Bug 21227 - nginx new security issue CVE-2017-7529
Summary: nginx new security issue CVE-2017-7529
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5TOO MGA6-32-OK mga6-64-o...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-12 02:13 CEST by David Walser
Modified: 2023-03-13 03:20 CET
10 users

See Also:
Source RPM: nginx-1.10.3-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-12 02:13:04 CEST
Upstream has issued an advisory today (July 11):
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

The issue is fixed in 1.12.1 and a patch is linked from the message above.

Mageia 5 and 6 are also affected.
David Walser 2017-07-12 02:13:10 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 Marja Van Waes 2017-07-12 23:35:25 CEST
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 David Walser 2017-07-14 13:23:49 CEST
Debian and Ubuntu have issued advisories for this on July 12 and 13:
https://www.debian.org/security/2017/dsa-3908
https://www.ubuntu.com/usn/usn-3352-1/

Comment 3 Mike Rambo 2017-07-26 21:02:21 CEST
TV updated cauldron to 1.12.1 on the 19th so it is already fixed.


Updated packages uploaded for Mageia 5 and 6.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security issue was identified in nginx range filter.  A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

References:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529
========================

Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.3.mga5
nginx-debuginfo-1.6.2-5.3.mga5
from nginx-1.6.2-5.3.mga5.src.rpm

nginx-1.10.3-1.1.mga6
nginx-debuginfo-1.10.3-1.1.mga6
from nginx-1.10.3-1.1.mga6.src.rpm


Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=18595#c4

CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs

Comment 4 Herman Viaene 2017-07-28 13:25:24 CEST
MGA6-32 on Asus A6000VM MATE
No installation issues.
Procedure as stated above works OK.

Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
CC: (none) => herman.viaene

Comment 5 Len Lawrence 2017-07-28 19:03:38 CEST
mga5  x86_64

Stopped Apache.
Installed nginx, started it as a service and checked the Welcome page on localhost.  OK.

Updated nginx from Core Updates Testing but could not see the debuginfo package.
<lightbulb!>
Enabled Core Updates Testing Debug and installed nginx-debuginfo.
Restarted nginx (but it was probably already reloaded at installation time).
The Welcome page announced 1.10.3.

CC: (none) => tarazed25

Len Lawrence 2017-07-28 19:04:47 CEST

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK

Comment 6 Len Lawrence 2017-07-28 19:11:46 CEST
Withdrawing the OK.  Had forgotten that this production machine is running mga6.

Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK

Comment 7 David Walser 2017-07-28 20:16:43 CEST
Len, debuginfo packages don't need to be installed or tested.  Mike, thanks for the update.  Please don't list debuginfo packages when pushing updates to QA.

Comment 8 Len Lawrence 2017-07-28 20:31:07 CEST
Thanks David.

x86_64
Stopped Apache and installed nginx-1.6.2-5.2.mga5 on a genuine mga5 system.
The welcome page states version 1.10.3.

$ sudo systemctl start nginx
$ systemctl status nginx
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Fri 2017-07-28 19:18:18 BST; 4s ago
  Process: 7493 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited,

Refreshed Firefox.
Welcome page announced nginx 1.6.2

Installed the update:
$ rpm -qa | grep nginx
nginx-1.6.2-5.3.mga5
Refreshed the browser and checked localhost -> nginx 1.6.2

Len Lawrence 2017-07-28 20:31:25 CEST

Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK

Comment 9 claire robinson 2017-07-30 14:12:00 CEST
Testing complete mga6 64

Validating.

Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Rémi Verschelde 2017-07-30 14:18:56 CEST

Whiteboard: MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK => advisory MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK

Comment 10 Mageia Robot 2017-07-30 17:59:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0231.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Amira Rimoldi 2020-05-13 10:36:54 CEST

CC: (none) => tedriemeltz21
