Bug 18595

Summary: nginx new security issue CVE-2016-4450
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/689576/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: nginx-1.6.2-5.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-05-31 20:51:14 CEST 
Upstream has issued an advisory today (May 31):
http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html

Patched package uploaded for Mageia 5.  Freeze push requested for Cauldron.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A problem was identified in nginx code responsible for saving client request
body to a temporary file.  A specially crafted request might result in worker
process crash due to a NULL pointer dereference while writing client request
body to a temporary file (CVE-2016-4450).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450
http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.2.mga5

from nginx-1.6.2-5.2.mga5.src.rpm
Comment 1 Lewis Smith 2016-06-01 11:41:10 CEST 
Before trying this on a real hardware Mageia 5 currently with Apache + all its bells & whistles: would I have to UNinstall Apache first? Not keen on that, thinking of all that it might take with it.

CC: (none) => lewyssmith

Comment 2 David Walser 2016-06-01 11:52:49 CEST 
You don't have to uninstall Apache, just stop the service.
Comment 3 Herman Viaene 2016-06-01 15:20:52 CEST 
MGA5-32 on Acer D620 Xfce
No installation issues
Followed procedure as per bug 13044:
# systemctl stop httpd
# nginx 
then point browser at http://localhost/ 
and get in  the page: "Welcome to nginx 1.6.2 on Mageia!"

CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 4 Lewis Smith 2016-06-02 09:52:29 CEST 
Testing M5 x64 real h/w

BEFORE update.
Stopped httpd (Apache):
 # systemctl stop httpd
Installed nginx-1.6.2-5.1.mga5.x86_64.rpm from normal repos.
Started it:
 # nginx
From a browser,
 http://localhost/ showed the "Welcome to nginx 1.6.2 on Mageia!" page.
Note that no installed web applications (localhost/whatever) were accessible.

AFTER a trouble-free update.
 nginx-1.6.2-5.2.mga5
As a precaution to make sure the updated nginx was in use, I used MCC System/Control services to stop nginx (and stop it being re-started in booting). Clicking its 'start' button seemed to do nothing, so from console:
 # nginx
 nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
suggests it was already re-started.
From a browser,
 http://localhost/ showed the "Welcome to nginx 1.6.2 on Mageia!" page.
So this update is OK; validating it at the same time.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 5 David Walser 2016-06-02 18:15:14 CEST 
Debian has issued an advisory for this on June 1:
https://www.debian.org/security/2016/dsa-3592
David Walser 2016-06-02 21:31:32 CEST

URL: (none) => http://lwn.net/Vulnerabilities/689576/

claire robinson 2016-06-02 22:53:58 CEST

Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK

Comment 6 Mageia Robot 2016-06-02 23:41:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0216.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED