Bug 11710 - nginx new security issue CVE-2013-4547
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/574752/
Whiteboard: MGA2TOO has_procedure mga2-32-ok mga2...
Keywords: validated_update
Reported: 2013-11-19 23:25 CET by David Walser
Modified: 2013-11-22 20:27 CET
Source RPM: nginx-1.4.3-4.mga4.src.rpm

Description David Walser 2013-11-19 23:25:40 CET
Upstream has issued an advisory today (November 19):
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html

Mageia 2 and Mageia 3 are also affected.

The issue is fixed upstream in 1.4.4, and there is a patch available as well.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-11-20 18:46:44 CET
nginx 1.4.4 is in SVN (updated by Sam) and just needs submitted in Cauldron.

Patched packages uploaded for Mageia 2 and Mageia 3.

Full advisory to come shortly.

For QA: The testing procedure is pretty simple.

Install nginx (from /release), webserver-base, and netcat-traditional.

Then edit /etc/nginx/nginx.conf...

In the http{} section is a server{} section which contains a location / {} section.  In that section, change the root line to read:
            root /var/www/html;

Then, somewhere else inside of the server{} section, add the following:
        location /protected/ {
            deny all;
            root /var/www/html;
        }

Then do:
mkdir /var/www/html/protected
echo "hello" > /var/www/html/protected/file
mkdir "/var/www/html/foo "

Then run "systemctl start nginx.service"

Then do "nc localhost 80" and then type the following:
GET /protected/file HTTP/1.0

(you have to hit Enter twice at the end of that).

It should print out some HTML that contains a "403 Forbidden" message.

Then do "nc localhost 80" and then type the following:
GET /foo /../protected/file HTTP/1.0

(you have to hit Enter twice at the end of that).

It should print out some HTTP headers and then a line that says "hello"

Then install the updates_testing version of nginx (which should automatically restart the service), and then repeat the last "nc" test.  It should not give you the "hello," but instead it should also give you the "403 Forbidden."

-----------------------------------
Updated packages in updates_testing:
-----------------------------------
nginx-1.0.15-2.1.mga2
nginx-1.2.9-1.2.mga3

from SRPMS:
nginx-1.0.15-2.1.mga2.src.rpm
nginx-1.2.9-1.2.mga3.src.rpm
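
Added example (not part of the comment above, and not Mageia or nginx project code): a Python scan of an nginx access log for the request shape used in the test procedure, a raw space inside the request target, reporting whether each such request was answered with content or refused. It assumes nginx's default "combined" log format; the sample log lines and the function name are constructed for illustration.

```python
import re

# nginx "combined" format: addr - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Anchor the HTTP version at the end of the request line so that any
# whitespace inside the target stays part of the target.
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>.*) (?P<proto>HTTP/\d\.\d)$')

# Constructed sample lines mirroring the QA test: a direct request (403),
# the crafted request before the update (200), the same request after the
# update (403), and a properly escaped space that must not be flagged.
SAMPLE_LOG = [
    '127.0.0.1 - - [21/Nov/2013:11:10:01 +0100] "GET /protected/file HTTP/1.0" 403 168 "-" "-"',
    '127.0.0.1 - - [21/Nov/2013:11:10:09 +0100] "GET /foo /../protected/file HTTP/1.0" 200 6 "-" "-"',
    '127.0.0.1 - - [21/Nov/2013:11:12:30 +0100] "GET /foo /../protected/file HTTP/1.0" 403 168 "-" "-"',
    '127.0.0.1 - - [21/Nov/2013:11:13:02 +0100] "GET /foo%20/index.html HTTP/1.1" 404 168 "-" "curl/7.33.0"',
]


def requests_with_raw_space(lines):
    """Return (addr, time, status, target, served) for each logged request
    whose target contains an unescaped space. served is True for a 2xx
    status, meaning content was returned rather than refused."""
    hits = []
    for line in lines:
        entry = LINE_RE.match(line)
        if not entry:
            continue  # not a combined-format line
        request = REQUEST_RE.match(entry.group("request"))
        if not request:
            continue  # malformed or HTTP/0.9 request line
        target = request.group("target")
        if " " in target:
            status = int(entry.group("status"))
            hits.append((entry.group("addr"), entry.group("time"),
                         status, target, 200 <= status < 300))
    return hits


if __name__ == "__main__":
    for addr, when, status, target, served in requests_with_raw_space(SAMPLE_LOG):
        verdict = "SERVED" if served else "refused"
        print(f"{when} {addr} {status} {verdict}: {target!r}")
```

A hit marked SERVED on a path under a `deny all` location is the case worth following up on a host that ran an unpatched package.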
Comment 2 David Walser 2013-11-20 19:02:46 CET
Freeze push requested for Cauldron.

Here's the full advisory for the Mageia 2 and Mageia 3 update.

Advisory:
========================

Updated nginx package fixes security vulnerability:

Ivan Fratric of the Google Security Team discovered a bug in nginx,
which might allow an attacker to bypass security restrictions in certain
configurations by using a specially crafted request, or might have
potential other impact (CVE-2013-4547).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4547
http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.0.15-2.1.mga2
nginx-1.2.9-1.2.mga3

from SRPMS:
nginx-1.0.15-2.1.mga2.src.rpm
nginx-1.2.9-1.2.mga3.src.rpm
Comment 3 David Walser 2013-11-21 00:22:42 CET
nginx-1.4.4-1.mga4 has been uploaded for Cauldron.
Comment 4 Sam Bailey 2013-11-21 11:18:49 CET
My testing shows all updates (mga2, mga3, cauldron) working as expected with that test.
Comment 5 claire robinson 2013-11-21 11:42:18 CET
Adding whiteboard markers, thanks Sam.
Comment 6 claire robinson 2013-11-21 12:18:02 CET
Testing complete mga2 32 and mga3 32

Interesting testcase David, thanks.

Confirmed "It works!" as expected in a browser too. http://localhost
Comment 7 claire robinson 2013-11-21 12:30:37 CET
Validating. Advisory uploaded.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 8 Thomas Backlund 2013-11-22 20:27:24 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0349.html
