Your message dated Sat, 22 Jul 2017 19:47:36 +0000
with message-id <e1dz0ne-0007vq...@fasolo.debian.org>
and subject line Bug#868109: fixed in nginx 1.6.2-5+deb8u5
has caused the Debian Bug report #868109,
regarding nginx: CVE-2017-7529 Integer overflow in the range filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nginx
Severity: important
Tags: upstream security

A security issue was identified in the nginx range filter.  A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in a sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory.  No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

   max_ranges 1;

A patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt

Announcement: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html

--- End Message ---
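The advisory above describes the class of bug (an integer overflow while parsing byte ranges) and the `max_ranges 1;` workaround, but not the checks that prevent it. The following is an added example, not nginx's code and not the patch linked above: a small overflow-safe parser for a `Range: bytes=...` header that rejects numbers too large for an `int64_t`, clamps suffix ranges before subtracting from the content length so an offset can never go negative, and ignores the header once more ranges than `max_ranges` appear. The function names, the `byte_range_t` type and the sample inputs are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
typedef struct { int64_t start, end; } byte_range_t;

/* Accumulate decimal digits into an int64; returns 0 on overflow or on an
 * empty digit run. Advances *p past the digits. */
static int parse_off(const char **p, int64_t *out) {
    int64_t v = 0; int digits = 0;
    while (isdigit((unsigned char)**p)) {
        int d = **p - '0';
        if (v > (INT64_MAX - d) / 10) return 0;   /* v * 10 + d would overflow */
        v = v * 10 + d; (*p)++; digits++;
    }
    *out = v;
    return digits > 0;
}

/* Parse a "bytes=" Range header into out[0..max_ranges), clamped to
 * content_length. Returns the range count; 0 = ignore the header and serve
 * the full body (malformed, or more than max_ranges, as nginx does); -1 = 416. */
int parse_range(const char *hdr, int64_t content_length, int max_ranges,
                byte_range_t *out) {
    if (content_length <= 0 || strncmp(hdr, "bytes=", 6) != 0) return 0;
    const char *p = hdr + 6; int n = 0;
    for (;;) {
        int64_t start, end;
        while (*p == ' ') p++;
        if (*p == '-') {                          /* suffix form "-N" */
            p++;
            if (!parse_off(&p, &end)) return 0;
            if (end == 0) return -1;
            start = end >= content_length ? 0 : content_length - end;  /* never negative */
            end = content_length - 1;
        } else {                                  /* "start-" or "start-end" */
            if (!parse_off(&p, &start) || *p++ != '-') return 0;
            if (isdigit((unsigned char)*p)) { if (!parse_off(&p, &end)) return 0; }
            else end = content_length - 1;
            if (start >= content_length) return -1;  /* unsatisfiable (simplified) */
            if (end >= content_length) end = content_length - 1;
            if (end < start) return 0;
        }
        if (n == max_ranges) return 0;            /* max_ranges exceeded */
        out[n].start = start; out[n++].end = end;
        while (*p == ' ') p++;
        if (*p == '\0') return n;
        if (*p++ != ',') return 0;
    }
}
```

The simplification relative to RFC 7233 is that any unsatisfiable range rejects the whole request instead of being dropped from a multi-range set.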
--- Begin Message ---
Source: nginx
Source-Version: 1.6.2-5+deb8u5

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochala...@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 10:29:22 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light 
nginx-light-dbg nginx-extras nginx-extras-dbg
Architecture: source all amd64
Version: 1.6.2-5+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Kartik Mistry <kar...@debian.org>
Changed-By: Christos Trochalakis <ctrochala...@debian.org>
Description:
 nginx      - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc  - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
Closes: 868109
Changes:
 nginx (1.6.2-5+deb8u5) jessie-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter (Closes: #868109)


--- End Message ---