[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Changed in: nginx (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Bug watch added: Debian Bug tracker #812806 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806 ** Also affects: nginx (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
This bug was fixed in the package nginx - 1.9.3-1ubuntu1.1 --- nginx (1.9.3-1ubuntu1.1) wily-security; urgency=medium * SECURITY UPDATE: multiple resolver security issues (LP: #1538165) - debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault on DNS format error. - debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler. - debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for several requests. - debian/patches/CVE-2016-074x-4.patch: change the ngx_resolver_create_*_query() arguments. - debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory accesses with CNAME. - debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion. - CVE-2016-0742 - CVE-2016-0743 - CVE-2016-0744 -- Marc Deslauriers Wed, 03 Feb 2016 08:38:22 -0500 ** Changed in: nginx (Ubuntu Wily) Status: Confirmed => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-0743 ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-0744 ** Changed in: nginx (Ubuntu Trusty) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
This bug was fixed in the package nginx - 1.4.6-1ubuntu3.4 --- nginx (1.4.6-1ubuntu3.4) trusty-security; urgency=medium * SECURITY UPDATE: multiple resolver security issues (LP: #1538165) - debian/patches/CVE-2016-074x-1.patch: fix possible segmentation fault on DNS format error. - debian/patches/CVE-2016-074x-2.patch: fix crashes in timeout handler. - debian/patches/CVE-2016-074x-3.patch: fixed CNAME processing for several requests. - debian/patches/CVE-2016-074x-4.patch: change the ngx_resolver_create_*_query() arguments. - debian/patches/CVE-2016-074x-5.patch: fix use-after-free memory accesses with CNAME. - debian/patches/CVE-2016-074x-6.patch: limited CNAME recursion. - CVE-2016-0742 - CVE-2016-0743 - CVE-2016-0744 -- Marc Deslauriers Wed, 03 Feb 2016 09:12:00 -0500 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
As Vivid reaches End of Life tomorrow, and that provides insufficient time for a fix to be produced for that version of the package, we are marking this as "Won't Fix" on Vivid. ** Changed in: nginx (Ubuntu Vivid) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
The following are upstream changeset links, in order of application: 1.9.x: http://hg.nginx.org/nginx/rev/81d44cd4044e http://hg.nginx.org/nginx/rev/7316c57e4fe7 http://hg.nginx.org/nginx/rev/978e79b95c9f http://hg.nginx.org/nginx/rev/a5767988c022 http://hg.nginx.org/nginx/rev/497d0cff8ace http://hg.nginx.org/nginx/rev/ff9b32c0e141 1.8.x: http://hg.nginx.org/nginx/rev/c36482d0a79f http://hg.nginx.org/nginx/rev/f63dd04c1580 http://hg.nginx.org/nginx/rev/838946300825 http://hg.nginx.org/nginx/rev/5557bf31e25d -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
The following are upstream changeset links, in order of application: 1.9.x: http://hg.nginx.org/nginx/rev/81d44cd4044e http://hg.nginx.org/nginx/rev/7316c57e4fe7 http://hg.nginx.org/nginx/rev/978e79b95c9f http://hg.nginx.org/nginx/rev/a5767988c022 http://hg.nginx.org/nginx/rev/497d0cff8ace http://hg.nginx.org/nginx/rev/ff9b32c0e141 1.8.x: http://hg.nginx.org/nginx/rev/c36482d0a79f http://hg.nginx.org/nginx/rev/f63dd04c1580 http://hg.nginx.org/nginx/rev/838946300825 http://hg.nginx.org/nginx/rev/5557bf31e25d http://hg.nginx.org/nginx/rev/dac6eda40475 http://hg.nginx.org/nginx/rev/93d70d87914c -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Changed in: nginx (Ubuntu Wily) Assignee: Thomas Ward (teward) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Changed in: nginx (Ubuntu Vivid) Assignee: Thomas Ward (teward) => (unassigned) ** Changed in: nginx (Ubuntu Trusty) Assignee: Thomas Ward (teward) => (unassigned) ** Changed in: nginx (Ubuntu Precise) Assignee: Thomas Ward (teward) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
This bug was fixed in the package nginx - 1.9.10-0ubuntu1 --- nginx (1.9.10-0ubuntu1) xenial; urgency=medium * New upstream release. * debian/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch * Security content of this upload addresses the following vulnerabilities and CVE-numbered Security issues: (LP: #1538165) - Invalid pointer dereference might occur during DNS server response processing, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash (CVE-2016-0742). - Use-after-free condition might occur during CNAME response processing. This problem allows an attacker who is able to trigger name resolution to cause worker process crash, or might have potential other impact (CVE-2016-0746). - CNAME resolution was insufficiently limited, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747). -- Thomas Ward Tue, 26 Jan 2016 14:53:01 -0500 ** Changed in: nginx (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
An upload of NGINX 1.9.10 has been done for Xenial, and is now building; marking Fix Committed for Xenial. ** Changed in: nginx (Ubuntu Xenial) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
Importance reset to Medium per Ubuntu Security Team stating the CVEs would be Medium level. (Bug importance set to match) ** Changed in: nginx (Ubuntu Precise) Importance: High => Medium ** Changed in: nginx (Ubuntu Trusty) Importance: High => Medium ** Changed in: nginx (Ubuntu Vivid) Importance: High => Medium ** Changed in: nginx (Ubuntu Wily) Importance: High => Medium ** Changed in: nginx (Ubuntu Xenial) Importance: High => Medium -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Tags added: trusty ** Tags added: precise ** Changed in: nginx (Ubuntu Precise) Importance: Undecided => High ** Changed in: nginx (Ubuntu Trusty) Importance: Undecided => High ** Changed in: nginx (Ubuntu Vivid) Importance: Undecided => High ** Changed in: nginx (Ubuntu Wily) Importance: Undecided => High ** Changed in: nginx (Ubuntu Xenial) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
Debian actually was faster, and uploaded 1.9.10 today. As soon as that is available, I will merge it into Xenial. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Description changed: This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially. There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx- - announce mailing list: + announce mailing list + (http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html): - Invalid pointer dereference might occur during DNS server response - processing, allowing an attacker who is able to forge UDP - packets from the DNS server to cause worker process crash - (CVE-2016-0742). + processing, allowing an attacker who is able to forge UDP + packets from the DNS server to cause worker process crash + (CVE-2016-0742). - Use-after-free condition might occur during CNAME response - processing. This problem allows an attacker who is able to trigger - name resolution to cause worker process crash, or might - have potential other impact (CVE-2016-0746). + processing. This problem allows an attacker who is able to trigger + name resolution to cause worker process crash, or might + have potential other impact (CVE-2016-0746). - CNAME resolution was insufficiently limited, allowing an attacker who - is able to trigger arbitrary name resolution to cause excessive resource - consumption in worker processes (CVE-2016-0747). + is able to trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive is used in a configuration file. The problems are fixed in nginx 1.9.10, 1.8.1. -- As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17 of which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here. Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories. Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however. Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and may need re-engineered to apply to those code bases, given the age of those versions of nginx. + + -- + + This is tracked in Debian as Debian Bug 812806: + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x
** Description changed: - This is listed as a Private Security bug as it contains some security - content, but does not contain specifics due to Upstream not releasing - them, and also at Upstream's request to keep notifications about issues - not yet known to the public quiet. + This is listed as a Public Security bug as the CVEs and fixes have been + announced by NGINX Upstream officially. - It was told to me from NGINX Upstream by Andrew Hutchings (the Technical - Product Manager at NGINX Inc, the company behind the nginx web server) - that there is an update releasing for NGINX that addresses some security - issues, with CVE information to be made available once the release is - made. The releases containing fixes for these issues are 1.8.1 for the - Stable branch, and 1.9.10 for the Mainline branch. + There are 3 CVEs impacting all versions of NGINX in Ubuntu. The + following is taken from the upstream security announcement on the nginx- + announce mailing list: - These issues are NOT yet available for me to review, and therefore - security content of these issues remains secret to me. + - Invalid pointer dereference might occur during DNS server response + processing, allowing an attacker who is able to forge UDP + packets from the DNS server to cause worker process crash + (CVE-2016-0742). - This bug here is made as a tracker for pending state on this, as well as - to have the information stored for the issues affecting NGINX in Ubuntu. + - Use-after-free condition might occur during CNAME response + processing. This problem allows an attacker who is able to trigger + name resolution to cause worker process crash, or might + have potential other impact (CVE-2016-0746). - Without specific details, I can say with some certainty that NGINX 1.9.0 - and later are affected, which means Wily and Xenial are both affected. - Once more data is available, CVEs will be added here as well as other - information related to these CVEs, and we can determine what needs to be - fixed where after that information is available. + - CNAME resolution was insufficiently limited, allowing an attacker who + is able to trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). - I am assigning myself currently to track this, as the NGINX release is - expected today (January 26, 2016) at some time according to Andrew, and - that release will have details available there as well as fixes. + The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive + is used in a configuration file. + + The problems are fixed in nginx 1.9.10, 1.8.1. + + -- + + As stated prior, all versions of Ubuntu have an affected version of + nginx. There are many commits done by upstream to fix these issues. + There are at least 17 of which will need to be examined; as I examine + the commits in the upstream commit logs, I will provide links to each + commit here. + + Xenial will very quickly get a fix, after I push an upload containing + nginx 1.9.10 to the repositories. + + Wily, having nginx 1.9.3, may be more receptive to patching without any + type of changing of the patch to match code changes. This remains to be + determined however. + + Older versions of Ubuntu, Vivid and earlier, are likely less receptive + to the patches, and may need re-engineered to apply to those code bases, + given the age of those versions of nginx. ** Information type changed from Private Security to Public Security ** Changed in: nginx (Ubuntu Xenial) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to nginx in Ubuntu. https://bugs.launchpad.net/bugs/1538165 Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs