Your message dated Wed, 27 Jan 2016 10:26:31 +0000
with message-id <[email protected]>
and subject line Bug#812806: fixed in nginx 0.7.67-3+squeeze4+deb6u1
has caused the Debian Bug report #812806,
regarding nginx: resolver CVEs: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
812806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Severity: important
Tags: security upstream

Several problems in nginx resolver were identified, which might
allow an attacker to cause worker process crash, or might have
potential other impact:

- Invalid pointer dereference might occur during DNS server response
 processing, allowing an attacker who is able to forge UDP
 packets from the DNS server to cause worker process crash
 (CVE-2016-0742).

- Use-after-free condition might occur during CNAME response
 processing.  This problem allows an attacker who is able to trigger
 name resolution to cause worker process crash, or might
 have potential other impact (CVE-2016-0746).

- CNAME resolution was insufficiently limited, allowing an attacker who
 is able to trigger arbitrary name resolution to cause excessive resource
 consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html

--- End Message ---
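The exposure condition stated in the report above (upstream nginx 0.6.18 - 1.9.9, fixed in 1.8.1 and 1.9.10, and only when a "resolver" directive is configured) can be checked as follows. This is an added example, not part of the original thread or of nginx or Debian tooling. The function names and the sample configuration are constructed, and the configuration text is assumed to be the concatenated contents of all included files.

```python
import re

# Upstream ranges taken from the advisory text: affected 0.6.18 - 1.9.9,
# fixed in 1.8.1 (stable branch) and 1.9.10 (mainline branch).
FIRST_AFFECTED = (0, 6, 18)
FIXED_STABLE = (1, 8, 1)
MAINLINE_START = (1, 9, 0)
FIXED_MAINLINE = (1, 9, 10)

# Constructed sample configuration (documentation-range addresses).
SAMPLE_CONF = """\
http {
    # resolver 192.0.2.1;
    resolver_timeout 5s;
    server { resolver 192.0.2.53 valid=30s; }
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from a version banner or bare version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def upstream_affected(version):
    """True if an unpatched upstream build of this version is in range."""
    if version < FIRST_AFFECTED:
        return False
    if version < FIXED_STABLE:
        return True
    return MAINLINE_START <= version < FIXED_MAINLINE

def resolver_directives(config_text):
    """Return (line_no, directive) for each active `resolver` directive."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop comments (naive: ignores quoting)
        for stmt in code.split(";"):
            # A directive may follow a block opener: "server { resolver ..."
            stmt = re.split(r"[{}]", stmt)[-1].strip()
            if re.match(r"resolver\s+\S", stmt):  # not resolver_timeout
                hits.append((no, stmt))
    return hits

def exposed(banner, config_text):
    """Both conditions from the advisory: version in range and resolver used."""
    return upstream_affected(parse_version(banner)) and bool(resolver_directives(config_text))
```

A distribution backport keeps the old upstream version number, so a package such as 0.7.67-3+squeeze4+deb6u1 still matches the upstream range. Check the package changelog for which CVEs it addresses; the upload in this thread lists only CVE-2016-0742.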
--- Begin Message ---
Source: nginx
Source-Version: 0.7.67-3+squeeze4+deb6u1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lamb <[email protected]> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Jan 2016 09:58:15 +0100
Source: nginx
Binary: nginx nginx-dbg
Architecture: source amd64
Version: 0.7.67-3+squeeze4+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: Jose Parrella <[email protected]>
Changed-By: Chris Lamb <[email protected]>
Description: 
 nginx      - small, but very powerful and efficient web server and mail proxy
 nginx-dbg  - Debugging symbols for nginx
Closes: 812806
Changes: 
 nginx (0.7.67-3+squeeze4+deb6u1) squeeze-lts; urgency=high
 .
   * CVE-2016-0742: Invalid pointer dereference might occur during DNS server
     response processing, allowing an attacker who is able to forge UDP packets
     from the DNS server to cause worker process crash. (Closes: #812806)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
