Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573046 (CVE-2016-0742) - <www-servers/nginx-1.10.1: Multiple vulnerabilities (CVE-2016-{0742,0746,0747})
Summary: <www-servers/nginx-1.10.1: Multiple vulnerabilities (CVE-2016-{0742,0746,0747})
Status: RESOLVED FIXED
Alias: CVE-2016-0742
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://nginx.org/en/security_advisori...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-26 20:00 UTC by cyberbat
Modified: 2016-06-17 18:30 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description cyberbat 2016-01-26 20:00:33 UTC
Invalid pointer dereference in resolver
Severity: medium
CVE-2016-0742
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9

Use-after-free during CNAME response processing in resolver
Severity: medium
CVE-2016-0746
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9

Insufficient limits of CNAME resolution in resolver
Severity: medium
CVE-2016-0747
Not vulnerable: 1.9.10+, 1.8.1+
Vulnerable: 0.6.18-1.9.9
Comment 1 Johan Bergström 2016-01-27 05:58:05 UTC
Ebuild was bumped a few hours ago: https://github.com/gentoo/gentoo/compare/master...jbergstroem:verbump/www-servers/nginx
Comment 2 Johan Bergström 2016-01-27 05:58:42 UTC
sorry, to clarify -- the _work in progress_ ebuild to the nginx 1.9.x series was bumped to reflect the version bump. No changes in tree.
Comment 3 cyberbat 2016-01-27 06:02:29 UTC
What about 1.8.1 and its stabilization? Seems to be no other work then renaming ebuild.
Comment 4 Johan Bergström 2016-01-27 06:05:11 UTC
regarding 1.8.x: I haven't looked at it in a while; would like to revisit before renaming but it would probably suffice to just bump it.
Comment 5 Matt Turner gentoo-dev 2016-01-27 20:07:20 UTC
security@ should be involved.
Comment 6 cyberbat 2016-01-27 23:36:20 UTC
I've tried renaming nginx-1.8.0.ebuild->nginx-1.8.1.ebuild

With flags
USE="aio http http-cache ipv6 pcre ssl vim-syntax -debug -libatomic -luajit -pcre-jit -rtmp (-selinux)" NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fancyindex fastcgi geo gzip limit_conn limit_req map naxsi proxy realip referer rewrite spdy split_clients stub_status upload_progress userid
emerged and running ok.
Comment 7 Johan Bergström 2016-01-27 23:58:37 UTC
I just built all modules successfully. I'm happy to sign off on a version bump for 1.8.0 (and 1.9.x if that means we'll be quicker with the actual bump and merge all my changes at a later stage).
Comment 8 Tomáš Mózes 2016-01-28 06:47:53 UTC
(In reply to Johan Bergström from comment #7)
> I just built all modules successfully. I'm happy to sign off on a version
> bump for 1.8.0 (and 1.9.x if that means we'll be quicker with the actual
> bump and merge all my changes at a later stage).

Since it's a security bump, that would probably make sense.
Comment 9 Manuel Rüger (RETIRED) gentoo-dev 2016-02-02 19:19:44 UTC
Bumped to 1.8.1 

@amd64, x86: Please stabilize nginx-1.8.1
Comment 10 Agostino Sarubbo gentoo-dev 2016-02-03 16:53:23 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-02-03 16:55:00 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Manuel Rüger (RETIRED) gentoo-dev 2016-02-03 21:49:38 UTC
Vulnerable versions have been removed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-06-14 09:13:41 UTC
CVE-2016-0747 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0747):
  The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly
  limit CNAME resolution, which allows remote attackers to cause a denial of
  service (worker process resource consumption) via vectors related to
  arbitrary name resolution.

CVE-2016-0746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0746):
  Use-after-free vulnerability in the resolver in nginx before 1.8.1 and 1.9.x
  before 1.9.10 allows remote attackers to cause a denial of service (worker
  process crash) or possibly have unspecified other impact via a crafted DNS
  response related to CNAME response processing.

CVE-2016-0742 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0742):
  The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote
  attackers to cause a denial of service (invalid pointer dereference and
  worker process crash) via a crafted UDP DNS response.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-14 09:15:02 UTC
Added to existing GLSA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-17 18:30:56 UTC
This issue was resolved and addressed in
 GLSA 201606-06 at https://security.gentoo.org/glsa/201606-06
by GLSA coordinator Kristian Fiskerstrand (K_F).