nginx vulnerable to MITM Attack [CVE-2011-4968]

Oneiric has reached EOL (End of Life) and is no longer supported. As a result, this bug (against Oneiric) is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

I think this has been incorrectly classified as 'low'. People requiring secure connectivity to a backend server are currently receiving a silent downgrade in security.

An upstream commit has been made addressing this issue.

Refer to http://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx for the fix.

I'll check if the other versions of nginx not listed here are affected later, after work.

The nginx project tracker for this task was added to track the status in the PPAs. This has landed in the NGINX PPA for Mainline. It has not been backported to Stable at this time. (Was supposedly fixed in 1.7.0 per http://mailman.nginx.org/pipermail/nginx-devel/2015-February/006484.html)

Note on the 'severity' per comment #2: The severity set is based on the severity of the CVE, partly per the Security Team's tracker.

As this has been classified as "low" there, the severity here was set to "Low".

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Ubuntu Utopic has gone End of Life as of today. As such, this bug is being marked Won't Fix against the Utopic package.

Refer to: https://lists.ubuntu.com/archives/ubuntu-announce/2015-July/000198.html

Ubuntu Wily has a fix for this included as part of the 1.9.3-1ubuntu1 merge. The fix for this issue was introduced in nginx 1.7.0.

Per the notes on the CVE tracker:

 sarnold> Backporting this fix is non-trivial and may break deployed
  applications. Someone who really wanted this could use stunnel as a
  work-around until 16.04 LTS is released.

This applies to Precise, Trusty, and Vivid.