Bug 13044 - nginx new security issue CVE-2014-0133
Summary: nginx new security issue CVE-2014-0133
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/591218/
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-03-19 11:18 CET by Sam Bailey
Modified: 2014-03-20 21:17 CET

Source RPM: nginx-1.4.7-1.mga4.src.rpm
Description Sam Bailey 2014-03-19 11:18:31 CET
Upstream issued an advisory yesterday (March 18):
http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html

Affects 1.3.15 - 1.5.11 so only Mageia 4 and Cauldron are affected.

The issue is fixed upstream in 1.4.7 and 1.5.12, and there is a patch available as well.

Cauldron has been updated to 1.5.12.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A bug in the experimental SPDY implementation in nginx was found, which
might allow an attacker to cause a heap memory buffer overflow in a
worker process by using a specially crafted request, potentially
resulting in arbitrary code execution (CVE-2014-0133).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0133
http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
http://nginx.org/en/CHANGES-1.4

-----------------------------------
Updated packages in updates_testing:
-----------------------------------
nginx-1.4.7-1.mga5

from SRPMS:
nginx-1.4.7-1.mga4.src.rpm


----------------------
Testing:
Not very easy to test the actual security fix. 

Steps to test upgrading:
1. Install the current nginx-1.4.5.mga4 package.
2. Start nginx
3. Go to http://localhost/ in a browser - should show the "Welcome to nginx 1.4.5 on Mageia!" page
4. Install the updated nginx-1.4.7.mga4 package.
5. Service will be automatically reloaded.
6. Go to http://localhost/ in a browser - should now show the "Welcome to nginx 1.4.7 on Mageia!" page.
7. Success
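
Since the fix itself is hard to exercise, a QA pass can at least confirm that the running build has left the affected range quoted above (1.3.15 - 1.5.11, fixed in 1.4.7 and 1.5.12). The script below is an added example, not part of the original report or of the Mageia or nginx projects; the function names and sample `nginx -V` text are constructed, and treating nginx's `--with-http_spdy_module` build flag as the indicator that the SPDY code is present is an assumption.

```shell
#!/bin/sh
# Added example: classify an nginx build against the range given on this page.
# Affected: 1.3.15 - 1.5.11; fixed in 1.4.7 (1.4 branch) and 1.5.12 (1.5 branch).

# ver_num: turn "1.4.7" into a comparable integer (1004007).
ver_num() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# cve_2014_0133_status VERSION: prints "affected" or "not-affected".
cve_2014_0133_status() {
    v=$(ver_num "$1")
    if [ "$v" -lt "$(ver_num 1.3.15)" ] || [ "$v" -ge "$(ver_num 1.5.12)" ]; then
        echo "not-affected"
    elif [ "$v" -ge "$(ver_num 1.4.7)" ] && [ "$v" -lt "$(ver_num 1.5.0)" ]; then
        echo "not-affected"      # patched releases on the 1.4 branch
    else
        echo "affected"
    fi
}

# spdy_built BUILD_INFO: "yes" if the configure arguments include the SPDY
# module (assumption: that flag is how the SPDY code gets compiled in).
spdy_built() {
    case "$1" in
        *--with-http_spdy_module*) echo "yes" ;;
        *) echo "no" ;;
    esac
}

# check_nginx BUILD_INFO: BUILD_INFO is the text printed by `nginx -V`.
check_nginx() {
    version=$(printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    [ -n "$version" ] || { echo "unknown"; return 1; }
    echo "$version $(cve_2014_0133_status "$version") spdy=$(spdy_built "$1")"
}

# Constructed samples of `nginx -V` output (not captured from a real host).
SAMPLE_OLD='nginx version: nginx/1.4.5
configure arguments: --with-http_ssl_module --with-http_spdy_module'
SAMPLE_NEW='nginx version: nginx/1.4.7
configure arguments: --with-http_ssl_module --with-http_spdy_module'

check_nginx "$SAMPLE_OLD"
check_nginx "$SAMPLE_NEW"
# On a live system: check_nginx "$(nginx -V 2>&1)"
```

Running it before step 4 and again after step 6 of the procedure records the transition from an affected to a fixed build alongside the welcome-page check.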

Comment 1 Sam Bailey 2014-03-19 11:21:40 CET
I've tested this successfully on 64bit that everything still works, however as mentioned above there is no easy way to test the actual fix for the security issue.
Sam Bailey 2014-03-19 11:22:14 CET

Assignee: bugsquad => qa-bugs

Comment 2 Sam Bailey 2014-03-19 11:24:38 CET
and due to my typo above, the package is actually: nginx-1.4.7-1.mga4 with SRPM nginx-1.4.7-1.mga4.src.rpm
Sam Bailey 2014-03-19 11:30:25 CET

Component: RPM Packages => Security

David Walser 2014-03-19 12:39:19 CET

QA Contact: (none) => security

Comment 3 David Walser 2014-03-19 12:42:11 CET
Works fine on Mageia 4 i586.  Sam's test should suffice for x86_64.

This can be validated once the advisory is uploaded.

Nice job Sam!

Whiteboard: (none) => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 Rémi Verschelde 2014-03-19 18:52:18 CET
Advisory uploaded, please push to 4 core/updates.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 5 Thomas Backlund 2014-03-19 18:58:51 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0136.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-03-20 21:17:42 CET

URL: http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html => http://lwn.net/Vulnerabilities/591218/
CC: (none) => luigiwalser

