A security issue fixed upstream in nginx has been announced today (September 16):
http://nginx.org/en/security_advisories.html
The issue is fixed upstream in 1.6.2, for which I made a freeze push request for Cauldron. Upstream hasn't yet released a patch or update for nginx 1.2.x (Mageia 3) and 1.4.x (Mageia 4), which are also vulnerable.
Whiteboard: (none) => MGA3TOO
Ubuntu has issued an advisory for this on September 22: http://www.ubuntu.com/usn/usn-2351-1/
URL: (none) => http://lwn.net/Vulnerabilities/612808/
fixed with nginx-1.2.9-1.3.mga3 & nginx-1.4.7-1.1.mga4
CC: (none) => oe
Hmm, the patch needs some porting for nginx-1.2.9.
I don't know enough about openssl programming to fix this. What I see is ngx_ssl_certificate() is completely different between 1.2.x and 1.4.x. In 1.2.x it uses SSL_CTX_use_certificate_chain_file() to store the (PEM) cert in the ctx structure, and in 1.4.x it uses SSL_CTX_set_ex_data() with the ngx_ssl_certificate_index to store the (x509) cert in the ctx structure. So in 1.4.x, it's able to use SSL_CTX_get_ex_data() with the ngx_ssl_certificate_index to retrieve the cert, but I don't know the analog to retrieve a cert stored with SSL_CTX_use_certificate_chain_file().
Debian has a working patch for nginx 1.2.x.
Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================
Updated nginx package fixes security vulnerability:

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position (CVE-2014-3616).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3616
https://www.debian.org/security/2014/dsa-3029
========================

Updated packages in core/updates_testing:
========================
nginx-1.2.9-1.3.mga3
nginx-1.4.7-1.1.mga4

from SRPMS:
nginx-1.2.9-1.3.mga3.src.rpm
nginx-1.4.7-1.1.mga4.src.rpm
Assignee: sam => qa-bugs
Severity: normal => major
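The upstream nginx advisory linked at the top of this report describes the affected configurations as those where the same shared ssl_session_cache (or ssl_session_ticket_key) serves multiple server{} blocks. The following is an added example, not part of the bug report or of nginx: a small audit script that lists which virtual hosts end up on the same shared session cache zone, so the hosts to prioritise for the update are visible. It assumes a single config file without include directives or braces inside quoted strings, and the sample config and host names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the bug report): two virtual hosts inherit one
# shared cache from http{}; a third overrides it with its own zone.
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;   # inherited by the server{} blocks
    server { listen 443 ssl; server_name www.example.test; }
    server { listen 443 ssl; server_name admin.example.test; }
    server {
        listen 443 ssl; server_name api.example.test;
        ssl_session_cache shared:API:5m;
    }
}
"""

def shared_cache_users(conf):
    """Map each shared ssl_session_cache zone to the server_names using it."""
    conf = re.sub(r"#[^\n]*", "", conf)                  # drop comments
    root = {"kind": "main", "cache": None, "names": [], "parent": None}
    stack, servers, pending = [root], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", conf):       # delimiters or text runs
        words = pending.split()
        if tok == "{":                                   # open a block
            stack.append({"kind": words[0] if words else "", "cache": None,
                          "names": [], "parent": stack[-1]})
        elif tok == "}" and len(stack) > 1:              # close a block
            block = stack.pop()
            if block["kind"] == "server":
                servers.append(block)
        elif tok == ";" and words:                       # end of a directive
            if words[0] == "ssl_session_cache":
                stack[-1]["cache"] = words[1:]
            elif words[0] == "server_name":
                stack[-1]["names"] += words[1:]
        pending = "" if tok in ("{", "}", ";") else tok
    users = defaultdict(list)
    for srv in servers:
        block = srv                                      # nearest level that sets it
        while block is not None and block["cache"] is None:
            block = block["parent"]
        for param in (block["cache"] if block else []):
            if param.startswith("shared:"):
                users[param.split(":")[1]].append(" ".join(srv["names"]) or "(unnamed)")
    return dict(users)

def zones_to_review(conf):
    """Zones backing more than one server{}: hosts to prioritise for the update."""
    return {z: n for z, n in shared_cache_users(conf).items() if len(n) > 1}

if __name__ == "__main__":
    print(zones_to_review(SAMPLE_CONF))
```

A zone listed by `zones_to_review` is not itself a misconfiguration; it marks hosts that should be running the fixed packages named in the advisory above.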
Simple testing procedure in bug 13044.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing on Mageia4-64 real H/W
Followed procedure mentioned in comment 6
Installed current package:
- nginx-1.4.7-1.mga4.x86_64
which brought along:
- geoip-database-1.5.1-3.mga4.noarch
- lib64geoip1-1.5.1-3.mga4.x86_64
- pcre-8.33-2.mga4.x86_64
Rebooted.
http://localhost/
Welcome to nginx 1.4.7 on Mageia!
Installed updated package:
- nginx-1.4.7-1.1.mga4.x86_64
Rebooted and redid the test.
All OK
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0427.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED