| Summary: | nginx new security issues CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/673778/ | ||
| Whiteboard: | has_procedure advisory MGA5-64-OK | ||
| Source RPM: | nginx-1.6.2-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-01-27 23:23:00 CET
LWN reference for the other CVEs: http://lwn.net/Vulnerabilities/673952/ Fedora has issued an advisory for this on January 30: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176417.html Debian has 1.6.2 in jessie, so we could wait for them to backport patches. The CVE-2016-0742 and CVE-2016-0747 patches pretty much apply cleanly, but there are a lot of failing hunks in the CVE-2016-0746 patches. Debian has issued an advisory for this on February 11: https://www.debian.org/security/2016/dsa-3473 Patched package uploaded for Mageia 5. Simple testing procedure in bug 13044. Advisory: ======================== Updated nginx package fixes security vulnerabilities: Several vulnerabilities were discovered in the resolver in nginx, leading to denial of service or, potentially, to arbitrary code execution. These only affect nginx if the "resolver" directive is used in a configuration file (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0747 http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html https://www.debian.org/security/2016/dsa-3473 ======================== Updated packages in core/updates_testing: ======================== nginx-1.6.2-5.1.mga5 from nginx-1.6.2-5.1.mga5.src.rpm Assignee:
bugsquad =>
qa-bugs Testing this on 64-bit system. First installed nginx-1.6.2-5.mga5.x86_64 then updated it to nginx-1.6.2-5.1.mga5. Going for the test procedure noted in comment #4. CC:
(none) =>
tarazed25 Had not checked the effect of the pre-update installation. Aimed firefox at http://localhost/ which showed a "Welcome to nginx 1.6.2 on Mageia!" banner. Tried one of the examples from the man page. Copied /etc/nginx/nginx.conf to /root and edited it, commenting out the pid and worker processes lines. Ran this command: [root@belexeuli ~]# nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;" nginx: the configuration file /root/mynginx.conf syntax is ok nginx: configuration file /root/mynginx.conf test is successful [root@belexeuli ~]# ls -l /var/run/mynginx.pid -rw-r--r-- 1 root root 0 Feb 13 22:26 /var/run/mynginx.pid
Len Lawrence
2016-02-13 23:31:40 CET
Whiteboard:
has_procedure =>
has_procedure MGA5-64-OK mga5 i586 in vbox Mate
Installed nginx and tried to start it.
[root@cursa lcl]# systemctl start nginx.service
Job for nginx.service failed. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@cursa lcl]# systemctl status nginx.service
â nginx.service - A high performance web server and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
Active: failed (Result: exit-code) since Sat 2016-02-13 23:06:31 GMT; 18s ago
Process: 22208 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
Process: 22207 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Feb 13 23:06:29 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:29 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:30 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:30 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:31 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:31 cursa systemd[1]: nginx.service: control process exited, co...=1
Feb 13 23:06:31 cursa systemd[1]: Failed to start A high performance web se...r.
Feb 13 23:06:31 cursa systemd[1]: Unit nginx.service entered failed state.
Feb 13 23:06:31 cursa systemd[1]: nginx.service failed.
Feb 13 23:06:31 cursa nginx[22208]: nginx: [emerg] still could not bind()
Hint: Some lines were ellipsized, use -l to show in full.
There was nothing in the journal after 22:56:50.
Went back to the 64bit system to check what web services were running and found httpd was stopped. On the vm httpd was still running. Stopped it and restarted nginx.
[root@cursa nginx]# systemctl status nginx.service
â nginx.service - A high performance web server and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
Active: active (running) since Sat 2016-02-13 23:21:48 GMT; 12s ago
Process: 22797 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Process: 22796 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Main PID: 22800 (nginx)
CGroup: /system.slice/nginx.service
ââ22800 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx....
ââ22801 nginx: worker process
Feb 13 23:21:48 cursa nginx[22796]: nginx: the configuration file /etc/ngin...ok
Feb 13 23:21:48 cursa nginx[22796]: nginx: configuration file /etc/nginx/ng...ul
The http://localhost/ displayed the "It Works!" message, so no change from the the apache server.
Installed the nginx-1.6.2-5.1.mga5.i586 version and restarted nginx. Pointing at http://localhost/ brought up the "It Works!" page in firefox. I guess this means that it is still OK. Normal browser operations have not been affected. Maybe I should try a wget on an http site file. Using KeepVid on a 3 minute Youtube video clip downloaded the file in 18 seconds. youtube-dl succeeded in downloading the same clip. Copied the /etc/nginx.conf file to /root and edited it as before: [root@cursa ~]# nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;" nginx: the configuration file /root/mynginx.conf syntax is ok nginx: configuration file /root/mynginx.conf test is successful How critical is the lack of the new welcome banner? The string does not seem to be included in the binary so maybe in a config file somewhere? You can check what is listening on port 80 (http) with.. # netstat -pantu | grep :80 As long as nginx is running/restarted & responding that is usually enough for a security update. The banner shows "Welcome to nginx 1.6.2 on Mageia". The version hasn't changed so this is accurate after update also. Verified here also. # systemctl status -l nginx â nginx.service - A high performance web server and reverse proxy server Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled) Active: active (running) since Mon 2016-02-15 12:01:15 GMT; 8s ago ..shows when it started - eg. 8s ago Validating. Advisory uploaded. Please push to 5 updates, thanks. Keywords:
(none) =>
validated_update An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0065.html Status:
NEW =>
RESOLVED |