From ${URL} : Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on. The upstream changelog describes the issue as: "" it was possible to reuse SSL sessions in unrelated contexts if a shared SSL session cache or the same TLS session ticket key was used for multiple "server" blocks "" Full details and some mitigation strategies are available in their paper: http://bh.ht.vc/vhost_confusion.pdf It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases: http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html Upstream patch: http://trac.nginx.org/nginx/changeset/5841/nginx External References: http://bh.ht.vc/vhost_confusion.pdf @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Thanks for the bug report. We'll update nginx shortly.
*** Bug 523146 has been marked as a duplicate of this bug. ***
Any news on this bug? I've just checked, it emerges successfully with renamed ebuild.
1.7.6 is out Changes with nginx 1.7.6 30 Sep 2014 *) Change: the deprecated "limit_zone" directive is not supported anymore. *) Feature: the "limit_conn_zone" and "limit_req_zone" directives now can be used with combinations of multiple variables. *) Bugfix: request body might be transmitted incorrectly when retrying a FastCGI request to the next upstream server. *) Bugfix: in logging to syslog.
1.7.5 is in the nginx-overlay (https://github.com/gentoo/nginx-overlay/tree/nginx-1.7.5). I will bump to 1.7.6. Since I'm not a gentoo dev just yet, the co-maintainers needs to help out. I've been talking to them and they will assist shortly.
Just bumped to 1.7.6 in our overlay. Please test: https://github.com/gentoo/nginx-overlay/pull/12
*** Bug 524254 has been marked as a duplicate of this bug. ***
Created attachment 385948 [details, diff] D, ED, EROOT and NGINX_HOME_TMP usage corrected (In reply to Johan Bergström from comment #6) > Just bumped to 1.7.6 in our overlay. Please test: > https://github.com/gentoo/nginx-overlay/pull/12 Looks good. Passed my test suite ;) Two things I noticed: 1) Wrong usage of D, ED, EROOT... some variables ends with a slash, some don't. See my attached diff. Nothing important but... ;) Related to bug #465772. 2) When I set the "luajit" USE flag but don't have dev-lang/luajit installed, that's not a fatal error. Well, I only saw this, because I was testing using the "ebuild" command which don't pull in dependencies... but I was wondering that nginx only said >>> Configuring source in /var/tmp/portage/www-servers/nginx-1.7.6/work/nginx-1.7.6 ... Package luajit was not found in the pkg-config search path. Perhaps you should add the directory containing `luajit.pc' to the PKG_CONFIG_PATH environment variable No package 'luajit' found Package luajit was not found in the pkg-config search path. Perhaps you should add the directory containing `luajit.pc' to the PKG_CONFIG_PATH environment variable No package 'luajit' found [...] adding module in /var/tmp/portage/www-servers/nginx-1.7.6/work/lua-nginx-module-0.9.12 checking for Lua library ... found checking for export symbols by default (-E) ... found checking for export symbols by default (--export-all-symbols) ... not found checking for SO_PASSCRED ... found + ngx_http_lua_module was configured [...] but build succeeded.
@Thomas: Thanks for your review. I'll look at your suggestions and incorporate them in the overlay. As for further review, either contact me directly (jbergstroem@fnode) file a pull request at github or open a new bug in the bugzilla; I don't want to clutter security people's inboxes for ebuild refinements. The changes you suggest doesn't warrant holding the security bump back (imo). Thanks again.
sorry for the delay, 1.7.6 is now in the tree, although without the corrections mentioned here.
Is there any reason why you dropped keywords?
Arches, please test and mark stable: =www-servers/nginx-1.7.6 Target keywords : "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Agostino Sarubbo from comment #14) > x86 stable. > > Maintainer(s), please cleanup. done.
CVE-2014-3616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3616): nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
GLSA Vote: Yes
GLSA vote: no.
oops, wrong bug. Vote yes. Request filed.
Cleanup was done. GLSA drafted and ready for peer review.
This issue was resolved and addressed in GLSA 201502-06 at http://security.gentoo.org/glsa/glsa-201502-06.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
