| Summary: | nginx new security issue CVE-2013-2070 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | oe, sysadmin-bugs |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/551693/ | ||
| Whiteboard: | has_procedure mga3-32-ok mga3-64-ok | ||
| Source RPM: | nginx-1.2.6-3.mga3.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2013-05-13 18:29:34 CEST

Fedora has issued an advisory for this on May 15:
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html

Updated packages uploaded for Mageia 3 and Cauldron.

Hopefully there's enough information on the CVE available to test that it's fixed, given what Oden linked in Comment 1. Fedora, however, didn't make any special changes other than updating to 1.2.9.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070).

Nginx has been updated to version 1.2.9 to fix this and several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
http://nginx.org/en/CHANGES-1.2
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.2.6-3.mga3 from nginx-1.2.6-3.mga3.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/551693/
David Walser
2013-05-24 18:14:01 CEST
Severity: normal => major

Hold on, Mageia 3 SVN was branched incorrectly. I need to re-upload the actually fixed package.

Updated package *really* uploaded for Mageia 3 this time.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070).

Nginx has been updated to version 1.2.9 to fix this and several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
http://nginx.org/en/CHANGES-1.2
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.2.9-1.mga3 from nginx-1.2.9-1.mga3.src.rpm

Altered /etc/nginx/nginx.conf to listen on port 8080 so it wouldn't interfere with apache, started the nginx service, then connected on http://localhost:8080 to view the index page located at /usr/share/nginx/html.

poweredby.png seems to be missing. IIRC this was altered to a Mageia logo in a previous update when it was found to have an MDV logo. Currently displays alt text, so should probably either be removed completely or added back again.
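The advisory above says the issue only bites when proxy_pass points at an untrusted upstream, and the QA steps in the same comment only confirm that the package starts and serves its index page. As an added example (not code from this bug report, from Mageia or from the nginx project), here is a small Python check a practitioner could run on a host before and after the update: it parses the nginx version, decides whether it falls in the affected range, and scans a configuration for proxy_pass directives, resolving upstream block names to their server addresses. The affected-range table is taken from the nginx CHANGES and nginx-announce references listed in the advisory (the bug appeared in 1.1.4; fixed in 1.2.9, 1.4.1 and 1.5.0), and should be re-checked against those references before being relied on; the loopback/unix-socket "local" heuristic, the function names and the sample configuration are assumptions constructed for this example.

```python
"""Affected-version and proxy_pass exposure check for CVE-2013-2070.

Added example, not part of the Mageia bug or the nginx project. Range
boundaries are taken from the nginx CHANGES / nginx-announce references
in the advisory (bug appeared in 1.1.4; fixed in 1.2.9, 1.4.1, 1.5.0).
The sample configuration below is constructed for the example.
"""
import re
import shutil
import subprocess

# (first affected, first fixed) per branch, assumption from the nginx references.
AFFECTED_RANGES = [
    ((1, 1, 4), (1, 2, 9)),   # 1.1.4 .. 1.2.8, fixed in 1.2.9
    ((1, 3, 0), (1, 4, 1)),   # 1.3.x .. 1.4.0, fixed in 1.4.1 / 1.5.0
]


def parse_version(text):
    """Extract an (major, minor, patch) tuple from 'nginx/1.2.6' or plain '1.2.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if this nginx version lies in a range affected by CVE-2013-2070."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def strip_comments(conf):
    # nginx comments run from '#' to end of line; there is no quoting to honour here.
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def find_proxy_pass(conf):
    """Return the target of every proxy_pass directive (a URL or an upstream name)."""
    return re.findall(r"\bproxy_pass\s+([^;\s]+)\s*;", strip_comments(conf))


def find_upstreams(conf):
    """Map each 'upstream NAME { server ...; }' block to its server addresses."""
    upstreams = {}
    for name, body in re.findall(r"\bupstream\s+(\S+)\s*\{([^}]*)\}", strip_comments(conf)):
        upstreams[name] = re.findall(r"\bserver\s+([^;\s]+)", body)
    return upstreams


def resolve_targets(conf):
    """Expand proxy_pass targets through upstream blocks to concrete addresses."""
    upstreams = find_upstreams(conf)
    resolved = []
    for target in find_proxy_pass(conf):
        host = re.sub(r"^https?://", "", target).split("/", 1)[0]
        resolved.extend(upstreams.get(host, [target]))
    return resolved


def is_local_target(target):
    # Heuristic (assumption): loopback and unix-socket upstreams stay on the host.
    # Whether any other upstream is "trusted" is a policy decision, so it is reported.
    return (
        target.startswith("unix:")
        or re.match(r"^(https?://)?(127\.[\d.]+|localhost|\[::1\])(:\d+)?(/|$)", target) is not None
    )


def assess(version, conf):
    """Return (version_is_affected, non_local_proxy_pass_targets)."""
    targets = [t for t in resolve_targets(conf) if not is_local_target(t)]
    return is_affected(version), targets


# Constructed sample config for the example (not taken from the bug report).
SAMPLE_CONF = """
upstream app_pool { server 10.0.0.5:8080; server 10.0.0.6:8080; }
server {
    listen 8080;   # QA in the bug moved nginx off port 80 to avoid clashing with apache
    location /api/   { proxy_pass http://app_pool; }
    location /img/   { proxy_pass http://partner-cdn.example:8443/img/; }  # third party
    location /local/ { proxy_pass http://127.0.0.1:9000; }
    # location /old/ { proxy_pass http://old-host; }   commented out, must be ignored
}
"""


def installed_version():
    """Ask the local nginx binary for its version; None if nginx is not installed."""
    if shutil.which("nginx") is None:
        return None
    # 'nginx -v' prints e.g. 'nginx version: nginx/1.2.6' on stderr.
    out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    return parse_version(out.stderr + out.stdout)


if __name__ == "__main__":
    ver = installed_version() or "nginx/1.2.6"   # fall back to the bug's pre-update version
    affected, targets = assess(ver, SAMPLE_CONF)
    print("nginx %s affected by CVE-2013-2070: %s" % (ver, affected))
    for t in targets:
        print("  non-local proxy_pass target:", t)
```

Run as-is it reports the constructed config against the live nginx (or, where none is installed, against 1.2.6, the version the bug started from); point it at the real /etc/nginx/nginx.conf and its included files to get an answer for a host. A host whose version is affected but whose only proxy_pass targets are local still wants the 1.2.9 update; the target list just tells you where an attacker-controlled response could actually come from.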
claire robinson
2013-05-28 12:38:50 CEST
Whiteboard: (none) => feedback has_procedure

It was removed by Guillaume right before Mageia 2, as he thought it still said Mandriva :o(

I don't see a point in issuing an update for Mageia 2 just for this, but if we ever have a security update for Mageia 2 (surprisingly we haven't yet) it'll be included, as it's in SVN now.

Re-added in Mageia 3 and Cauldron.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070).

Nginx has been updated to version 1.2.9 to fix this and several other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070
http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
http://nginx.org/en/CHANGES-1.2
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.2.9-1.1.mga3 from nginx-1.2.9-1.1.mga3.src.rpm
David Walser
2013-05-28 21:06:24 CEST
Whiteboard: feedback has_procedure => has_procedure

Thanks David.

Testing complete mga3 32 & 64

Validating. Advisory & srpm in comment 6.

Could sysadmin please push from 3 core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update has been pushed.

Status: NEW => RESOLVED

*** Bug 10819 has been marked as a duplicate of this bug. ***
Nicolas Vigier
2014-05-08 18:07:21 CEST
CC: boklm => (none)