2012, July 16 - Security Advisory - CVE-2012-3380

Marked Invalid for Nginx source because Nginx is not vulnerable.

The relevant binary package needs to actually exist in the release in order for it to be of any concern. No naxsi binary packages were being produced prior to Precise and this bug is therefore Invalid in them. I'll leave the remaining bug as assigned to determine if the CVE is pertanent to Precise and Quantal.

The binary in Quantal already has the fix, per Debian changelogs:

nginx (1.2.1-2) unstable; urgency=medium

  [Cyril Lavier]
  * Urgency set to medium, security bug in naxsi module, fix via upstream.
  * debian/modules/naxsi:
    + Updated naxsi module to version 0.46-1 fixing the following security
      issue : potential file disclosure in nx_extract.

 -- Cyril Lavier <email address hidden> Wed, 27 Jun 2012 13:52:03 +0200

"Fix Released" is valid in this case for Quantal.

------

According to the Debian CVE tracker here: http://security-tracker.debian.org/tracker/CVE-2012-3380

Versions prior to 1.1.18-1 are not affected, but a fix was not applied until 1.2.1-2. Therefore, assuming that Precise (1.1.19-1) has this vulnerability is valid. Please confirm though that 1.1.19 is affected (Debian did not show a fix until at least 1.2.1-2).

Further inspection showed that this only affected Quantal (the nginx-naxsi-ui package was not shipped in Precise, and that package is what is affected).

This is being marked "invalid" for precise.