Summary: | <www-servers/nginx-1.10.1: NULL pointer dereference while writing client request body to a temporary file (CVE-2016-4450)
---|---
Product: | Gentoo Security
Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
CC: | bugs, dev-zero, mrueg, proxy-maint, whissi
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
Whiteboard: | B3 [glsa cve]
Package list: |
Runtime testing required: | ---
Description
Agostino Sarubbo
Created attachment 436180
Changes needed for nginx-1.11.1

Some modules should be bumped, too. See my diff against nginx-1.10.0 ebuild.

If the bump won't happen within the next 24 hours please check https://github.com/nbs-system/naxsi if they have released 0.55.

Not sure if want to bring back "mainline" and "stable" slot Manuel removed with https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/nginx?id=18052d2432f8bdfd67092a09b5bb27702ef8763c

CC'ing Manuel who removed the stable/mainline slot in the previous bump.

PR submitted: https://github.com/gentoo/gentoo/pull/1650

(In reply to Thomas Deutschmann from comment #3)
> PR submitted: https://github.com/gentoo/gentoo/pull/1650

@proxied maintainer: Thank you; PR committed and pushed, once you're satisfied with the in-tree result please call for stabilization to further this security bug.

commit c0f1582077ff5ae4346bbaaaa9ac540c08b48949
Author: Thomas Deutschmann <whissi@whissi.de>
Date: Sat Jun 11 17:16:14 2016 +0200

    www-servers/nginx: Security cleanup

    Gentoo-Bug: 584744
    Package-Manager: portage-2.3.0_rc1

commit ae9482758bf9b7ecbd965a324f13e7f3bd0c17d1
Author: Thomas Deutschmann <whissi@whissi.de>
Date: Sat Jun 11 17:14:07 2016 +0200

    www-servers/nginx: Version bump

    Gentoo-Bug: 584212
    Gentoo-Bug: 584744
    Package-Manager: portage-2.3.0_rc1

@ Arches, please stabilize
=www-servers/nginx-1.10.1
Stable targets: amd64, x86

amd64 stable

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

PR for security cleanup submitted: https://github.com/gentoo/gentoo/pull/1669

Cleanup done:

commit fa58d5378eee1fc28ceff889a80e26beffa23d38
Author: Thomas Deutschmann <whissi@whissi.de>
Date: Mon Jun 13 20:30:54 2016 +0200

    www-servers/nginx: Security cleanup

    Dropping nginx-1.8.1 which is vulnerable to CVE-2016-4450 and was replaced by nginx-1.10.1 via commit 9d8b4adb72f5912b8c121bdda6ffee72e08926d7.

    Gentoo-Bug: 584744
    Package-Manager: portage-2.3.0_rc1

CVE-2016-4450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4450):
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

GLSA Vote: Yes.

New request filed.

This issue was resolved and addressed in GLSA 201606-06 at https://security.gentoo.org/glsa/201606-06 by GLSA coordinator Kristian Fiskerstrand (K_F).