Your message dated Sat, 13 Feb 2016 21:47:46 +0000
with message-id <[email protected]>
and subject line Bug#812806: fixed in nginx 1.2.1-2.2+wheezy4
has caused the Debian Bug report #812806,
regarding nginx: resolver CVEs: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
812806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Severity: important
Tags: security upstream
Several problems in nginx resolver were identified, which might
allow an attacker to cause worker process crash, or might have
potential other impact:

- Invalid pointer dereference might occur during DNS server response
  processing, allowing an attacker who is able to forge UDP
  packets from the DNS server to cause worker process crash
  (CVE-2016-0742).

- Use-after-free condition might occur during CNAME response
  processing. This problem allows an attacker who is able to trigger
  name resolution to cause worker process crash, or might
  have potential other impact (CVE-2016-0746).

- CNAME resolution was insufficiently limited, allowing an attacker who
  is able to trigger arbitrary name resolution to cause excessive resource
  consumption in worker processes (CVE-2016-0747).

The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.

The problems are fixed in nginx 1.9.10, 1.8.1.

http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.2.1-2.2+wheezy4
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 28 Jan 2016 13:42:29 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light
nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg
nginx-naxsi-ui
Architecture: source all amd64
Version: 1.2.1-2.2+wheezy4
Distribution: wheezy-security
Urgency: high
Maintainer: Kartik Mistry <[email protected]>
Changed-By: Christos Trochalakis <[email protected]>
Description:
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
nginx-full - nginx web/proxy server (standard version)
nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
nginx-light - nginx web/proxy server (basic version)
nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
nginx-naxsi - nginx web/proxy server (version with naxsi)
nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 812806
Changes:
nginx (1.2.1-2.2+wheezy4) wheezy-security; urgency=high
.
[ Christos Trochalakis ]
* Fixes multiple resolver CVEs,
CVE-2016-0742, CVE-2016-0746, CVE-2016-0747
Closes: #812806
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
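
The two conditions in the advisory above (a version in 0.6.18 - 1.9.9 and a "resolver" directive in use), together with the wheezy backport 1.2.1-2.2+wheezy4 announced in the second message, expressed as a triage check. This is an added example, not part of the original messages and not nginx or Debian tooling; the function names, the sample configuration and the simplified version parsing (numeric upstream versions only, no full Debian version ordering) are assumptions.

```python
import re

# Range and fixed releases as stated in the advisory quoted above.
FIRST_AFFECTED, LAST_AFFECTED = (0, 6, 18), (1, 9, 9)
FIXED_UPSTREAM = {(1, 8): (1, 8, 1), (1, 9): (1, 9, 10)}
# Backported fix named on this page (wheezy-security upload).
WHEEZY_REV = re.compile(r"^1\.2\.1-2\.2\+wheezy(\d+)$")
WHEEZY_FIXED_REV = 4

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """
http {
    # resolver 192.0.2.1;      (commented out, must not count)
    resolver_timeout 5s;
    server {
        resolver 192.0.2.53 valid=30s;
    }
}
"""

def uses_resolver(config_text):
    """True if an active 'resolver' directive appears in the config text."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]           # drop trailing comments
        # Whitespace must follow the name, so resolver_timeout is ignored.
        if re.search(r"(?:^|[;{}\s])resolver\s+\S", code):
            return True
    return False

def upstream_affected(version):
    """Apply the advisory's range, excluding the fixed 1.8.x/1.9.x releases."""
    v = tuple(int(p) for p in version.split("."))
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return False
    fixed = FIXED_UPSTREAM.get(v[:2])
    return fixed is None or v < fixed

def package_affected(pkg_version):
    """Debian package version check that honours the wheezy backport."""
    m = WHEEZY_REV.match(pkg_version)
    if m:
        return int(m.group(1)) < WHEEZY_FIXED_REV
    upstream = re.split(r"[-+~]", pkg_version.split(":", 1)[-1], maxsplit=1)[0]
    return upstream_affected(upstream)

def exposed(pkg_version, config_text):
    """Both advisory conditions: vulnerable build and resolver in use."""
    return package_affected(pkg_version) and uses_resolver(config_text)
```

A plain range comparison on the upstream version would flag both 1.8.1 and the patched wheezy package, which is why the fixed releases are handled explicitly.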