Upstream has issued an advisory today (November 19):
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html

Mageia 2 and Mageia 3 are also affected.

The issue is fixed upstream in 1.4.4, and there is a patch available as well.
Whiteboard: (none) => MGA3TOO, MGA2TOO
nginx 1.4.4 is in SVN (updated by Sam) and just needs submitted in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3. Full advisory to come shortly.

For QA: The testing procedure is pretty simple.

Install nginx (from /release), webserver-base, and netcat-traditional.

Then edit /etc/nginx/nginx.conf...

In the http{} section is a server{} section which contains a location / {} section. In that section, change the root line to read:

root /var/www/html;

Then, somewhere else inside of the server{} section, add the following:

location /protected/ {
    deny all;
    root /var/www/html;
}

Then do:

mkdir /var/www/html/protected
echo "hello" > /var/www/html/protected/file
mkdir "/var/www/html/foo "

Then run "systemctl start nginx.service"

Then do "nc localhost 80" and then type the following:

GET /protected/file HTTP/1.0

(you have to hit Enter twice at the end of that).

It should print out some HTML that contains a "403 Forbidden" message.

Then do "nc localhost 80" and then type the following:

GET /foo /../protected/file HTTP/1.0

(you have to hit Enter twice at the end of that).

It should print out some HTTP headers and then a line that says "hello"

Then install the updates_testing version of nginx (which should automatically restart the service), and then repeat the last "nc" test. It should not give you the "hello," but instead it should also give you the "403 Forbidden."

-----------------------------------
Updated packages in updates_testing:
-----------------------------------
nginx-1.0.15-2.1.mga2
nginx-1.2.9-1.2.mga3

from SRPMS:
nginx-1.0.15-2.1.mga2.src.rpm
nginx-1.2.9-1.2.mga3.src.rpm

CC: (none) => sam
Version: Cauldron => 3
Assignee: sam => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
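The two "nc" checks from the QA procedure above, scripted as an added example that is not part of the original bug report. It writes the request bytes to a raw socket because an HTTP client library would encode or reject the space in the second request line; the function names are hypothetical, and the host and port are the localhost:80 setup from the procedure.

```python
import socket
import sys

# Request targets taken verbatim from the test procedure; the second one
# contains a literal, unencoded space after "foo".
DIRECT = "/protected/file"
CRAFTED = "/foo /../protected/file"


def build_request(target):
    # Raw bytes on purpose: the request line must reach nginx unmodified.
    return ("GET %s HTTP/1.0\r\n\r\n" % target).encode("ascii")


def send_raw(host, port, payload, timeout=5.0):
    """Send payload as-is and return everything the server sends before closing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        return b"".join(iter(lambda: sock.recv(4096), b""))


def status_code(response):
    """Return the numeric status from the status line, or None if there is none."""
    first = response.split(b"\r\n", 1)[0].split()
    if len(first) >= 2 and first[0].startswith(b"HTTP/") and first[1].isdigit():
        return int(first[1])
    return None


def verdict(direct, crafted):
    """Classify the pair of status codes the procedure looks for."""
    if direct != 403:
        return "setup-error"   # the deny rule on /protected/ is not in effect
    if crafted == 200:
        return "vulnerable"    # the restricted file was served
    if crafted == 403:
        return "patched"
    return "inconclusive"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    codes = [status_code(send_raw(host, 80, build_request(t))) for t in (DIRECT, CRAFTED)]
    print(codes, verdict(*codes))
```

Run it once against the /release package and again after installing the updates_testing package; the result should change from "vulnerable" to "patched".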
Freeze push requested for Cauldron.

Here's the full advisory for the Mageia 2 and Mageia 3 update.

Advisory:
========================

Updated nginx package fixes security vulnerability:

Ivan Fratric of the Google Security Team discovered a bug in nginx, which might allow an attacker to bypass security restrictions in certain configurations by using a specially crafted request, or might have potential other impact (CVE-2013-4547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.0.15-2.1.mga2
nginx-1.2.9-1.2.mga3

from SRPMS:
nginx-1.0.15-2.1.mga2.src.rpm
nginx-1.2.9-1.2.mga3.src.rpm
nginx-1.4.4-1.mga4 has been uploaded for Cauldron.
My testing shows all updates (mga2, mga3, cauldron) working as expected with that test.
Adding whiteboard markers, thanks Sam.
Whiteboard: MGA2TOO => MGA2TOO mga2-64-ok mga3-64-ok
Testing complete mga2 32 and mga3 32

Interesting testcase David, thanks.

Confirmed "It works!" as expected in a browser too. http://localhost
Whiteboard: MGA2TOO mga2-64-ok mga3-64-ok => MGA2TOO has_procedure mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/574752/
Update pushed: http://advisories.mageia.org/MGASA-2013-0349.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED