Bug 13044

Summary: nginx new security issue CVE-2014-0133
Product: Mageia Reporter: Sam Bailey <sam>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: luigiwalser, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/591218/
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK advisory
Source RPM: nginx-1.4.7-1.mga4.src.rpm CVE:
Status comment:

Description Sam Bailey 2014-03-19 11:18:31 CET 
Upstream has issued an advisory yesterday (March 18):
http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html

Affects 1.3.15 - 1.5.11 so only Mageia 4 and Cauldron are affected.

The issue is fixed upstream in 1.4.7 and 1.5.12, and there is a patch available as well.

Cauldron has been updated to 1.5.12.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133
http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
http://nginx.org/en/CHANGES-1.4

-----------------------------------
Updated packages in updates_testing:
-----------------------------------
nginx-1.4.7-1.mga5

from SRPMS:
nginx-1.4.7-1.mga4.src.rpm


----------------------
Testing:
Not very easy to test the actual security fix. 

Steps to test upgrading:
1. Install the current nginx-1.4.5.mga4 package.
2. Start nginx
3. Go to http://localhost/ in a browser - should show the "Welcome to nginx 1.4.5 on Mageia!" page
4. Install the updated nginx-1.4.7.mga4 package.
5. Service will be automatically reload.
6. Go the http://localhost/ in a browser - should now show the "Welcome to nginx 1.4.7 on Mageia!" page.
7. Success

Reproducible: 

Steps to Reproduce:
Comment 1 Sam Bailey 2014-03-19 11:21:40 CET 
I've tested this successfully on 64bit that everything still works, however as mentioned above there is no easy way to test the actual fix for the security issue.
Sam Bailey 2014-03-19 11:22:14 CET

Assignee: bugsquad => qa-bugs

Comment 2 Sam Bailey 2014-03-19 11:24:38 CET 
and due to my typo above, the package is actually: nginx-1.4.7-1.mga4 with SRPM nginx-1.4.7-1.mga4.src.rpm
Sam Bailey 2014-03-19 11:30:25 CET

Component: RPM Packages => Security

David Walser 2014-03-19 12:39:19 CET

QA Contact: (none) => security

Comment 3 David Walser 2014-03-19 12:42:11 CET 
Works fine on Mageia 4 i586.  Sam's test should suffice for x86_64.

This can be validated once the advisory is uploaded.

Nice job Sam!

Whiteboard: (none) => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 RĂ©mi Verschelde 2014-03-19 18:52:18 CET 
Advisory uploaded, please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Thomas Backlund 2014-03-19 18:58:51 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0136.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-20 21:17:42 CET

URL: http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html => http://lwn.net/Vulnerabilities/591218/
CC: (none) => luigiwalser