Bug 5259 - nginx security issue CVE-2011-4315
Summary: nginx security issue CVE-2011-4315
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-04-06 18:29 CEST by David Walser
Modified: 2012-05-01 20:36 CEST (History)
4 users (show)

See Also:
Source RPM: nginx-1.0.0-1.1.mga1.src.rpm
CVE:
Status comment:

Attachments
replacement for mdv poweredby.png (4.72 KB, image/png)
2012-04-25 16:03 CEST, claire robinson 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2012-04-06 18:29:07 CEST 
SuSE has issued this advisory on February 9:
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00009.html

Cauldron is not vulnerable.
David Walser 2012-04-06 18:29:29 CEST

CC: (none) => guillomovitch

Comment 1 David Walser 2012-04-14 03:33:05 CEST 
Patched package uploaded.

Advisory:
========================

Updated nginx package fixes security vulnerability:

Heap-based buffer overflow in compression-pointer processing in
core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to
cause a denial of service (daemon crash) or possibly have unspecified
other impact via a long response (CVE-2011-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4315
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00009.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.0.0-1.2.mga1

from nginx-1.0.0-1.2.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2012-04-21 15:29:26 CEST 
I'm guessing the bugzilla mail to qa-bugs didn't get through for a time, so just pinging QA if you hadn't seen this one yet.  If you already knew about it, sorry for the noise.
Comment 3 Dave Hodgins 2012-04-23 22:55:30 CEST 
Testing complete on i586 for the srpm
nginx-1.0.0-1.2.mga1.src.rpm

Just testing that http://localhost/ shows the nginx page.

You may want to fix ... grep Mandriva /usr/share/nginx/html/*
/usr/share/nginx/html/404.html:                    Mandriva.  It is located
/usr/share/nginx/html/404.html:                    alt="[ Powered by Mandriva ]"
/usr/share/nginx/html/50x.html:                    Mandriva.  It is located
/usr/share/nginx/html/50x.html:                    alt="[ Powered by Mandriva ]"
/usr/share/nginx/html/index.html:        <title>Test Page for the Nginx HTTP Server on Mandriva</title>
/usr/share/nginx/html/index.html:        <h1>Welcome to <strong>nginx 1.0.0</strong> on Mandriva!</h1>
/usr/share/nginx/html/index.html:                    Mandriva.  It is located in
/usr/share/nginx/html/index.html:                    alt="[ Powered by Mandriva ]"

As this is a security update, it's ok if you prefer to leave that fix
for another update.

CC: (none) => davidwhodgins

Comment 4 David Walser 2012-04-23 23:26:24 CEST 
Thanks Dave.  Might as well fix it now.  Fixed package uploaded.

Advisory:
========================

Updated nginx package fixes security vulnerability:

Heap-based buffer overflow in compression-pointer processing in
core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to
cause a denial of service (daemon crash) or possibly have unspecified
other impact via a long response (CVE-2011-4315).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4315
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00009.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.0.0-1.3.mga1

from nginx-1.0.0-1.3.mga2.src.rpm
Comment 5 claire robinson 2012-04-25 15:42:33 CEST 
x86_64

There is still a logo at the bottom of the page 'Powered by Mandriva Linux' which links to mandriva.com

It is /usr/share/nginx/html/poweredby.png

It might be an idea to remove it completely as we don't have a replacement or replace it with a text link to mageia.org instead in /usr/share/nginx/html/index.html

Other than that, it works as expected browsing to http://localhost
Comment 6 claire robinson 2012-04-25 16:03:53 CEST 
Created attachment 2105 [details]
replacement for mdv poweredby.png

It's just a Mageia logo suitably scaled.
Comment 7 David Walser 2012-04-26 00:47:45 CEST 
Thanks Claire.  Fixed package uploaded.

Advisory:
========================

Updated nginx package fixes security vulnerability:

Heap-based buffer overflow in compression-pointer processing in
core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to
cause a denial of service (daemon crash) or possibly have unspecified
other impact via a long response (CVE-2011-4315).

References to Mandriva in the default index and 404 pages have been
corrected to refer to Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4315
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00009.html
========================

Updated packages in core/updates_testing:
========================
nginx-1.0.0-1.4.mga1

from nginx-1.0.0-1.4.mga2.src.rpm
Comment 8 Dave Hodgins 2012-04-26 23:51:26 CEST 
Testing complete on i586 for the srpm
nginx-1.0.0-1.4.mga1.src.rpm

Note mga1, not mga2.
Comment 9 claire robinson 2012-05-01 10:09:43 CEST 
Testing complete x86_64

Please see comment 7 for advisory. SRPM: nginx-1.0.0-1.4.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 10 Thomas Backlund 2012-05-01 20:36:45 CEST 
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.