| 2016-01-26 14:50:08 |
Thomas Ward |
bug |
|
|
added bug |
| 2016-01-26 14:50:34 |
Thomas Ward |
nominated for series |
|
Ubuntu Wily |
|
| 2016-01-26 14:50:34 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu Wily) |
|
| 2016-01-26 14:50:34 |
Thomas Ward |
nominated for series |
|
Ubuntu Xenial |
|
| 2016-01-26 14:50:34 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu Xenial) |
|
| 2016-01-26 14:50:44 |
Thomas Ward |
nginx (Ubuntu Wily): assignee |
|
Thomas Ward (teward) |
|
| 2016-01-26 16:41:43 |
Thomas Ward |
cve linked |
|
2016-0742 |
|
| 2016-01-26 16:41:53 |
Thomas Ward |
cve linked |
|
2016-0746 |
|
| 2016-01-26 16:44:10 |
Thomas Ward |
cve linked |
|
2016-0747 |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
nominated for series |
|
Ubuntu Trusty |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu Trusty) |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
nominated for series |
|
Ubuntu Vivid |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu Vivid) |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
nominated for series |
|
Ubuntu Precise |
|
| 2016-01-26 16:55:34 |
Thomas Ward |
bug task added |
|
nginx (Ubuntu Precise) |
|
| 2016-01-26 16:56:12 |
Thomas Ward |
nginx (Ubuntu Vivid): assignee |
|
Thomas Ward (teward) |
|
| 2016-01-26 16:56:14 |
Thomas Ward |
nginx (Ubuntu Trusty): assignee |
|
Thomas Ward (teward) |
|
| 2016-01-26 17:01:12 |
Thomas Ward |
nginx (Ubuntu Precise): assignee |
|
Thomas Ward (teward) |
|
| 2016-01-26 17:18:03 |
Thomas Ward |
nginx (Ubuntu Precise): status |
New |
Confirmed |
|
| 2016-01-26 17:18:05 |
Thomas Ward |
nginx (Ubuntu Trusty): status |
New |
Confirmed |
|
| 2016-01-26 17:18:07 |
Thomas Ward |
nginx (Ubuntu Vivid): status |
New |
Confirmed |
|
| 2016-01-26 17:18:09 |
Thomas Ward |
nginx (Ubuntu Wily): status |
New |
Confirmed |
|
| 2016-01-26 17:18:11 |
Thomas Ward |
nginx (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2016-01-26 17:56:46 |
Thomas Ward |
description |
This is listed as a Private Security bug as it contains some security content, but does not contain specifics due to Upstream not releasing them, and also at Upstream's request to keep notifications about issues not yet known to the public quiet.
It was told to me from NGINX Upstream by Andrew Hutchings (the Technical Product Manager at NGINX Inc, the company behind the nginx web server) that there is an update releasing for NGINX that addresses some security issues, with CVE information to be made available once the release is made. The releases containing fixes for these issues are 1.8.1 for the Stable branch, and 1.9.10 for the Mainline branch.
These issues are NOT yet available for me to review, and therefore security content of these issues remains secret to me.
This bug here is made as a tracker for pending state on this, as well as to have the information stored for the issues affecting NGINX in Ubuntu.
Without specific details, I can say with some certainty that NGINX 1.9.0 and later are affected, which means Wily and Xenial are both affected. Once more data is available, CVEs will be added here as well as other information related to these CVEs, and we can determine what needs to be fixed where after that information is available.
I am assigning myself currently to track this, as the NGINX release is expected today (January 26, 2016) at some time according to Andrew, and that release will have details available there as well as fixes. |
This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially.
There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx-announce mailing list:
- Invalid pointer dereference might occur during DNS server response
processing, allowing an attacker who is able to forge UDP
packets from the DNS server to cause worker process crash
(CVE-2016-0742).
- Use-after-free condition might occur during CNAME response
processing. This problem allows an attacker who is able to trigger
name resolution to cause worker process crash, or might
have potential other impact (CVE-2016-0746).
- CNAME resolution was insufficiently limited, allowing an attacker who
is able to trigger arbitrary name resolution to cause excessive resource
consumption in worker processes (CVE-2016-0747).
The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.
The problems are fixed in nginx 1.9.10, 1.8.1.
------
As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17 of which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here.
Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories.
Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however.
Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and may need re-engineered to apply to those code bases, given the age of those versions of nginx. |
|
| 2016-01-26 17:57:07 |
Thomas Ward |
information type |
Private Security |
Public Security |
|
| 2016-01-26 17:57:24 |
Thomas Ward |
nginx (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
| 2016-01-26 18:11:17 |
Thomas Ward |
description |
This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially.
There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx-announce mailing list:
- Invalid pointer dereference might occur during DNS server response
processing, allowing an attacker who is able to forge UDP
packets from the DNS server to cause worker process crash
(CVE-2016-0742).
- Use-after-free condition might occur during CNAME response
processing. This problem allows an attacker who is able to trigger
name resolution to cause worker process crash, or might
have potential other impact (CVE-2016-0746).
- CNAME resolution was insufficiently limited, allowing an attacker who
is able to trigger arbitrary name resolution to cause excessive resource
consumption in worker processes (CVE-2016-0747).
The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.
The problems are fixed in nginx 1.9.10, 1.8.1.
------
As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17 of which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here.
Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories.
Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however.
Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and may need re-engineered to apply to those code bases, given the age of those versions of nginx. |
This is listed as a Public Security bug as the CVEs and fixes have been announced by NGINX Upstream officially.
There are 3 CVEs impacting all versions of NGINX in Ubuntu. The following is taken from the upstream security announcement on the nginx-announce mailing list (http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html):
- Invalid pointer dereference might occur during DNS server response
processing, allowing an attacker who is able to forge UDP
packets from the DNS server to cause worker process crash
(CVE-2016-0742).
- Use-after-free condition might occur during CNAME response
processing. This problem allows an attacker who is able to trigger
name resolution to cause worker process crash, or might
have potential other impact (CVE-2016-0746).
- CNAME resolution was insufficiently limited, allowing an attacker who
is able to trigger arbitrary name resolution to cause excessive resource
consumption in worker processes (CVE-2016-0747).
The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
is used in a configuration file.
The problems are fixed in nginx 1.9.10, 1.8.1.
------
As stated prior, all versions of Ubuntu have an affected version of nginx. There are many commits done by upstream to fix these issues. There are at least 17 of which will need to be examined; as I examine the commits in the upstream commit logs, I will provide links to each commit here.
Xenial will very quickly get a fix, after I push an upload containing nginx 1.9.10 to the repositories.
Wily, having nginx 1.9.3, may be more receptive to patching without any type of changing of the patch to match code changes. This remains to be determined however.
Older versions of Ubuntu, Vivid and earlier, are likely less receptive to the patches, and may need re-engineered to apply to those code bases, given the age of those versions of nginx.
------
This is tracked in Debian as Debian Bug 812806:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806 |
|
| 2016-01-26 18:46:12 |
ctrochalakis |
bug |
|
|
added subscriber ctrochalakis |
| 2016-01-26 19:49:09 |
Alberto Salvia Novella |
tags |
wily xenial |
trusty wily xenial |
|
| 2016-01-26 19:49:18 |
Alberto Salvia Novella |
tags |
trusty wily xenial |
precise trusty wily xenial |
|
| 2016-01-26 19:50:41 |
Alberto Salvia Novella |
nginx (Ubuntu Precise): importance |
Undecided |
High |
|
| 2016-01-26 19:50:43 |
Alberto Salvia Novella |
nginx (Ubuntu Trusty): importance |
Undecided |
High |
|
| 2016-01-26 19:50:44 |
Alberto Salvia Novella |
nginx (Ubuntu Vivid): importance |
Undecided |
High |
|
| 2016-01-26 19:50:45 |
Alberto Salvia Novella |
nginx (Ubuntu Wily): importance |
Undecided |
High |
|
| 2016-01-26 19:50:47 |
Alberto Salvia Novella |
nginx (Ubuntu Xenial): importance |
Undecided |
High |
|
| 2016-01-26 20:03:53 |
Thomas Ward |
nginx (Ubuntu Precise): importance |
High |
Medium |
|
| 2016-01-26 20:03:54 |
Thomas Ward |
nginx (Ubuntu Trusty): importance |
High |
Medium |
|
| 2016-01-26 20:03:55 |
Thomas Ward |
nginx (Ubuntu Vivid): importance |
High |
Medium |
|
| 2016-01-26 20:03:57 |
Thomas Ward |
nginx (Ubuntu Wily): importance |
High |
Medium |
|
| 2016-01-26 20:03:59 |
Thomas Ward |
nginx (Ubuntu Xenial): importance |
High |
Medium |
|
| 2016-01-26 21:09:33 |
Thomas Ward |
nginx (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2016-01-26 22:07:03 |
Launchpad Janitor |
nginx (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2016-01-26 23:12:26 |
Thomas Ward |
nginx (Ubuntu Vivid): assignee |
Thomas Ward (teward) |
|
|
| 2016-01-26 23:12:29 |
Thomas Ward |
nginx (Ubuntu Trusty): assignee |
Thomas Ward (teward) |
|
|
| 2016-01-26 23:12:32 |
Thomas Ward |
nginx (Ubuntu Precise): assignee |
Thomas Ward (teward) |
|
|
| 2016-01-27 15:55:29 |
Thomas Ward |
nginx (Ubuntu Wily): assignee |
Thomas Ward (teward) |
|
|
| 2016-02-03 18:25:54 |
Thomas Ward |
nginx (Ubuntu Vivid): status |
Confirmed |
Won't Fix |
|
| 2016-02-09 18:00:34 |
Launchpad Janitor |
nginx (Ubuntu Wily): status |
Confirmed |
Fix Released |
|
| 2016-02-09 18:00:34 |
Launchpad Janitor |
cve linked |
|
2016-0743 |
|
| 2016-02-09 18:00:34 |
Launchpad Janitor |
cve linked |
|
2016-0744 |
|
| 2016-02-09 18:00:35 |
Launchpad Janitor |
nginx (Ubuntu Trusty): status |
Confirmed |
Fix Released |
|
| 2016-02-09 18:36:52 |
Thomas Ward |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806 |
|
| 2016-02-09 18:36:52 |
Thomas Ward |
bug task added |
|
nginx (Debian) |
|
| 2016-02-09 23:37:15 |
Bug Watch Updater |
nginx (Debian): status |
Unknown |
Fix Released |
|
| 2021-10-14 15:24:09 |
Steve Langasek |
nginx (Ubuntu Precise): status |
Confirmed |
Won't Fix |
|
