Activity log for bug #1098654

Date Who What changed Old value New value Message
2013-01-11 17:26:24 Thomas Ward bug added bug
2013-01-11 17:26:46 Thomas Ward cve linked 2011-4968
2013-01-11 17:39:25 Marc Deslauriers nominated for series Ubuntu Lucid
2013-01-11 17:39:25 Marc Deslauriers bug task added nginx (Ubuntu Lucid)
2013-01-11 17:39:25 Marc Deslauriers nominated for series Ubuntu Oneiric
2013-01-11 17:39:25 Marc Deslauriers bug task added nginx (Ubuntu Oneiric)
2013-01-11 17:39:25 Marc Deslauriers nominated for series Ubuntu Precise
2013-01-11 17:39:25 Marc Deslauriers bug task added nginx (Ubuntu Precise)
2013-01-11 17:39:25 Marc Deslauriers nominated for series Ubuntu Raring
2013-01-11 17:39:25 Marc Deslauriers bug task added nginx (Ubuntu Raring)
2013-01-11 17:39:25 Marc Deslauriers nominated for series Ubuntu Quantal
2013-01-11 17:39:25 Marc Deslauriers bug task added nginx (Ubuntu Quantal)
2013-01-11 17:39:35 Marc Deslauriers nginx (Ubuntu Lucid): status New Confirmed
2013-01-11 17:39:37 Marc Deslauriers nginx (Ubuntu Oneiric): status New Confirmed
2013-01-11 17:39:39 Marc Deslauriers nginx (Ubuntu Precise): status New Confirmed
2013-01-11 17:39:41 Marc Deslauriers nginx (Ubuntu Quantal): status New Confirmed
2013-01-11 17:39:43 Marc Deslauriers nginx (Ubuntu Raring): status New Confirmed
2013-01-11 17:39:46 Marc Deslauriers nginx (Ubuntu Lucid): importance Undecided Low
2013-01-11 17:39:48 Marc Deslauriers nginx (Ubuntu Oneiric): importance Undecided Low
2013-01-11 17:39:50 Marc Deslauriers nginx (Ubuntu Precise): importance Undecided Low
2013-01-11 17:39:52 Marc Deslauriers nginx (Ubuntu Quantal): importance Undecided Low
2013-01-11 17:39:55 Marc Deslauriers nginx (Ubuntu Raring): importance Undecided Low
2013-01-11 18:58:59 Thomas Ward bug watch added http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697940
2013-01-11 18:58:59 Thomas Ward bug task added nginx (Debian)
2013-01-11 20:36:03 Bug Watch Updater nginx (Debian): status Unknown Confirmed
2013-05-21 17:16:56 Thomas Ward nginx (Ubuntu Oneiric): status Confirmed Won't Fix
2014-04-17 18:45:59 Jamie Strandboge nginx (Ubuntu Raring): status Confirmed Won't Fix
2014-06-26 22:53:40 Jamie Strandboge nginx (Ubuntu Quantal): status Confirmed Won't Fix
2015-01-12 06:10:18 Bug Watch Updater nginx (Debian): status Confirmed Fix Released
2015-02-11 17:17:23 Thomas Ward bug task added nginx
2015-02-11 17:19:14 Thomas Ward nginx: importance Undecided Low
2015-02-11 17:19:14 Thomas Ward nginx: status New Fix Released
2015-02-11 17:19:49 Thomas Ward nominated for series Ubuntu Trusty
2015-02-11 17:19:49 Thomas Ward bug task added nginx (Ubuntu Trusty)
2015-02-11 17:19:49 Thomas Ward nominated for series Ubuntu Vivid
2015-02-11 17:19:49 Thomas Ward bug task added nginx (Ubuntu Vivid)
2015-02-11 17:19:49 Thomas Ward nominated for series Ubuntu Utopic
2015-02-11 17:19:49 Thomas Ward bug task added nginx (Ubuntu Utopic)
2015-02-11 17:20:28 Thomas Ward nginx (Ubuntu Trusty): importance Undecided Low
2015-02-11 17:20:28 Thomas Ward nginx (Ubuntu Trusty): status New Confirmed
2015-02-11 17:20:41 Thomas Ward nginx (Ubuntu Utopic): importance Undecided Low
2015-02-11 17:20:41 Thomas Ward nginx (Ubuntu Utopic): status New Confirmed
2015-06-17 11:42:48 Rolf Leggewie nginx (Ubuntu Lucid): status Confirmed Won't Fix
2015-07-23 22:17:24 Thomas Ward nginx (Ubuntu Utopic): status Confirmed Won't Fix
2015-09-10 19:30:28 Thomas Ward nominated for series Ubuntu Wily
2015-09-10 19:30:28 Thomas Ward bug task added nginx (Ubuntu Wily)
2015-09-10 19:33:24 Thomas Ward nginx (Ubuntu Wily): status Confirmed Fix Released
2015-09-10 19:36:14 Thomas Ward description

Old value:

I am reporting this bug so there's a bug to track this in within Launchpad. If/when a patch is approved upstream, this bug can be used as a reference point in the changelog when SRU-ing the fix into older releases.

Confirmed as Debian Bug 697940. Confirmed as CVE-2011-4968.

This has already been added to the Ubuntu Security Team Tracker at http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4968.html

Information as follows comes from the Debian Bug: "When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server. This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and also CVE-2011-4968. It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream."

New value:

I am reporting this bug so there's a bug to track this in within Launchpad. If/when a patch is approved upstream, this bug can be used as a reference point in the changelog when SRU-ing the fix into older releases.

Confirmed as Debian Bug 697940. Confirmed as CVE-2011-4968.

This has already been added to the Ubuntu Security Team Tracker at http://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-4968.html

Information as follows comes from the Debian Bug: "When nginx is configured as a reverse proxy with an https origin server, it is vulnerable to a MITM attack, because it does not verify the certificate of the origin server. This is upstream's bug https://trac.nginx.org/nginx/ticket/13, and also CVE-2011-4968. It appears to have been known for over a year, but the proposed patches to resolve the problem appear to have never made it through the patch review process in upstream."

Sept. 10, 2015: This was 'fixed' upstream in nginx 1.7.0, with a commit landing upstream about 17 months ago. (see the changeset located at https://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx )

2015-09-21 16:41:34 Thomas Ward nginx (Ubuntu Precise): status Confirmed Won't Fix
2015-09-21 16:41:46 Thomas Ward nginx (Ubuntu Trusty): status Confirmed Won't Fix
2015-09-21 16:41:57 Thomas Ward nginx (Ubuntu Vivid): status Confirmed Won't Fix