| Summary: | nginx new security issue CVE-2014-3616 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | oe, olchal, rverschelde, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/612808/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK | ||
| Source RPM: | nginx-1.4.7-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-09-16 19:34:46 CEST
David Walser
2014-09-16 19:34:54 CEST
Whiteboard:
(none) =>
MGA3TOO Ubuntu has issued an advisory for this on September 22: http://www.ubuntu.com/usn/usn-2351-1/ URL:
(none) =>
http://lwn.net/Vulnerabilities/612808/ fixed with nginx-1.2.9-1.3.mga3 & nginx-1.4.7-1.1.mga4 CC:
(none) =>
oe Hmm, the patch needs some porting for nginx-1.2.9. I don't know enough about openssl programming to fix this. What I see is ngx_ssl_certificate() is completely different between 1.2.x and 1.4.x. In 1.2.x it uses SSL_CTX_use_certificate_chain_file() to store the (PEM) cert in the ctx structure, and in 1.4.x it uses SSL_CTX_set_ex_data() with the ngx_ssl_certificate_index to store the (x509) cert in the ctx structure. So in 1.4.x, it's able to use SSL_CTX_get_ex_data() with the ngx_ssl_certificate_index to retrieve the cert, but I don't know the analog to retrieve a cert stored with SSL_CTX_use_certificate_chain_file(). Debian has a working patch for nginx 1.2.x. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory: ======================== Updated nginx package fixes security vulnerability: Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position (CVE-2014-3616). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616 https://www.debian.org/security/2014/dsa-3029 ======================== Updated packages in core/updates_testing: ======================== nginx-1.2.9-1.3.mga3 nginx-1.4.7-1.1.mga4 from SRPMS: nginx-1.2.9-1.3.mga3.src.rpm nginx-1.4.7-1.1.mga4.src.rpm Assignee:
sam =>
qa-bugs Simple testing procedure in bug 13044. CC:
(none) =>
remi Testing on Mageia4-64 real H/W Followed procedure mentionned in comment 6 Installed current package : - nginx-1.4.7-1.mga4.x86_64 which brought along : - geoip-database-1.5.1-3.mga4.noarch - lib64geoip1-1.5.1-3.mga4.x86_64 - pcre-8.33-2.mga4.x86_64 Rebooted. http://localhost/ Welcome to nginx 1.4.7 on Mageia! Installed updated package : - nginx-1.4.7-1.1.mga4.x86_64 Rebooted and redid the test. All OK CC:
(none) =>
olchal Testing complete mga3 32 Whiteboard:
MGA3TOO has_procedure MGA4-64-OK =>
MGA3TOO has_procedure mga3-32-ok MGA4-64-OK Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0427.html Status:
NEW =>
RESOLVED |