| Summary: | nginx new security issue CVE-2013-4547 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sam, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/574752/ | ||
| Whiteboard: | MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok | ||
| Source RPM: | nginx-1.4.3-4.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-11-19 23:25:40 CET
David Walser
2013-11-19 23:25:49 CET
Whiteboard:
(none) =>
MGA3TOO, MGA2TOO nginx 1.4.4 is in SVN (updated by Sam) and just needs submitted in Cauldron.
Patched packages uploaded for Mageia 2 and Mageia 3.
Full advisory to come shortly.
For QA: The testing procedure is pretty simple.
Install nginx (from /release), webserver-base, and netcat-traditional.
Then edit /etc/nginx/nginx.conf...
In the http{} section is a server{} section which contains a location / {} section. In that section, change the root line to read:
root /var/www/html;
Then, somewhere else inside of the server{} section, add the following:
location /protected/ {
deny all;
root /var/www/html;
}
Then do:
mkdir /var/www/html/protected
echo "hello" > /var/www/html/protected/file
mkdir "/var/www/html/foo "
Then run "systemctl start nginx.service"
Then do "nc localhost 80" and then type the following:
GET /protected/file HTTP/1.0
(you have to hit Enter twice at the end of that).
It should print out some HTML that contains a "403 Forbidden" message.
Then do "nc localhost 80" and then type the following:
GET /foo /../protected/file HTTP/1.0
(you have to hit Enter twice at the end of that).
It should print out some HTTP headers and then a line that says "hello"
Then install the updates_testing version of nginx (which should automatically restart the service), and then repeat the last "nc" test. It should not give you the "hello," but instead it should also give you the "403 Forbidden."
-----------------------------------
Updated packages in updates_testing:
-----------------------------------
nginx-1.0.15-2.1.mga2
nginx-1.2.9-1.2.mga3
from SRPMS:
nginx-1.0.15-2.1.mga2.src.rpm
nginx-1.2.9-1.2.mga3.src.rpmCC:
(none) =>
sam Freeze push requested for Cauldron. Here's the full advisory for the Mageia 2 and Mageia 3 update. Advisory: ======================== Updated nginx package fixes security vulnerability: Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547 http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html ======================== Updated packages in core/updates_testing: ======================== nginx-1.0.15-2.1.mga2 nginx-1.2.9-1.2.mga3 from SRPMS: nginx-1.0.15-2.1.mga2.src.rpm nginx-1.2.9-1.2.mga3.src.rpm nginx-1.4.4-1.mga4 has been uploaded for Cauldron. My testing shows all updates (mga2, mga3, cauldron) working as expected with that test. Adding whiteboard markers, thanks Sam. Whiteboard:
MGA2TOO =>
MGA2TOO mga2-64-ok mga3-64-ok Testing complete mga2 32 and mga3 32 Interesting testcase David, thanks. Confirmed "It works!" as expected in a browser too. http://localhost Whiteboard:
MGA2TOO mga2-64-ok mga3-64-ok =>
MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok Validating. Advisory uploaded. Could sysadmin please push from 2&3 core/updates_testing to updates Thanks! Keywords:
(none) =>
validated_update
David Walser
2013-11-22 17:12:40 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/574752/ Update pushed: http://advisories.mageia.org/MGASA-2013-0349.html Status:
NEW =>
RESOLVED |