Invalid pointer dereference in resolver
Severity: medium
CVE-2016-0742
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9

Use-after-free during CNAME response processing in resolver
Severity: medium
CVE-2016-0746
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9

Insufficient limits of CNAME resolution in resolver
Severity: medium
CVE-2016-0747
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9
Ebuild was bumped a few hours ago: https://github.com/gentoo/gentoo/compare/master...jbergstroem:verbump/www-servers/nginx
Sorry, to clarify -- the _work in progress_ ebuild to the nginx 1.9.x series was bumped to reflect the version bump. No changes in tree.
What about 1.8.1 and its stabilization? Seems to be no other work than renaming ebuild.
Regarding 1.8.x: I haven't looked at it in a while; would like to revisit before renaming but it would probably suffice to just bump it.
security@ should be involved.
I've tried renaming nginx-1.8.0.ebuild -> nginx-1.8.1.ebuild.
With flags
USE="aio http http-cache ipv6 pcre ssl vim-syntax -debug -libatomic -luajit -pcre-jit -rtmp (-selinux)"
NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fancyindex fastcgi geo gzip limit_conn limit_req map naxsi proxy realip referer rewrite spdy split_clients stub_status upload_progress userid
emerged and running ok.
I just built all modules successfully. I'm happy to sign off on a version bump for 1.8.0 (and 1.9.x if that means we'll be quicker with the actual bump and merge all my changes at a later stage).
(In reply to Johan Bergström from comment #7)
> I just built all modules successfully. I'm happy to sign off on a version
> bump for 1.8.0 (and 1.9.x if that means we'll be quicker with the actual
> bump and merge all my changes at a later stage).

Since it's a security bump, that would probably make sense.
Bumped to 1.8.1

@amd64, x86: Please stabilize nginx-1.8.1
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Vulnerable versions have been removed.
CVE-2016-0747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0747): The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.

CVE-2016-0746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0746): Use-after-free vulnerability in the resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.

CVE-2016-0742 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0742): The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201606-06 at https://security.gentoo.org/glsa/201606-06 by GLSA coordinator Kristian Fiskerstrand (K_F).
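
The version ranges listed in this bug, written as a branch-aware check for auditing an inventory of `nginx -v` output. This is an added example, not part of the bug thread or of any Gentoo or nginx code; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify nginx versions against the ranges quoted in this bug
# (vulnerable 0.6.18-1.9.9; fixed in 1.8.1+ on the 1.8 branch and in 1.9.10+).

# ver_num: "1.9.10" -> 1009010, so versions compare as plain integers.
ver_num() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# parse_nginx_v: extract the version from one line of `nginx -v` output.
parse_nginx_v() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# nginx_resolver_status: prints vulnerable, fixed, not-listed or unknown.
nginx_resolver_status() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || { echo unknown; return 0; }
    n=$(ver_num "$1")
    if [ "$n" -lt "$(ver_num 0.6.18)" ]; then
        echo not-listed          # older than the range given in the bug
    elif [ "$n" -ge "$(ver_num 1.9.10)" ]; then
        echo fixed               # 1.9.10 and everything after it
    elif [ "$n" -ge "$(ver_num 1.8.1)" ] && [ "$n" -lt "$(ver_num 1.9.0)" ]; then
        echo fixed               # patched 1.8.x stable branch
    else
        echo vulnerable          # includes 1.8.0 and 1.9.0-1.9.9
    fi
}

# Constructed sample inventory: one `nginx -v` line per host.
samples='nginx version: nginx/1.8.0
nginx version: nginx/1.8.1
nginx version: nginx/1.9.9
nginx version: nginx/1.9.10
nginx version: nginx/1.10.0'

printf '%s\n' "$samples" | while IFS= read -r line; do
    v=$(parse_nginx_v "$line")
    printf '%-8s %s\n' "$v" "$(nginx_resolver_status "$v")"
done
```

A plain "at least 1.8.1" comparison would wrongly pass 1.9.0 through 1.9.9, which is why the 1.8 branch is tested separately. The version string reflects upstream releases only, so a package that backports fixes under an old number needs its changelog checked as well.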