950f1e30a80b0de510b8b77f5c67926f79c3b70d2f20989d521da 310336 nginx-naxsi-ui_1.4.7-1_all.deb
ec761b87dddccb08f358081ff8d1042778b5dd0ae36c9f149cb98e829c5093a1 406536 nginx-full_1.4.7-1_amd64.deb
ed81fb4d8c290aa79bf80fcfa9b9434941ed2f7a5e6c80b7e88398ce84a36696 3154358 nginx-full-dbg_1.4.7-1_amd64.deb
a73753d5a2f4e146d0e4273d0d5a541928ab4f7d4fa5b4cd30da0494919a00d5 315150 nginx-light_1.4.7-1_amd64.deb
29c86a516033a07fa6e850bc6ef15cf0f0c792570e0b6a74d439def051e997d1 2159764 nginx-light-dbg_1.4.7-1_amd64.deb
193ebecb13a1edb35b7ffe8cef9297d6afa9fbc1947930a6a954c7fbec599a00 560092 nginx-extras_1.4.7-1_amd64.deb
98ecc7b4fcdc28f0161e295e5f055d76568527fb48ea5714e0afc88d6639a5c3 4850416 nginx-extras-dbg_1.4.7-1_amd64.deb
5eb63539d672123a53f0a906f2f849a8f1091355a66c76c4863ad7cd04cac43f 351072 nginx-naxsi_1.4.7-1_amd64.deb
4e86783d9102a8dcda15ced66d5a02d948f2bcb1e4b6aa3eec925ed3fa13ec4a 2303046 nginx-naxsi-dbg_1.4.7-1_amd64.deb
Files:
4451ec0ba1f1aac73b3adcd8da25c06b 2773 httpd optional nginx_1.4.7-1.dsc
aee151d298dcbfeb88b3f7dd3e7a4d17 769153 httpd optional nginx_1.4.7.orig.tar.gz
b59ea48f28019103c7e6c3e4034d5495 867988 httpd optional nginx_1.4.7-1.debian.tar.xz
4c6384bedd2533345f6c001809623745 68168 httpd optional nginx_1.4.7-1_all.deb
235daf15d707ee36f2f04acc0bb3f5a2 79380 doc optional nginx-doc_1.4.7-1_all.deb
ba62ecb56bf8a4a9cc6199ca4406e93f 80978 httpd optional nginx-common_1.4.7-1_all.deb
93fe6da54a3f02a5258457297af0dd74 310336 httpd extra nginx-naxsi-ui_1.4.7-1_all.deb
72053413eac8e4b12ff4d88802fa3748 406536 httpd optional nginx-full_1.4.7-1_amd64.deb
1156ec9ed874ef116deaab096dc3f42a 3154358 debug extra nginx-full-dbg_1.4.7-1_amd64.deb
6d72973305a5c9cfe029ca36a0aaab51 315150 httpd extra nginx-light_1.4.7-1_amd64.deb
8d2cd2d6f982a06a84b2b9cd169c0216 2159764 debug extra nginx-light-dbg_1.4.7-1_amd64.deb
6c2dca4631464cc9ed6793a85e84c8aa 560092 httpd extra nginx-extras_1.4.7-1_amd64.deb
1664b316771c5820259e3041d79116c9 4850416 debug extra nginx-extras-dbg_1.4.7-1_amd64.deb
69d3a441b6487a78b9500422980b1bff 351072 httpd extra nginx-naxsi_1.4.7-1_amd64.deb
feefa2caf1ff7513f19ae8cc5dc5e2ff 2303046 debug extra nginx-naxsi-dbg_1.4.7-1_amd64.deb
Message sent on to Henri Salo <henri@nerv.fi>: Bug#742059. (Tue, 18 Mar 2014 21:45:42 GMT)
Message #25 received at 742059-submitter@bugs.debian.org:
tag 742059 pending
thanks
Hello,
Bug #742059 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=1ed0224
---
commit 1ed0224979e9b1cc197f166eee486dfdce8b2534
Author: Christos Trochalakis <yatiohi@ideopolis.gr>
Date: Tue Mar 18 22:04:03 2014 +0200
Release 1.4.7-1, CVE-2014-0133
Release announcement:
http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
diff --git a/debian/changelog b/debian/changelog
index 4c66bd8..dbe62da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
-nginx (1.4.6-2) UNRELEASED; urgency=medium
+nginx (1.4.7-1) unstable; urgency=medium
[ Christos Trochalakis ]
+ * New upstream release. (Closes: #742059)
+ + Fixes pottential arbitrary code execution (CVE-2014-0133)
+ Debian build was not vulnerable since it was compiled
+ with the --with-debug configure option.
* debian/modules/nginx-http-push:
+ Update to v0.711 (Closes: #732251)
* debian/modules/headers-more-nginx-module:
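Review bot: the added line `+ + Fixes pottential arbitrary code execution (CVE-2014-0133)` misspells "potential"; debian/changelog text is shipped with the package and copied into the .changes file, so it should be corrected before upload. The two continuation lines recording that the Debian build was compiled with --with-debug and therefore not affected are the key fact for users reading this entry; consider also naming the affected upstream range (1.3.15-1.5.11) from the advisory so readers of the changelog can judge exposure without following the link.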
@@ -15,7 +19,7 @@ nginx (1.4.6-2) UNRELEASED; urgency=medium
+ Update to v1.3.
This version contains our downstream patch (See: #721702)
- -- Christos Trochalakis <yatiohi@ideopolis.gr> Thu, 13 Mar 2014 12:58:40 +0200
+ -- Christos Trochalakis <yatiohi@ideopolis.gr> Tue, 18 Mar 2014 22:03:47 +0200
nginx (1.4.6-1) unstable; urgency=medium
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 23:27:04 GMT)
Acknowledgement sent to James Cloos <cloos@jhcloos.com>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 23:27:04 GMT)
Message #30 received at 742059@bugs.debian.org:
>>>>> "y" == yatiohi <yatiohi@ideopolis.gr> writes:
y> we are not vulnerable since nginx is compiled with the --with-debug
y> configure option.
Does that also apply to 1.5.11 in experimental?
y> Although, we will release 1.4.7-1 shortly to follow
y> upstream and include a few module updates as well.
Updating experimental to 1.5.12 is welcome in either case.
Thanks!
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>: Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 23:39:04 GMT)
Acknowledgement sent to Thomas Ward <teward@ubuntu.com>: Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 23:39:05 GMT)
Message #35 received at 742059@bugs.debian.org:
Assuming it follows similar build rules in its Debian packaging in
Experimental, then I'm assuming it also is covered.
On Tue, Mar 18, 2014 at 7:06 PM, James Cloos <cloos@jhcloos.com> wrote:
>>>>>> "y" == yatiohi <yatiohi@ideopolis.gr> writes:
>
> y> we are not vulnerable since nginx is compiled with the --with-debug
> y> configure option.
>
> Does that also apply to 1.5.11 in experimental?
>
> y> Although, we will release 1.4.7-1 shortly to follow
> y> upstream and include a few module updates as well.
>
> Updating experimental to 1.5.12 is welcome in either case.
>
> Thanks!
>
> -JimC
> --
> James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
>
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Apr 2014 07:29:49 GMT)
Last modified: Wed Jun 19 16:46:10 2019