group.of.nepali.translators team mailing list archive
Message #14646
[Bug 1704151] Re: Security Advisory - July 11 2017: CVE-2017-7529
This bug was fixed in the package nginx - 1.12.1-0ubuntu1
---------------
nginx (1.12.1-0ubuntu1) artful; urgency=medium
  * New upstream release (1.12.1) - full changelog available at upstream
    website - http://nginx.org/en/CHANGES-1.12
  * This release is a security patch micro-release from Upstream.
  * This package contains security content to fix the following CVEs:
    * CVE-2017-7529: A security issue was identified in nginx range filter.
      A specially crafted request might result in an integer overflow and
      incorrect processing of ranges, potentially resulting in sensitive
      information leak. (Closes LP: #1704151)
  * Additional changes:
    * d/patches/ubuntu-branding.patch: Refreshed Ubuntu Branding patch.
 -- Thomas Ward <teward@xxxxxxxxxx> Sat, 15 Jul 2017 12:40:15 -0400
** Changed in: nginx (Ubuntu Artful)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1704151
Title:
Security Advisory - July 11 2017: CVE-2017-7529
Status in nginx package in Ubuntu:
Fix Released
Status in nginx source package in Trusty:
Fix Released
Status in nginx source package in Xenial:
Fix Released
Status in nginx source package in Yakkety:
Fix Released
Status in nginx source package in Zesty:
Fix Released
Status in nginx source package in Artful:
Fix Released
Bug description:
It was reported by NGINX that there was a security vulnerability.
Specifically that:
A specially crafted request might result in an integer overflow and
incorrect processing of ranges in the range filter, potentially
resulting in sensitive information leak.
------
Refer to original notice here: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
Copy of the message contents below:
Hello!
A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).
When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.
Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory. No such modules are currently known though.
The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.
For older versions, the following configuration can be used
as a temporary workaround:
max_ranges 1;
Patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt
--
Maxim Dounin
http://nginx.org/
------
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1704151/+subscriptions
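A triage sketch for the version range and `max_ranges` workaround quoted in the advisory above, added here as an example; it is not part of the advisory, the Ubuntu package or nginx. The function names are hypothetical, the version line is assumed to look like `nginx -v` output, and the config text is whatever dump of the effective configuration is available. Distribution packages can carry a backported fix without changing the upstream version number, so the version result only holds for upstream builds.

```shell
#!/bin/sh
# Added example: triage one host against the version range and workaround in the advisory.

# ver_num 1.12.1 -> 1012001 (comparable integer; assumes major.minor.patch)
ver_num() { printf '%s\n' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'; }

# upstream_status VERSION -> affected | fixed | not-affected
# Range from the advisory: 0.5.6 - 1.13.2 affected; fixed in 1.13.3 and 1.12.1.
# Assumption: 1.12.x releases after 1.12.1 also carry the fix.
upstream_status() {
    v=$(ver_num "$1")
    if   [ "$v" -lt "$(ver_num 0.5.6)" ];  then echo not-affected
    elif [ "$v" -ge "$(ver_num 1.13.3)" ]; then echo fixed
    elif [ "$v" -ge "$(ver_num 1.12.1)" ] && [ "$v" -lt "$(ver_num 1.13.0)" ]; then echo fixed
    else echo affected
    fi
}

# workaround_state < CONFIG -> present | overridden | absent
# "present" only if max_ranges occurs and every occurrence is 0 or 1, because a
# server or location block can override a value inherited from the http block.
workaround_state() {
    awk '{ sub(/#.*/, "")                      # ignore comments
           for (i = 1; i < NF; i++) if ($i == "max_ranges") {
               n = $(i + 1); sub(/;.*/, "", n); seen = 1
               if (n + 0 > 1) loose = 1
           } }
         END { print (!seen ? "absent" : (loose ? "overridden" : "present")) }'
}

# triage "VERSION LINE" < CONFIG -> fixed | not-affected | mitigated | vulnerable | unknown
triage() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$(upstream_status "$ver")/$(workaround_state)" in
        affected/present) echo mitigated ;;
        affected/*)       echo vulnerable ;;
        */*)              upstream_status "$ver" ;;
    esac
}

# Constructed sample input (not from a real host): http-level workaround
# undone by a location block that raises the limit again.
sample_conf() { printf '%s\n' 'http {' '  max_ranges 1;' '  server {' \
    '    location /video/ { max_ranges 8; }' '  }' '}'; }

triage 'nginx version: nginx/1.10.3' < /dev/null    # no workaround configured
sample_conf | triage 'nginx version: nginx/1.10.3'  # workaround overridden
```

A `max_ranges 1;` that appears in only one server block still reports `present`, so confirm the directive sits at a level that covers every server handling cached responses.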