[Bug 1538165] Re: Security Issues Impacting NGINX: 1.8.x, 1.9.x

Thomas Ward teward at trekweb.org
Tue Jan 26 17:56:46 UTC 2016


** Description changed:

- This is listed as a Private Security bug as it contains some security
- content, but does not contain specifics due to Upstream not releasing
- them, and also at Upstream's request to keep notifications about issues
- not yet known to the public quiet.
+ This is listed as a Public Security bug as the CVEs and fixes have been
+ announced by NGINX Upstream officially.
  
- It was told to me from NGINX Upstream by Andrew Hutchings (the Technical
- Product Manager at NGINX Inc, the company behind the nginx web server)
- that there is an update releasing for NGINX that addresses some security
- issues, with CVE information to be made available once the release is
- made.  The releases containing fixes for these issues are 1.8.1 for the
- Stable branch, and 1.9.10 for the Mainline branch.
+ There are 3 CVEs impacting all versions of NGINX in Ubuntu.  The
+ following is taken from the upstream security announcement on the nginx-
+ announce mailing list:
  
- These issues are NOT yet available for me to review, and therefore
- security content of these issues remains secret to me.
+ - Invalid pointer dereference might occur during DNS server response
+  processing, allowing an attacker who is able to forge UDP
+  packets from the DNS server to cause worker process crash
+  (CVE-2016-0742).
  
- This bug here is made as a tracker for pending state on this, as well as
- to have the information stored for the issues affecting NGINX in Ubuntu.
+ - Use-after-free condition might occur during CNAME response
+  processing. This problem allows an attacker who is able to trigger
+  name resolution to cause worker process crash, or might
+  have potential other impact (CVE-2016-0746).
  
- Without specific details, I can say with some certainty that NGINX 1.9.0
- and later are affected, which means Wily and Xenial are both affected.
- Once more data is available, CVEs will be added here as well as other
- information related to these CVEs, and we can determine what needs to be
- fixed where after that information is available.
+ - CNAME resolution was insufficiently limited, allowing an attacker who
+  is able to trigger arbitrary name resolution to cause excessive resource
+  consumption in worker processes (CVE-2016-0747).
  
- I am assigning myself currently to track this, as the NGINX release is
- expected today (January 26, 2016) at some time according to Andrew, and
- that release will have details available there as well as fixes.
+ The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
+ is used in a configuration file.
+ 
+ The problems are fixed in nginx 1.9.10, 1.8.1.
+ 
+ ------
+ 
+ As stated prior, all versions of Ubuntu have an affected version of
+ nginx.  There are many commits done by upstream to fix these issues.
+ There are at least 17 of which will need to be examined; as I examine
+ the commits in the upstream commit logs, I will provide links to each
+ commit here.
+ 
+ Xenial will very quickly get a fix, after I push an upload containing
+ nginx 1.9.10 to the repositories.
+ 
+ Wily, having nginx 1.9.3, may be more receptive to patching without any
+ type of changing of the patch to match code changes.  This remains to be
+ determined however.
+ 
+ Older versions of Ubuntu, Vivid and earlier, are likely less receptive
+ to the patches, and may need re-engineered to apply to those code bases,
+ given the age of those versions of nginx.

** Information type changed from Private Security to Public Security

** Changed in: nginx (Ubuntu Xenial)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nginx in Ubuntu.
https://bugs.launchpad.net/bugs/1538165

Title:
  Security Issues Impacting NGINX: 1.8.x, 1.9.x

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1538165/+subscriptions
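As an added example (not part of this bug report or of the nginx project), the POSIX shell check below applies the two exposure conditions the upstream announcement gives: an nginx version in the 0.6.18 - 1.9.9 range (fixed in 1.8.1 and 1.9.10) and an active "resolver" directive in the configuration. The sample configuration is constructed; the assumption that later 1.8.x point releases keep the 1.8.1 fix is mine.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether an nginx build is exposed
# to CVE-2016-0742 / CVE-2016-0746 / CVE-2016-0747 using the two conditions the
# upstream announcement gives: version 0.6.18 - 1.9.9 (fixed in 1.8.1 and 1.9.10)
# AND a "resolver" directive in the configuration.

# Compare dotted versions numerically; prints -1, 0 or 1.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) { print "-1"; exit }
      if (p > q) { print "1"; exit }
    }
    print "0"
  }'
}

# True (exit 0) when the version lies in the affected range. Assumption:
# later 1.8.x point releases keep the 1.8.1 fix.
version_affected() {
  v="$1"
  [ "$(vercmp "$v" 0.6.18)" -ge 0 ] || return 1   # older than 0.6.18: not affected
  case "$v" in
    1.8.*) [ "$(vercmp "$v" 1.8.1)" -lt 0 ] ;;    # stable branch fixed in 1.8.1
    *)     [ "$(vercmp "$v" 1.9.10)" -lt 0 ] ;;   # everything else fixed in 1.9.10
  esac
}

# True when the configuration text has an active "resolver" directive
# (comment lines ignored). Pass the concatenated text of nginx.conf and
# every file it includes, otherwise a resolver in sites-enabled is missed.
config_uses_resolver() {
  printf '%s\n' "$1" | grep -Ev '^[[:space:]]*#' |
    grep -Eq '(^|[[:space:];{])resolver[[:space:]]'
}

exposed() { version_affected "$1" && config_uses_resolver "$2"; }

# Constructed sample configuration for a stand-alone run.
SAMPLE_CONF='http {
    # resolver 127.0.0.1;   (commented out: does not count)
    server { resolver 192.0.2.53 valid=30s; location / { proxy_pass http://backend; } }
}'

if exposed 1.9.3 "$SAMPLE_CONF"; then echo "nginx 1.9.3 + resolver: update to 1.8.1/1.9.10"; fi
```

On a live host, feed `exposed` the version string from `nginx -V` (which prints to stderr) and the full configuration text rather than the constructed sample.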