** Description changed: This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially. There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx- - announce mailing list: + announce mailing list + (http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html): - Invalid pointer dereference might occur during DNS server response - processing, allowing an attacker who is able to forge UDP - packets from the DNS server to cause worker process crash - (CVE-2016-0742). + processing, allowing an attacker who is able to forge UDP + packets from the DNS server to cause worker process crash + (CVE-2016-0742). - Use-after-free condition might occur during CNAME response - processing. This problem allows an attacker who is able to trigger - name resolution to cause worker process crash, or might - have potential other impact (CVE-2016-0746). + processing. This problem allows an attacker who is able to trigger + name resolution to cause worker process crash, or might + have potential other impact (CVE-2016-0746). - CNAME resolution was insufficiently limited, allowing an attacker who - is able to trigger arbitrary name resolution to cause excessive resource - consumption in worker processes (CVE-2016-0747). + is able to trigger arbitrary name resolution to cause excessive resource + consumption in worker processes (CVE-2016-0747). The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive is used in a configuration file. The problems are fixed in nginx 1.9.10, 1.8.1. ------ As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17 of which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here. 
Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories. Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however. Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and may need re-engineered to apply to those code bases, given the age of those versions of nginx. + + ------ + + This is tracked in Debian as Debian Bug 812806: + https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806
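Review bot: the link added in the first changed hunk points at the general nginx list archive (`pipermail/nginx/2016-January/049700.html`), while the sentence it is attached to still names the nginx-announce mailing list. Either link the nginx-announce archive copy or reword the sentence to name the list actually linked. The description also says "I will provide links to each commit here", but this revision adds none; listing them as they are identified would let the Wily and the Vivid-and-earlier backports be tracked from the bug itself.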
https://bugs.launchpad.net/bugs/1538165

Title: Security Issues Impacting NGINX: 1.8.x, 1.9.x
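An exposure check built from the conditions quoted in the announcement (affected 0.6.18 - 1.9.9, fixed in 1.9.10 and 1.8.1, only when the "resolver" directive is configured). This is an added example, not code from the bug report or from nginx; the function names and the sample configuration are constructed for illustration.

```python
import re

AFFECTED_MIN = (0, 6, 18)   # first affected release per the announcement
AFFECTED_MAX = (1, 9, 9)    # last affected release per the announcement
FIXED_STABLE = (1, 8, 1)    # fixed stable release, numerically inside the range

# Constructed sample configuration (192.0.2.0/24 is a documentation range).
SAMPLE_CONF = """\
http {
    # resolver 192.0.2.1;
    resolver 192.0.2.53 valid=30s;
    resolver_timeout 5s;
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_affected(v):
    """True if an upstream version tuple falls in the announced affected set.
    Distribution packages with backported fixes keep their old version
    number, so for those the package changelog decides, not this check."""
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return False
    # 1.8.1 lies between 0.6.18 and 1.9.9 but carries the fixes.
    if v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE:
        return False
    return True

def resolver_directives(conf_text):
    """Return (line_no, text) for each active single-line `resolver` directive.
    Comments are stripped naively at '#'; `resolver_timeout` is not a match."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if re.search(r"(^|[;{\s])resolver\s+[^;]+;", code):
            hits.append((n, code.strip()))
    return hits

def exposed(banner, conf_text):
    """Both conditions from the announcement must hold."""
    return version_affected(parse_version(banner)) and bool(resolver_directives(conf_text))
```

Pass it the `nginx -v` banner and the full configuration text, including any included files.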