Your message dated Sat, 15 Jul 2017 21:47:38 +0000
with message-id <[email protected]>
and subject line Bug#868109: fixed in nginx 1.10.3-1+deb9u1
has caused the Debian Bug report #868109,
regarding nginx: CVE-2017-7529 Integer overflow in the range filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
868109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Severity: important
Tags: upstream security

A security issue was identified in the nginx range filter.  A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in a sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain the IP address
of the backend server or other sensitive information.

Besides, with 3rd-party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
worker process memory.  No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

   max_ranges 1;

Patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt

Announcement: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

--- End Message ---
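The advisory in the report above says only that a crafted request causes "an integer overflow and incorrect processing of ranges" and that `max_ranges 1;` is a stop-gap until the patch is applied. The C program below is an added example and is not nginx code, not taken from the advisory and not the patch linked there: it is a simplified model of the two defects that description implies, a suffix range ("-n") longer than the body producing a start offset before byte 0, and a signed running total of range lengths that can wrap so that a "total must not exceed the content length" check passes. The header grammar (no whitespace, a single "bytes=" set), the `parse_ranges` and `parse_num` functions, the status names and the 1000-byte sample body are this example's own constructions; the real nginx parser differs in detail, and the patch URL in the report is the authoritative fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not nginx code: a simplified model of the range-parsing
 * pattern the advisory describes.  Grammar: "bytes=a-b,c-,-n", no spaces. */

typedef struct { int64_t start, end; } byte_range;   /* [start, end) */

enum range_status {
    RANGE_OK,               /* ranges accepted: serve 206 */
    RANGE_DECLINED,         /* ignore the header: serve the full 200 body */
    RANGE_NOT_SATISFIABLE   /* malformed or empty set: 416 */
};

/* Parse a run of decimal digits into an int64_t, rejecting overflow. */
static bool parse_num(const char **pp, int64_t *out)
{
    const char *p = *pp;
    int64_t v = 0;

    if (*p < '0' || *p > '9') return false;
    for (; *p >= '0' && *p <= '9'; p++) {
        int d = *p - '0';
        if (v > (INT64_MAX - d) / 10) return false;   /* would overflow */
        v = v * 10 + d;
    }
    *pp = p;
    *out = v;
    return true;
}

/* hardened == false keeps the unsafe pattern: a suffix longer than the body
 * yields a negative start, and the running total is summed unchecked.
 * max_ranges models the `max_ranges` directive: one range too many makes
 * the whole header be ignored (RANGE_DECLINED). */
enum range_status parse_ranges(const char *hdr, int64_t content_length,
                               size_t max_ranges, bool hardened,
                               byte_range *out, size_t cap, size_t *count)
{
    const char *p = hdr;
    int64_t size = 0;
    size_t n = 0;

    if (strncmp(p, "bytes=", 6) != 0) return RANGE_NOT_SATISFIABLE;
    p += 6;

    for (;;) {
        int64_t start = 0, end = 0;

        if (*p == '-') {                          /* "-n": the last n bytes */
            p++;
            if (!parse_num(&p, &end)) return RANGE_NOT_SATISFIABLE;
            if (hardened && end > content_length)
                end = content_length;             /* longer than body: whole body */
            start = content_length - end;         /* unhardened: may go negative */
            end = content_length;
        } else {                                  /* "a-b" or "a-" */
            if (!parse_num(&p, &start) || *p++ != '-') return RANGE_NOT_SATISFIABLE;
            if (*p == ',' || *p == '\0') {
                end = content_length;
            } else {
                if (!parse_num(&p, &end)) return RANGE_NOT_SATISFIABLE;
                end = (end >= content_length) ? content_length : end + 1;
            }
        }
        if (*p != ',' && *p != '\0') return RANGE_NOT_SATISFIABLE;

        if (start < end) {
            if (n == max_ranges || n == cap) return RANGE_DECLINED;
            if (hardened) {
                /* start and end now lie in [0, content_length], so neither the
                 * difference nor this comparison can overflow. */
                if (end - start > content_length - size) return RANGE_DECLINED;
                size += end - start;
            } else {
                /* Signed overflow is undefined in C, so the wrap is modelled with
                 * unsigned arithmetic; gcc/clang convert back modulo 2^64, which
                 * turns a huge total into a negative one. */
                uint64_t len = (uint64_t)end - (uint64_t)start;
                size = (int64_t)((uint64_t)size + len);
            }
            out[n].start = start;
            out[n].end = end;
            n++;
        }
        if (*p++ != ',') break;
    }

    if (n == 0) return RANGE_NOT_SATISFIABLE;
    if (size > content_length) return RANGE_DECLINED;   /* a wrapped total passes */
    *count = n;
    return RANGE_OK;
}
```

With `hardened == false`, a single over-long suffix such as `bytes=-2000` against a 1000-byte body is still caught, because its length 2000 exceeds the body; but a second suffix close to INT64_MAX wraps the running total negative, the final check passes, and the request is accepted with a range whose start lies before byte 0 of the body. For a response served from cache, the bytes before the body are the on-disk cache file header, which is the leak the advisory describes. The hardened path clamps the suffix to the body and rejects the request before the total can wrap, and `max_ranges` of 1 rejects any second range before it is accumulated, which is why the workaround is effective on an unpatched binary even though it does not touch the arithmetic.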
--- Begin Message ---
Source: nginx
Source-Version: 1.10.3-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <[email protected]> (supplier of updated nginx 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 08:44:59 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras 
libnginx-mod-http-geoip libnginx-mod-http-image-filter 
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream 
libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua 
libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo 
libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter 
libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex 
libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter 
libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers 
<[email protected]>
Changed-By: Christos Trochalakis <[email protected]>
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers 
for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-full - nginx web/proxy server (standard version)
 nginx-light - nginx web/proxy server (basic version)
Closes: 868109
Changes:
 nginx (1.10.3-1+deb9u1) stretch-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109)
Checksums-Sha1:
 5c61cfb2e94c828582bbb1d28de5496123725623 4232 nginx_1.10.3-1+deb9u1.dsc
 95cf32c3e33efc53ac81338a5779fbaa425f02e2 911509 nginx_1.10.3.orig.tar.gz
 9e7ba00e4bd1dc17664e5cb5013ce5746afa5065 845032 
nginx_1.10.3-1+deb9u1.debian.tar.xz
Checksums-Sha256:
 1dd39577fd3eeb72a0681ce4694f86dc382f61e2f5fcaa36f5293aa4ec1fa969 4232 
nginx_1.10.3-1+deb9u1.dsc
 75020f1364cac459cb733c4e1caed2d00376e40ea05588fb8793076a4c69dd90 911509 
nginx_1.10.3.orig.tar.gz
 82ab74341dc79e22bf599e8d4ec910db11033c2bd63de11990e4e6e72bc1ed11 845032 
nginx_1.10.3-1+deb9u1.debian.tar.xz
Files:
 469e44849fe708928f187f05410ad76b 4232 httpd optional nginx_1.10.3-1+deb9u1.dsc
 204a20cb4f0b0c9db746c630d89ff4ea 911509 httpd optional nginx_1.10.3.orig.tar.gz
 0fd25c9dfe5bc5b9d9855ecbb7004e26 845032 httpd optional 
nginx_1.10.3-1+deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
