Upstream has issued an advisory today (May 13): http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html Mageia 2 is not affected. The issue is fixed upstream in 1.2.9, which I have pushed to updates_testing, but it will have to be re-pushed once Mageia 3 is out. The other changes in 1.2.9 are mostly bugfixes: http://nginx.org/en/CHANGES-1.2 Reproducible: Steps to Reproduce:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708164#10
CC: (none) => oe
Fedora has issued an advisory for this on May 15: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html Updated packages uploaded for Mageia 3 and Cauldron. Hopefully there's enough information on the CVE available to test that it's fixed, given what Oden linked in Comment 1. Fedora, however, didn't make any special changes other than updating to 1.2.9. Advisory: ======================== Updated nginx package fixes security vulnerability: A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070). Nginx has been updated to version 1.2.9 to fix this and several other issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070 http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html http://nginx.org/en/CHANGES-1.2 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html ======================== Updated packages in core/updates_testing: ======================== nginx-1.2.6-3.mga3 from nginx-1.2.6-3.mga3.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/551693/Version: Cauldron => 3Assignee: bugsquad => qa-bugs
Severity: normal => major
Hold on, Mageia 3 SVN was branched incorrectly. I need to re-upload the actually fixed package.
Updated package *really* uploaded for Mageia 3 this time. Advisory: ======================== Updated nginx package fixes security vulnerability: A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070). Nginx has been updated to version 1.2.9 to fix this and several other issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070 http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html http://nginx.org/en/CHANGES-1.2 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html ======================== Updated packages in core/updates_testing: ======================== nginx-1.2.9-1.mga3 from nginx-1.2.9-1.mga3.src.rpm
Altered /etc/nginx/nginx.conf to listen on port 8080 so it wouldn't interfere with apache, started the nginx service then connected on http://localhost:8080 to view the index page located at /usr/share/nginx/html poweredby.png seems to be missing. IIRC this was altered to a Mageia logo in a previous update when it was found to have an MDV logo. Currently displays alt text so should probably either be removed completely or added back again.
Whiteboard: (none) => feedback has_procedure
It was removed by Guillaume right before Mageia 2, as he thought it still said Mandriva :o( I don't see a point in issuing an update for Mageia 2 just for this, but if we ever have a security update for Mageia 2 (surprisingly we haven't yet) it'll be included, as it's in SVN now. Re-added in Mageia 3 and Cauldron. Advisory: ======================== Updated nginx package fixes security vulnerability: A security problem related to CVE-2013-2028 was identified, affecting some previous nginx versions if proxy_pass to untrusted upstream HTTP servers is used. The problem may lead to a denial of service or a disclosure of a worker process memory on a specially crafted response from an upstream proxied server (CVE-2013-2070). Nginx has been updated to version 1.2.9 to fix this and several other issues. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2070 http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html http://nginx.org/en/CHANGES-1.2 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105950.html ======================== Updated packages in core/updates_testing: ======================== nginx-1.2.9-1.1.mga3 from nginx-1.2.9-1.1.mga3.src.rpm
Whiteboard: feedback has_procedure => has_procedure
Thanks David. Testing complete mga3 32 & 64 Validating Advisory & srpm in comment 6 Could sysadmin please push from 3 core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateWhiteboard: has_procedure => has_procedure mga3-32-ok mga3-64-okCC: (none) => sysadmin-bugs
Update has been pushed.
Status: NEW => RESOLVEDCC: (none) => boklmResolution: (none) => FIXED
*** Bug 10819 has been marked as a duplicate of this bug. ***
CC: boklm => (none)