group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Thomas Ward <teward@xxxxxxxxxxx>
Date: Wed, 03 Feb 2016 18:25:54 -0000
Reply-to: Bug 1538165 <1538165@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

As Vivid reaches End of Life tomorrow, and that provides insufficient
time for a fix to be produced for that version of the package, we are
marking this as "Won't Fix" on Vivid.

** Changed in: nginx (Ubuntu Vivid)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1538165

Title:
  Security Issues Impacting NGINX: 1.8.x, 1.9.x

Status in nginx package in Ubuntu:
  Fix Released
Status in nginx source package in Precise:
  Confirmed
Status in nginx source package in Trusty:
  Confirmed
Status in nginx source package in Vivid:
  Won't Fix
Status in nginx source package in Wily:
  Confirmed
Status in nginx source package in Xenial:
  Fix Released

Bug description:
  This is listed as a Public Security bug as the CVEs and fixes have
  been announced by NGINX Upstream officially.

  There are 3 CVEs impacting all versions of NGINX in Ubuntu.  The
  following is taken from the upstream security announcement on the
  nginx-announce mailing list
  (http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html):

  - Invalid pointer dereference might occur during DNS server response
   processing, allowing an attacker who is able to forge UDP
   packets from the DNS server to cause worker process crash
   (CVE-2016-0742).

  - Use-after-free condition might occur during CNAME response
   processing. This problem allows an attacker who is able to trigger
   name resolution to cause worker process crash, or might
   have potential other impact (CVE-2016-0746).

  - CNAME resolution was insufficiently limited, allowing an attacker who
   is able to trigger arbitrary name resolution to cause excessive resource
   consumption in worker processes (CVE-2016-0747).

  The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
  is used in a configuration file.

  The problems are fixed in nginx 1.9.10, 1.8.1.

  ------

  As stated prior, all versions of Ubuntu have an affected version of
  nginx.  There are many commits done by upstream to fix these issues.
  There are at least 17 of which will need to be examined; as I examine
  the commits in the upstream commit logs, I will provide links to each
  commit here.

  Xenial will very quickly get a fix, after I push an upload containing
  nginx 1.9.10 to the repositories.

  Wily, having nginx 1.9.3, may be more receptive to patching without
  any type of changing of the patch to match code changes.  This remains
  to be determined however.

  Older versions of Ubuntu, Vivid and earlier, are likely less receptive
  to the patches, and may need re-engineered to apply to those code
  bases, given the age of those versions of nginx.

  ------

  This is tracked in Debian as Debian Bug 812806:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812806

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions