Upstream has issued an advisory today (May 31):
http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html

Patched package uploaded for Mageia 5. Freeze push requested for Cauldron.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file (CVE-2016-4450).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450
http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.2.mga5

from nginx-1.6.2-5.2.mga5.src.rpm
Before trying this on a real hardware Mageia 5 currently with Apache + all its bells & whistles: would I have to UNinstall Apache first? Not keen on that, thinking of all that it might take with it.
CC: (none) => lewyssmith
You don't have to uninstall Apache, just stop the service.
MGA5-32 on Acer D620 Xfce

No installation issues

Followed procedure as per bug 13044:
# systemctl stop httpd
# nginx
then point browser at http://localhost/ and get in the page:
"Welcome to nginx 1.6.2 on Mageia!"
CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK
Testing M5 x64 real h/w

BEFORE update.
Stopped httpd (Apache):
# systemctl stop httpd
Installed nginx-1.6.2-5.1.mga5.x86_64.rpm from normal repos. Started it:
# nginx
From a browser, http://localhost/ showed the "Welcome to nginx 1.6.2 on Mageia!" page. Note that no installed web applications (localhost/whatever) were accessible.

AFTER a trouble-free update.
nginx-1.6.2-5.2.mga5
As a precaution to make sure the updated nginx was in use, I used MCC System/Control services to stop nginx (and stop it being re-started in booting). Clicking its 'start' button seemed to do nothing, so from console:
# nginx
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
suggests it was already re-started.
From a browser, http://localhost/ showed the "Welcome to nginx 1.6.2 on Mageia!" page.

So this update is OK; validating it at the same time.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
Debian has issued an advisory for this on June 1: https://www.debian.org/security/2016/dsa-3592
URL: (none) => http://lwn.net/Vulnerabilities/689576/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0216.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED