nginx: CVE-2014-0133: SPDY heap buffer overflow

Related Vulnerabilities: CVE-2014-0133  

Debian Bug report logs - #742059

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 18 Mar 2014 18:06:02 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version nginx/1.4.6-1

Fixed in version nginx/1.4.7-1

Done: Christos Trochalakis <yatiohi@ideopolis.gr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 18:06:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 18:06:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: nginx: CVE-2014-0133: SPDY heap buffer overflow
Date: Tue, 18 Mar 2014 20:02:25 +0200
Source: nginx
Version: 1.4.6-1
Severity: grave
Tags: security, fixed-upstream

http://nginx.org/en/security_advisories.html
http://nginx.org/download/patch.2014.spdy2.txt

Not vulnerable: 1.5.12+, 1.4.7+
Vulnerable: 1.3.15-1.5.11

---
Henri Salo

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 20:18:04 GMT)


Acknowledgement sent to yatiohi@ideopolis.gr:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 20:18:04 GMT)


Message #10 received at submit@bugs.debian.org:

From: yatiohi@ideopolis.gr
To: Henri Salo <henri@nerv.fi>, 742059@bugs.debian.org
Cc: submit@bugs.debian.org
Subject: Re: Bug#742059: nginx: CVE-2014-0133: SPDY heap buffer overflow
Date: Tue, 18 Mar 2014 22:16:11 +0200
Hello Henri,

On Tue, Mar 18, 2014 at 08:02:25PM +0200, Henri Salo wrote:
>Source: nginx
>Version: 1.4.6-1
>Severity: grave
>Tags: security, fixed-upstream
>
>http://nginx.org/en/security_advisories.html
>http://nginx.org/download/patch.2014.spdy2.txt
>
>Not vulnerable: 1.5.12+, 1.4.7+
>Vulnerable: 1.3.15-1.5.11
>
>---
>Henri Salo

Thank you for the quick bug report,

we are not vulnerable since nginx is compiled with the --with-debug
configure option. Although, we will release 1.4.7-1 shortly to follow
upstream and include a few module updates as well.




Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 20:18:12 GMT)


Acknowledgement sent to yatiohi@ideopolis.gr:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 20:18:12 GMT)


Added tag(s) pending. Request was from Christos Trochalakis <yatiohi@ideopolis.gr> to control@bugs.debian.org. (Tue, 18 Mar 2014 21:45:04 GMT)


Reply sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
You have taken responsibility. (Tue, 18 Mar 2014 21:45:39 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 18 Mar 2014 21:45:39 GMT)


Message #22 received at 742059-close@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 742059-close@bugs.debian.org
Subject: Bug#742059: fixed in nginx 1.4.7-1
Date: Tue, 18 Mar 2014 21:41:54 +0000
Source: nginx
Source-Version: 1.4.7-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742059@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <yatiohi@ideopolis.gr> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 18 Mar 2014 22:03:47 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.4.7-1
Distribution: unstable
Urgency: medium
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Christos Trochalakis <yatiohi@ideopolis.gr>
Description: 
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 732251 742059
Changes: 
 nginx (1.4.7-1) unstable; urgency=medium
 .
   [ Christos Trochalakis ]
   * New upstream release. (Closes: #742059)
     + Fixes pottential arbitrary code execution (CVE-2014-0133)
       Debian build was not vulnerable since it was compiled
       with the --with-debug configure option.
   * debian/modules/nginx-http-push:
     + Update to v0.711 (Closes: #732251)
   * debian/modules/headers-more-nginx-module:
     + Update to v0.25, containing several bugfixes.
   * debian/modules/nginx-echo:
     + Update to v0.51, containing several bugfixes.
   * debian/modules/nginx-dav-ext-module:
     + Update to v0.0.3, containing some uri encoding fixes.
   * debian/modules/ngx_http_substitutions_filter_module:
     + Update to v0.6.4, containing some enhancements.
   * debian/modules/nginx-auth-pam:
     + Update to v1.3.
       This version contains our downstream patch (See: #721702)




Message sent on to Henri Salo <henri@nerv.fi>:
Bug#742059. (Tue, 18 Mar 2014 21:45:42 GMT)


Message #25 received at 742059-submitter@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: 742059-submitter@bugs.debian.org
Subject: Bug#742059 marked as pending
Date: Tue, 18 Mar 2014 21:44:23 +0000
tag 742059 pending
thanks

Hello,

Bug #742059 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=collab-maint/nginx.git;a=commitdiff;h=1ed0224

---
commit 1ed0224979e9b1cc197f166eee486dfdce8b2534
Author: Christos Trochalakis <yatiohi@ideopolis.gr>
Date:   Tue Mar 18 22:04:03 2014 +0200

    Release 1.4.7-1, CVE-2014-0133
    
    Release announcement:
    http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html

diff --git a/debian/changelog b/debian/changelog
index 4c66bd8..dbe62da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
-nginx (1.4.6-2) UNRELEASED; urgency=medium
+nginx (1.4.7-1) unstable; urgency=medium
 
   [ Christos Trochalakis ]
+  * New upstream release. (Closes: #742059)
+    + Fixes pottential arbitrary code execution (CVE-2014-0133)
+      Debian build was not vulnerable since it was compiled
+      with the --with-debug configure option.
   * debian/modules/nginx-http-push:
     + Update to v0.711 (Closes: #732251)
   * debian/modules/headers-more-nginx-module:
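Review bot: the added line `+    + Fixes pottential arbitrary code execution (CVE-2014-0133)` misspells "potential", and the two lines under it assert that the Debian build was not vulnerable because of --with-debug without saying where that comes from. Fix the spelling and add a pointer in the entry itself, for example the release announcement URL that the commit message already carries, so that someone reading only debian/changelog can check the claim.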
@@ -15,7 +19,7 @@ nginx (1.4.6-2) UNRELEASED; urgency=medium
     + Update to v1.3.
       This version contains our downstream patch (See: #721702)
 
- -- Christos Trochalakis <yatiohi@ideopolis.gr>  Thu, 13 Mar 2014 12:58:40 +0200
+ -- Christos Trochalakis <yatiohi@ideopolis.gr>  Tue, 18 Mar 2014 22:03:47 +0200
 
 nginx (1.4.6-1) unstable; urgency=medium
 



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 23:27:04 GMT)


Acknowledgement sent to James Cloos <cloos@jhcloos.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 23:27:04 GMT)


Message #30 received at 742059@bugs.debian.org:

From: James Cloos <cloos@jhcloos.com>
To: 742059@bugs.debian.org
Cc: yatiohi@ideopolis.gr, Henri Salo <henri@nerv.fi>
Subject: Re: Bug#742059: nginx: CVE-2014-0133: SPDY heap buffer overflow
Date: Tue, 18 Mar 2014 19:06:39 -0400
>>>>> "y" == yatiohi  <yatiohi@ideopolis.gr> writes:

y> we are not vulnerable since nginx is compiled with the --with-debug
y> configure option.

Does that also apply to 1.5.11 in experimental?

y> Although, we will release 1.4.7-1 shortly to follow
y> upstream and include a few module updates as well.

Updating experimental to 1.5.12 is welcome in either case.

Thanks!

-JimC
--
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6



Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#742059; Package src:nginx. (Tue, 18 Mar 2014 23:39:04 GMT)


Acknowledgement sent to Thomas Ward <teward@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Tue, 18 Mar 2014 23:39:05 GMT)


Message #35 received at 742059@bugs.debian.org:

From: Thomas Ward <teward@ubuntu.com>
To: James Cloos <cloos@jhcloos.com>, 742059@bugs.debian.org
Cc: Christos Trochalakis <yatiohi@ideopolis.gr>, Henri Salo <henri@nerv.fi>
Subject: Re: Bug#742059: nginx: CVE-2014-0133: SPDY heap buffer overflow
Date: Tue, 18 Mar 2014 19:36:18 -0400
Assuming it follows similar build rules in its Debian packaging in
Experimental, then I'm assuming it also is covered.

On Tue, Mar 18, 2014 at 7:06 PM, James Cloos <cloos@jhcloos.com> wrote:
>>>>>> "y" == yatiohi  <yatiohi@ideopolis.gr> writes:
>
> y> we are not vulnerable since nginx is compiled with the --with-debug
> y> configure option.
>
> Does that also apply to 1.5.11 in experimental?
>
> y> Although, we will release 1.4.7-1 shortly to follow
> y> upstream and include a few module updates as well.
>
> Updating experimental to 1.5.12 is welcome in either case.
>
> Thanks!
>
> -JimC
> --
> James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
>
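
Added example, not part of any message in this bug log: the question of whether a given build is covered can be answered from `nginx -V` output by checking the version range and the `--with-debug` flag quoted in the thread. The function names, status words and sample outputs are constructed for illustration, and the `--with-http_spdy_module` check is an assumption that goes beyond what the thread states.

```bash
#!/bin/sh
# Added example (not from the bug log): triage `nginx -V` output for CVE-2014-0133.
# Usage on a live host: classify_nginx "$(nginx -V 2>&1)"

# ver_num 1.4.6 -> 1004006, an integer that sorts like the dotted version.
ver_num() {
    local IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Prints one status word for the given `nginx -V` text.
classify_nginx() {
    local out ver n args
    out=$1
    ver=$(printf '%s\n' "$out" |
          sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    n=$(ver_num "$ver")
    # Range from the report: vulnerable 1.3.15-1.5.11, fixed in 1.4.7+ and 1.5.12+.
    if [ "$n" -lt "$(ver_num 1.3.15)" ] || [ "$n" -ge "$(ver_num 1.5.12)" ] ||
       { [ "$n" -ge "$(ver_num 1.4.7)" ] && [ "$n" -lt "$(ver_num 1.5.0)" ]; }; then
        echo version-not-affected; return 0
    fi
    args=$(printf '%s\n' "$out" | sed -n 's|^configure arguments: ||p' | head -n 1)
    # The maintainer's stated reason the Debian build was unaffected.
    case " $args " in *" --with-debug "*) echo in-range-debug-build; return 0 ;; esac
    # Assumption beyond the page: SPDY is only compiled in when this flag was given.
    case " $args " in
        *" --with-http_spdy_module "*) echo in-range-exposed ;;
        *) echo in-range-no-spdy ;;
    esac
}

# Constructed samples, not captured from real hosts.
SAMPLE_DEBIAN='nginx version: nginx/1.4.6
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-debug --with-http_spdy_module'
SAMPLE_PLAIN='nginx version: nginx/1.5.11
configure arguments: --with-http_ssl_module --with-http_spdy_module'
SAMPLE_FIXED='nginx version: nginx/1.4.7
configure arguments: --with-http_ssl_module --with-http_spdy_module'

for s in "$SAMPLE_DEBIAN" "$SAMPLE_PLAIN" "$SAMPLE_FIXED"; do
    classify_nginx "$s"
done
```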



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Apr 2014 07:29:49 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:46:10 2019; Machine Name: beach
