Upstream has issued an advisory today (July 11): http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html The issue is fixed in 1.12.1 and a patch is linked from the message above. Mageia 5 and 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Reassigning to all packagers collectively, since there is no longer a registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Debian and Ubuntu have issued advisories for this on July 12 and 13: https://www.debian.org/security/2017/dsa-3908 https://www.ubuntu.com/usn/usn-3352-1/
TV updated cauldron to 1.12.1 on the 19th so it is already fixed.

Updated packages uploaded for Mageia 5 and 6.

Advisory:
========================

Updated nginx package fixes security vulnerability:

A security issue was identified in nginx range filter. A specially crafted
request might result in an integer overflow and incorrect processing of
ranges, potentially resulting in sensitive information leak (CVE-2017-7529).

References:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529
========================

Updated packages in core/updates_testing:
========================
nginx-1.6.2-5.3.mga5
nginx-debuginfo-1.6.2-5.3.mga5

from nginx-1.6.2-5.3.mga5.src.rpm

nginx-1.10.3-1.1.mga6
nginx-debuginfo-1.10.3-1.1.mga6

from nginx-1.10.3-1.1.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=18595#c4
CC: (none) => mrambo
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Assignee: pkg-bugs => qa-bugs
MGA6-32 on Asus A6000VM MATE. No installation issues. Procedure as stated above works OK.
Whiteboard: MGA5TOO => MGA5TOO MGA6-32-OK
CC: (none) => herman.viaene
mga5 x86_64 Stopped Apache. Installed nginx, started it as a service and checked the Welcome page on localhost. OK. Updated nginx from Core Updates Testing but could not see the debuginfo package. <lightbulb!> Enabled Core Updates Testing Debug and installed nginx-debuginfo. Restarted nginx (but it was probably already reloaded at installation time). The Welcome page announced 1.10.3.
CC: (none) => tarazed25
Whiteboard: MGA5TOO MGA6-32-OK => MGA5TOO MGA6-32-OK MGA5-64-OK
Withdrawing the OK. Had forgotten that this production machine is running mga6.
Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK
Len, debuginfo packages don't need to be installed or tested. Mike, thanks for the update. Please don't list debuginfo packages when pushing updates to QA.
Thanks David.

x86_64

Stopped apache and installed nginx-1.6.2-5.2.mga5 on a genuine mga5 system.
The welcome page states version 1.10.3.

$ sudo systemctl start nginx
$ systemctl status nginx
● nginx.service - A high performance web server and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Fri 2017-07-28 19:18:18 BST; 4s ago
  Process: 7493 ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf (code=exited,

Refreshed firefox. Welcome page announced nginx 1.6.2

Installed the update:
$ rpm -qa | grep nginx
nginx-1.6.2-5.3.mga5

Refreshed the browser and checked localhost -> nginx 1.6.2
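The check the testers above perform by hand (confirm the updated package is installed, then confirm the service is running it) can be scripted. The script below is an added example and is not part of the bug report or of Mageia's QA tooling; the fixed package releases it compares against are the ones listed in the update comment, and the field-by-field version comparison (`vercmp`) and the `nginx_is_fixed` helper are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether the installed nginx
# package is at or past the release that fixes CVE-2017-7529 on this Mageia
# version, and whether the service is active.

# Fixed releases, taken from the "Updated packages in core/updates_testing"
# list in the update comment above.
FIXED_MGA5="1.6.2-5.3.mga5"
FIXED_MGA6="1.10.3-1.1.mga6"

# vercmp A B: compare two "version-release" strings field by field, treating
# each dot- or dash-separated field as a number (non-numeric fields such as
# "mga5" count as 0). Prints -1, 0 or 1.
vercmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i; next }
        {
            m = (NF > n) ? NF : n
            for (i = 1; i <= m; i++) {
                x = (i in a) ? a[i] : 0
                y = (i <= NF) ? $i : 0
                x += 0; y += 0
                if (x < y) { print -1; exit }
                if (x > y) { print 1; exit }
            }
            print 0
        }'
}

# nginx_is_fixed NEVR: NEVR is the string `rpm -q nginx` prints, e.g.
# nginx-1.6.2-5.2.mga5. Returns 0 if the package is at the fixed release or
# newer, 1 if it is older, 2 if the distribution release is not one we know.
nginx_is_fixed() {
    vr=${1#nginx-}
    case "$vr" in
        *.mga5) fixed=$FIXED_MGA5 ;;
        *.mga6) fixed=$FIXED_MGA6 ;;
        *)      return 2 ;;
    esac
    [ "$(vercmp "$vr" "$fixed")" -ge 0 ]
}

# Live check, only on a system that actually has rpm and the nginx package.
if command -v rpm >/dev/null 2>&1 && rpm -q nginx >/dev/null 2>&1; then
    pkg=$(rpm -q nginx)
    if nginx_is_fixed "$pkg"; then
        echo "$pkg: fixed release installed"
    else
        echo "$pkg: NOT at the fixed release"
    fi
    # A package upgrade does not prove the running master process was
    # restarted; check the unit state as the testers did with systemctl.
    systemctl is-active nginx 2>/dev/null || echo "nginx service is not active"
fi
```

The comparison deliberately looks at the package release as well as the upstream version, because on Mageia 5 and 6 the fix is a backport: the version stays 1.6.2 or 1.10.3 and only the release number moves, so a check on the `nginx -v` output alone cannot tell a patched package from an unpatched one.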
Testing complete mga6 64 Validating.
Whiteboard: MGA5TOO MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK => advisory MGA5TOO MGA6-32-OK mga6-64-ok MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0231.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED