2012, July 16 - Security Advisory - CVE-2012-3380

Bug #1025463 reported by Thomas Ward
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Nginx
Invalid
Undecided
Unassigned
nginx (Ubuntu)
Fix Released
Undecided
Thomas Ward
Hardy
Invalid
Undecided
Unassigned
Lucid
Invalid
Undecided
Unassigned
Natty
Invalid
Undecided
Unassigned
Oneiric
Invalid
Undecided
Unassigned
Precise
Invalid
Undecided
Unassigned

Bug Description

CVE-2012-3380:
File disclosure in Naxsi web application firewall module for Nginx (also shipped in the Debian nginx package)

http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-3380.html reports this does not impact Quantal. BugControl should assign this bug to all other currently supported releases of Ubuntu.

CVE References

Tyler Hicks (tyhicks)
security vulnerability: no → yes
Changed in nginx (Ubuntu):
status: New → Fix Released
Thomas Ward (teward)
Changed in nginx (Ubuntu Precise):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Oneiric):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Natty):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Lucid):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu Hardy):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Changed in nginx (Ubuntu):
assignee: nobody → Thomas Ward (trekcaptainusa-tw)
Revision history for this message
Michael Lustfield (michaellustfield) wrote :

Marked Invalid for Nginx source because Nginx is not vulnerable.

Changed in nginx:
status: New → Invalid
Changed in nginx (Ubuntu Hardy):
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
status: New → Invalid
Changed in nginx (Ubuntu Lucid):
status: New → Invalid
Changed in nginx (Ubuntu Natty):
status: New → Invalid
Changed in nginx (Ubuntu Oneiric):
status: New → Invalid
Changed in nginx (Ubuntu Lucid):
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
Changed in nginx (Ubuntu Natty):
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
Changed in nginx (Ubuntu Oneiric):
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
Revision history for this message
Michael Lustfield (michaellustfield) wrote :

The relevant binary package needs to actually exist in the release in order for it to be of any concern. No naxsi binary packages were being produced prior to Precise and this bug is therefore Invalid in them. I'll leave the remaining bug as assigned to determine if the CVE is pertanent to Precise and Quantal.

Revision history for this message
Thomas Ward (teward) wrote :

The binary in Quantal already has the fix, per Debian changelogs:

nginx (1.2.1-2) unstable; urgency=medium

  [Cyril Lavier]
  * Urgency set to medium, security bug in naxsi module, fix via upstream.
  * debian/modules/naxsi:
    + Updated naxsi module to version 0.46-1 fixing the following security
      issue : potential file disclosure in nx_extract.

 -- Cyril Lavier <email address hidden> Wed, 27 Jun 2012 13:52:03 +0200

"Fix Released" is valid in this case for Quantal.

------

According to the Debian CVE tracker here: http://security-tracker.debian.org/tracker/CVE-2012-3380

Versions prior to 1.1.18-1 are not affected, but a fix was not applied until 1.2.1-2. Therefore, assuming that Precise (1.1.19-1) has this vulnerability is valid. Please confirm though that 1.1.19 is affected (Debian did not show a fix until at least 1.2.1-2).

Revision history for this message
Thomas Ward (teward) wrote :

Further inspection showed that this only affected Quantal (the nginx-naxsi-ui package was not shipped in Precise, and that package is what is affected).

This is being marked "invalid" for precise.

Changed in nginx (Ubuntu Precise):
status: New → Invalid
assignee: Thomas Ward (trekcaptainusa-tw) → nobody
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.