Upstream has issued an advisory on January 26:
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
The issues are fixed in version 1.8.1. The 1.6 stable branch is no longer maintained, so we'll have to either backport the patches or update to 1.8.1 (which requires no SPEC file changes other than the version number). Version 1.8.1 has some feature additions and likely several other bug fixes over 1.6.2.
http://nginx.org/en/CHANGES-1.8
Debian has identified the upstream commits that fixed these issues in these entries:
https://security-tracker.debian.org/tracker/CVE-2016-0742
https://security-tracker.debian.org/tracker/CVE-2016-0746
https://security-tracker.debian.org/tracker/CVE-2016-0747
LWN reference for the other CVEs: http://lwn.net/Vulnerabilities/673952/
Fedora has issued an advisory for this on January 30: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176417.html
Debian has 1.6.2 in jessie, so we could wait for them to backport patches. The CVE-2016-0742 and CVE-2016-0747 patches pretty much apply cleanly, but there are a lot of failing hunks in the CVE-2016-0746 patches.
Debian has issued an advisory for this on February 11:
https://www.debian.org/security/2016/dsa-3473
Patched package uploaded for Mageia 5.
Simple testing procedure in bug 13044.
Advisory:
========================
Updated nginx package fixes security vulnerabilities:
Several vulnerabilities were discovered in the resolver in nginx, leading to denial of service or, potentially, to arbitrary code execution. These only affect nginx if the "resolver" directive is used in a configuration file (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0747
http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
https://www.debian.org/security/2016/dsa-3473
========================
Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.1.mga5
from nginx-1.6.2-5.1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
Testing this on 64-bit system. First installed nginx-1.6.2-5.mga5.x86_64 then updated it to nginx-1.6.2-5.1.mga5. Going for the test procedure noted in comment #4.
CC: (none) => tarazed25
Had not checked the effect of the pre-update installation. Aimed firefox at http://localhost/ which showed a "Welcome to nginx 1.6.2 on Mageia!" banner.
Tried one of the examples from the man page. Copied /etc/nginx/nginx.conf to /root and edited it, commenting out the pid and worker processes lines. Ran this command:
[root@belexeuli ~]# nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;"
nginx: the configuration file /root/mynginx.conf syntax is ok
nginx: configuration file /root/mynginx.conf test is successful
[root@belexeuli ~]# ls -l /var/run/mynginx.pid
-rw-r--r-- 1 root root 0 Feb 13 22:26 /var/run/mynginx.pid
Whiteboard: has_procedure => has_procedure MGA5-64-OK
mga5 i586 in vbox Mate
Installed nginx and tried to start it.
[root@cursa lcl]# systemctl start nginx.service
Job for nginx.service failed. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@cursa lcl]# systemctl status nginx.service
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: failed (Result: exit-code) since Sat 2016-02-13 23:06:31 GMT; 18s ago
  Process: 22208 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=1/FAILURE)
  Process: 22207 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
Feb 13 23:06:29 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:29 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:30 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:30 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:31 cursa nginx[22208]: nginx: [emerg] bind() to 0.0.0.0:80 fai...e)
Feb 13 23:06:31 cursa systemd[1]: nginx.service: control process exited, co...=1
Feb 13 23:06:31 cursa systemd[1]: Failed to start A high performance web se...r.
Feb 13 23:06:31 cursa systemd[1]: Unit nginx.service entered failed state.
Feb 13 23:06:31 cursa systemd[1]: nginx.service failed.
Feb 13 23:06:31 cursa nginx[22208]: nginx: [emerg] still could not bind()
Hint: Some lines were ellipsized, use -l to show in full.
There was nothing in the journal after 22:56:50.
Went back to the 64bit system to check what web services were running and found httpd was stopped. On the vm httpd was still running. Stopped it and restarted nginx.
[root@cursa nginx]# systemctl status nginx.service
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Sat 2016-02-13 23:21:48 GMT; 12s ago
  Process: 22797 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
  Process: 22796 ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf (code=exited, status=0/SUCCESS)
 Main PID: 22800 (nginx)
   CGroup: /system.slice/nginx.service
           ├─22800 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx....
           └─22801 nginx: worker process
Feb 13 23:21:48 cursa nginx[22796]: nginx: the configuration file /etc/ngin...ok
Feb 13 23:21:48 cursa nginx[22796]: nginx: configuration file /etc/nginx/ng...ul
The http://localhost/ displayed the "It Works!" message, so no change from the apache server.
Installed the nginx-1.6.2-5.1.mga5.i586 version and restarted nginx.
Pointing at http://localhost/ brought up the "It Works!" page in firefox. I guess this means that it is still OK.
Normal browser operations have not been affected. Maybe I should try a wget on an http site file.
Using KeepVid on a 3 minute Youtube video clip downloaded the file in 18 seconds. youtube-dl succeeded in downloading the same clip.
Copied the /etc/nginx.conf file to /root and edited it as before:
[root@cursa ~]# nginx -t -c ~/mynginx.conf -g "pid /var/run/mynginx.pid; worker_processes 2;"
nginx: the configuration file /root/mynginx.conf syntax is ok
nginx: configuration file /root/mynginx.conf test is successful
How critical is the lack of the new welcome banner? The string does not seem to be included in the binary so maybe in a config file somewhere?
You can check what is listening on port 80 (http) with..
# netstat -pantu | grep :80
As long as nginx is running/restarted & responding that is usually enough for a security update.
The banner shows "Welcome to nginx 1.6.2 on Mageia". The version hasn't changed so this is accurate after update also.
Verified here also.
# systemctl status -l nginx
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Mon 2016-02-15 12:01:15 GMT; 8s ago
..shows when it started - eg. 8s ago
Validating. Advisory uploaded. Please push to 5 updates, thanks.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0065.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED