Debian Bug report logs - #730012
nginx: CVE-2013-4547


Package: nginx; Maintainer for nginx is Kartik Mistry <kartik@debian.org>; Source for nginx is src:nginx.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 20 Nov 2013 06:12:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions nginx/1.4.3-2, nginx/1.2.1-2.2+wheezy1

Fixed in versions nginx/1.4.4-1, 1.2.1-2.2+wheezy2

Done: Michael Lustfield <michael@lustfield.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Wed, 20 Nov 2013 06:12:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Kartik Mistry <kartik@debian.org>. (Wed, 20 Nov 2013 06:12:06 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx: CVE-2013-4547
Date: Wed, 20 Nov 2013 07:09:07 +0100
Package: nginx
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for nginx.

CVE-2013-4547[0]:
security restrictions bypass

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions nginx/1.2.1-2.2+wheezy1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Nov 2013 09:03:05 GMT)

Marked as found in versions nginx/1.4.3-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Nov 2013 09:03:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Wed, 20 Nov 2013 09:15:04 GMT)

Acknowledgement sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 20 Nov 2013 09:15:04 GMT)

Message #14 received at submit@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: Salvatore Bonaccorso <carnil@debian.org>, 730012@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#730012: nginx: CVE-2013-4547
Date: Wed, 20 Nov 2013 11:13:01 +0200
On Wed, Nov 20, 2013 at 07:09:07AM +0100, Salvatore Bonaccorso wrote:
>Package: nginx
>Severity: grave
>Tags: security upstream patch
>
>Hi,
>
>the following vulnerability was published for nginx.
>
>CVE-2013-4547[0]:
>security restrictions bypass
>
>If you fix the vulnerability please also make sure to include the
>CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
>For further information see:
>
>[0] http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
>
>Please adjust the affected versions in the BTS as needed.
>

Thank you for the bug report, Salvatore; we are working on that. We
contacted the security team earlier today.




Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Wed, 20 Nov 2013 09:15:10 GMT)

Acknowledgement sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Wed, 20 Nov 2013 09:15:10 GMT)

Reply sent to Michael Lustfield <michael@lustfield.net>:
You have taken responsibility. (Thu, 21 Nov 2013 15:39:30 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 Nov 2013 15:39:30 GMT)

Message #24 received at 730012-close@bugs.debian.org:

From: Michael Lustfield <michael@lustfield.net>
To: 730012-close@bugs.debian.org
Subject: Bug#730012: fixed in nginx 1.4.4-1
Date: Thu, 21 Nov 2013 15:34:21 +0000
Source: nginx
Source-Version: 1.4.4-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 730012@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Lustfield <michael@lustfield.net> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 21 Nov 2013 19:25:50 +0530
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg nginx-naxsi nginx-naxsi-dbg nginx-naxsi-ui
Architecture: source all amd64
Version: 1.4.4-1
Distribution: unstable
Urgency: low
Maintainer: Kartik Mistry <kartik@debian.org>
Changed-By: Michael Lustfield <michael@lustfield.net>
Description: 
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
 nginx-naxsi - nginx web/proxy server (version with naxsi)
 nginx-naxsi-dbg - nginx web/proxy server (version with naxsi) - debugging symbols
 nginx-naxsi-ui - nginx web/proxy server - naxsi configuration front-end
Closes: 728038 728103 728721 729003 730012
Changes: 
 nginx (1.4.4-1) unstable; urgency=low
 .
   [ Christos Trochalakis ]
   * New upstream release. (Closes: #730012)
   * debian/nginx-*.postinst:
     + Wait for the new master to write its pid file before sending QUIT to the
       old master. This solves an issue with systemd and the upgrade mechanism.
       Systemd receives the SIGCHLD from the old master but it can't see the new
       pid because the new master has not written it yet. As a result, it kills
       everything inside the cgroup, including the new master.
   * debian/modules/ngx-fancyindex:
     + Upgrade Fancy Index module to v0.3.3 (Closes: #728721)
   * debian/control:
     + Remove Upload module from nginx-extras description (Closes: #729003)
 .
   [ Michael Lustfield ]
   * debian/control:
     + Added spdy to package description (Closes: #728038)
   * debian/nginx-common.nginx.init:
     + Showing better start/stop messages. Thanks Pim van den Berg.
       (Closes: #728103)
Checksums-Sha1: 
 39ef85e628b0baf597e12eaf3c6049d42e93a0f0 2171 nginx_1.4.4-1.dsc
 304d5991ccde398af2002c0da980ae240cea9356 768217 nginx_1.4.4.orig.tar.gz
 cd47d2e8072c1380b36f1d96a96df5a0f92a2d79 1566388 nginx_1.4.4-1.debian.tar.gz
 1a5d34cc09192a1920bbe0937f191a1bfb5785af 66562 nginx_1.4.4-1_all.deb
 c1b899e970c60348cc8bc9575a09f98c7b85a1de 79084 nginx-doc_1.4.4-1_all.deb
 5d98c0990a759b8578f60d1cc31f7728800cc65e 77004 nginx-common_1.4.4-1_all.deb
 0a51d939821be10305ff3fb89c1b3dd72b1c5978 308806 nginx-naxsi-ui_1.4.4-1_all.deb
 276c22c2e871ff102cbfe5385058a57d973389f5 391676 nginx-full_1.4.4-1_amd64.deb
 76941614172ab9ed9834c7cda93587c6b4bfcdfc 2993684 nginx-full-dbg_1.4.4-1_amd64.deb
 4e275a23b5c3fa516b604f5bcffc4e79108c71bd 293924 nginx-light_1.4.4-1_amd64.deb
 dde561777cbb2c657572915f2a2752e0a334f112 2083078 nginx-light-dbg_1.4.4-1_amd64.deb
 e0d2b4454d1ab72397ab48ef8bde9777b0bfab3b 545182 nginx-extras_1.4.4-1_amd64.deb
 c32034a5b2e23fc589b91129680fe97307593744 4783378 nginx-extras-dbg_1.4.4-1_amd64.deb
 39a2af626f18804af8151c04246e6f05f1955942 329770 nginx-naxsi_1.4.4-1_amd64.deb
 74bf6069bf370ddc8ed430f4e37b2874d84b36dd 2247058 nginx-naxsi-dbg_1.4.4-1_amd64.deb
Checksums-Sha256: 
 78da2df0331a347ff90aabc525537e6aa7ec9a86945650ff546748cfec8ee4e2 2171 nginx_1.4.4-1.dsc
 7c989a58e5408c9593da0bebcd0e4ffc3d892d1316ba5042ddb0be5b0b4102b9 768217 nginx_1.4.4.orig.tar.gz
 0d8275648a361f48040aaeabd3733335b4623bfb88afb8a09d2c2830dd09ffd3 1566388 nginx_1.4.4-1.debian.tar.gz
 a23a69224877f89a05053aaf96a30f6197fd08239e8eb7b65ab757ab237384ba 66562 nginx_1.4.4-1_all.deb
 92d1a1d71ef8a3a1779dd55e6f0169f51ebf01d0553dbace692c282e1ae313d1 79084 nginx-doc_1.4.4-1_all.deb
 f9904924a9492d368cafeee08b2d84e22ed2796f0964788a2e0654da4ea14dbb 77004 nginx-common_1.4.4-1_all.deb
 5eb7f951cf1b964b5ed16a2d2ec677c8f6b2abe9616d70e2da59af8754263589 308806 nginx-naxsi-ui_1.4.4-1_all.deb
 9b40dca765ee953bb6a9cfd635eb67c93209190a799d093deb31671f32799e9d 391676 nginx-full_1.4.4-1_amd64.deb
 3b88b047c470db624a12cb951f222b6828275fde8e26b72c2b035adf22497adb 2993684 nginx-full-dbg_1.4.4-1_amd64.deb
 ded2a5635433fe84e55ce66819f0d3d64e3f7f2eda14df7ef31249de36e00a7d 293924 nginx-light_1.4.4-1_amd64.deb
 6255ddb99cc4e5353cdb65b93c8ae6b5ca37243b061d40611b0be9f00e1d0dcc 2083078 nginx-light-dbg_1.4.4-1_amd64.deb
 f75cca8238b6a6dbf96d86032807f16f5dd491a6097967e3073c725384a0989d 545182 nginx-extras_1.4.4-1_amd64.deb
 5606082efa83c3515d1306873504a6d09eda77e452b0a6bbfc8c4e7e1d3bc013 4783378 nginx-extras-dbg_1.4.4-1_amd64.deb
 4f801dc4a4d370ba98827435e01a5f0b2923b0164e36f60c87f3ba605489055d 329770 nginx-naxsi_1.4.4-1_amd64.deb
 4d51c1358d98e135c45de1e94db4a85987e74eeccb64b4e1518bedaa5ef378ab 2247058 nginx-naxsi-dbg_1.4.4-1_amd64.deb
Files: 
 30301582785b54e2ab36f8dff4beab4f 2171 httpd optional nginx_1.4.4-1.dsc
 5dfaba1cbeae9087f3949860a02caa9f 768217 httpd optional nginx_1.4.4.orig.tar.gz
 7cb96bbd095fb39fb2345085434c9478 1566388 httpd optional nginx_1.4.4-1.debian.tar.gz
 4cc76020cb1c0ad67d9bf1a45d45df7e 66562 httpd optional nginx_1.4.4-1_all.deb
 84f793a7c2d3bd30a94b7f74d37b8cf0 79084 doc optional nginx-doc_1.4.4-1_all.deb
 767766dedd93efed0ad5d7a72243d98d 77004 httpd optional nginx-common_1.4.4-1_all.deb
 93b769c6008cac68a9ae9f70d94bb42f 308806 httpd extra nginx-naxsi-ui_1.4.4-1_all.deb
 1f0fde9bc544513c99118c5320be3b16 391676 httpd optional nginx-full_1.4.4-1_amd64.deb
 764f9658d46c96da9347dfb49b862ae5 2993684 debug extra nginx-full-dbg_1.4.4-1_amd64.deb
 387f0f40b933a3252e23e6fcb231e6c0 293924 httpd extra nginx-light_1.4.4-1_amd64.deb
 bc1b5ec8fdc1c84623aeaccbf51d6617 2083078 debug extra nginx-light-dbg_1.4.4-1_amd64.deb
 8d59457062e8ccdd5e35aad30c9a4684 545182 httpd extra nginx-extras_1.4.4-1_amd64.deb
 604e1342d4707dbf14f83ccae2ad7767 4783378 debug extra nginx-extras-dbg_1.4.4-1_amd64.deb
 90a3b4a7fb2b0d41d072859ae1c29fa3 329770 httpd extra nginx-naxsi_1.4.4-1_amd64.deb
 6ebcc21420e93fff6b939d496df5b591 2247058 debug extra nginx-naxsi-dbg_1.4.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlKOIZoACgkQoRg/jtECjI1cMACffamJad63yPZ68Ui8EhEsnblo
NRAAoIKqTpi3cAIFGGwrYbmCGuXLv7m6
=ES3+
-----END PGP SIGNATURE-----




Marked as fixed in versions 1.2.1-2.2+wheezy2. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Thu, 21 Nov 2013 21:39:13 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Mon, 25 Nov 2013 20:03:08 GMT)

Acknowledgement sent to Kevin Price <kp@kevin-price.de>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Mon, 25 Nov 2013 20:03:08 GMT)

Message #31 received at 730012@bugs.debian.org:

From: Kevin Price <kp@kevin-price.de>
To: 730012@bugs.debian.org
Subject: Re: Bug#730012: nginx: CVE-2013-4547
Date: Mon, 25 Nov 2013 20:37:20 +0100
Hi!

Thanks a lot for fixing this issue! Is there a chance that the still
vulnerable wheezy-backports will soon be either patched or updated?
(I know, security does not include bpo.)

patch: http://nginx.org/download/patch.2013.space.txt

update: 1.4.4 or 1.5.7 will do.
(reference:
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html )

brgds
-- 
Kevin Price
http://www.kevin-price.de/


Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Mon, 25 Nov 2013 20:15:04 GMT)

Acknowledgement sent to Christos Trochalakis <yatiohi@ideopolis.gr>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Mon, 25 Nov 2013 20:15:04 GMT)

Message #36 received at 730012@bugs.debian.org:

From: Christos Trochalakis <yatiohi@ideopolis.gr>
To: Kevin Price <kp@kevin-price.de>, 730012@bugs.debian.org
Subject: Re: Bug#730012: nginx: CVE-2013-4547
Date: Mon, 25 Nov 2013 22:07:03 +0200
On Mon, Nov 25, 2013 at 08:37:20PM +0100, Kevin Price wrote:
>Hi!
>
>Thanks a lot for fixing this issue! Is there a chance that the still
>vulnerable wheezy-backports will soon be either patched or updated?
>(I know, security does not include bpo.)
>
>patch: http://nginx.org/download/patch.2013.space.txt
>
>update: 1.4.4 or 1.5.7 will do.
>(reference:
>http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html )
>

Hello Kevin,

We are going to backport 1.4.4 as soon as it migrates to testing.




Information forwarded to debian-bugs-dist@lists.debian.org, Kartik Mistry <kartik@debian.org>:
Bug#730012; Package nginx. (Mon, 25 Nov 2013 20:30:04 GMT)

Acknowledgement sent to Kevin Price <kp@kevin-price.de>:
Extra info received and forwarded to list. Copy sent to Kartik Mistry <kartik@debian.org>. (Mon, 25 Nov 2013 20:30:04 GMT)

Message #41 received at 730012@bugs.debian.org:

From: Kevin Price <kp@kevin-price.de>
To: Christos Trochalakis <yatiohi@ideopolis.gr>
Cc: 730012@bugs.debian.org
Subject: Re: Bug#730012: nginx: CVE-2013-4547
Date: Mon, 25 Nov 2013 21:27:37 +0100
Hi Christos:

Am 25.11.2013 21:07, schrieb Christos Trochalakis:
> We are going to backport 1.4.4 as soon as it migrates to testing.

Thanks even more. :)

FYI: One serious data retention issue is a prime reason for using nginx >= 1.3.7, thus bpo: OCSP stapling. (rfc4366) So presumably there are many more users thankfully looking forward to this update.

cheers
-- 
Kevin Price
http://www.kevin-price.de/


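The found/fixed pairs recorded in this bug (nginx/1.4.3-2 fixed by 1.4.4-1 in unstable; nginx/1.2.1-2.2+wheezy1 fixed by 1.2.1-2.2+wheezy2 in wheezy) only answer "is my nginx fixed?" when compared with dpkg's version ordering, suite by suite: the wheezy fix keeps upstream 1.2.1 and carries the patch in the Debian revision, so a scanner that only asks for upstream >= 1.4.4 (or 1.5.7) will still flag it, and, as Kevin's question shows, a wheezy-backports package with a 1.4.x version is not covered by either marker. The following is an added example and not code from the bug report, from nginx or from dpkg: a self-contained Python reimplementation of dpkg's version comparison (epoch, then upstream, then revision; non-digit runs compared lexically with '~' sorting before everything, digit runs numerically) and a per-suite check keyed on the two fixed versions above. The suite-to-version mapping is an assumption read from the changes file ("Distribution: unstable") and the +wheezy suffix, and the backport version string 1.4.4-1~bpo70+1 is a constructed one following the Debian backports naming convention, not a version the report mentions.

```python
"""Check an installed Debian nginx version against the fixed versions
recorded in Debian bug #730012 (CVE-2013-4547) using dpkg's own version
ordering.  Added example; not code from the bug report, nginx or dpkg."""


def _order(c):
    """Weight of one character in dpkg's non-digit comparison: '~' sorts
    before everything (even end of string), letters before non-letters,
    and a digit or end of string counts as zero."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the dpkg way:
    alternate non-digit runs (lexical via _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: the loop only advances while both characters agree,
        # so neither index can run past its string here.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version):
    """Split '[pkg/][epoch:]upstream[-revision]' into (epoch, upstream, revision).
    The optional 'pkg/' prefix is how the BTS prints versions ('nginx/1.4.3-2');
    a missing revision compares equal to revision '0', as in dpkg."""
    version = version.rsplit("/", 1)[-1]
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, hyphen, revision = rest.rpartition("-")
    if not hyphen:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """dpkg-style comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Fixed versions listed in bug #730012, keyed by suite.  The suite names are
# an assumption: 'unstable' from the changes file, 'wheezy' from the suffix.
FIXED_IN_730012 = {
    "wheezy": "1.2.1-2.2+wheezy2",
    "unstable": "1.4.4-1",
}


def status_for_730012(installed, suite):
    """'fixed' if the installed version is at or above the suite's fixed
    version, 'vulnerable' otherwise.  Suites without an entry raise, rather
    than silently being compared against another suite's threshold."""
    if suite not in FIXED_IN_730012:
        raise ValueError(f"no fixed version recorded for suite {suite!r}")
    return "fixed" if compare_versions(installed, FIXED_IN_730012[suite]) >= 0 else "vulnerable"


if __name__ == "__main__":
    for ver, suite in [("nginx/1.4.3-2", "unstable"), ("1.4.4-1", "unstable"),
                       ("nginx/1.2.1-2.2+wheezy1", "wheezy"), ("1.2.1-2.2+wheezy2", "wheezy")]:
        print(f"{ver:28} {suite:9} {status_for_730012(ver, suite)}")
    # Pitfall 1: the patched wheezy package still sorts below unstable's fix,
    # so a single global "is it >= 1.4.4-1?" threshold would flag it.
    print(compare_versions("1.2.1-2.2+wheezy2", "1.4.4-1"))   # -1
    # Pitfall 2: a backport (constructed name, Debian '~bpoNN+1' convention)
    # sorts below the unstable package it was built from for the same reason.
    print(compare_versions("1.4.4-1~bpo70+1", "1.4.4-1"))     # -1
```

Run it as a script to print the status table; on a live system, feed the output of `dpkg-query -W -f='${Version}' nginx` into status_for_730012 together with the suite the package came from. The two trailing comparisons are the pitfalls: the patched wheezy package sorts below 1.4.4-1, and a backport sorts below the unstable package it was built from, so each suite needs its own fixed-version entry rather than one global threshold.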
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Dec 2013 07:26:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:56:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.