Bug#868109: marked as done (nginx: CVE-2017-7529 Integer overflow in the range filter)
Your message dated Sat, 22 Jul 2017 19:47:36 +
with message-id
and subject line Bug#868109: fixed in nginx 1.6.2-5+deb8u5
has caused the Debian Bug report #868109,
regarding nginx: CVE-2017-7529 Integer overflow in the range filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
868109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nginx
Severity: important
Tags: upstream security

A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory. No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

    max_ranges 1;

Patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt

Announcement:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
--- End Message ---

--- Begin Message ---
Source: nginx
Source-Version: 1.6.2-5+deb8u5

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 10:29:22 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-full-dbg nginx-light nginx-light-dbg nginx-extras nginx-extras-dbg
Architecture: source all amd64
Version: 1.6.2-5+deb8u5
Distribution: jessie-security
Urgency: high
Maintainer: Kartik Mistry
Changed-By: Christos Trochalakis
Description:
 nginx - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc - small, powerful, scalable web/proxy server - documentation
 nginx-extras - nginx web/proxy server (extended version)
 nginx-extras-dbg - nginx web/proxy server (extended version) - debugging symbols
 nginx-full - nginx web/proxy server (standard version)
 nginx-full-dbg - nginx web/proxy server (standard version) - debugging symbols
 nginx-light - nginx web/proxy server (basic version)
 nginx-light-dbg - nginx web/proxy server (basic version) - debugging symbols
Closes: 868109
Changes:
 nginx (1.6.2-5+deb8u5) jessie-security; urgency=high
 .
   * Handle CVE-2017-7529 Integer overflow in the range filter
     (Closes: #868109)
Checksums-Sha1:
Checksums-Sha256:

Bug#868109: marked as done (nginx: CVE-2017-7529 Integer overflow in the range filter)
Your message dated Sat, 15 Jul 2017 21:47:38 +
with message-id
and subject line Bug#868109: fixed in nginx 1.10.3-1+deb9u1
has caused the Debian Bug report #868109,
regarding nginx: CVE-2017-7529 Integer overflow in the range filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
868109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nginx
Severity: important
Tags: upstream security

A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory. No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

    max_ranges 1;

Patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt

Announcement:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
--- End Message ---

--- Begin Message ---
Source: nginx
Source-Version: 1.10.3-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 08:44:59 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras
 libnginx-mod-http-geoip libnginx-mod-http-image-filter
 libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
 libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua
 libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo
 libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter
 libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex
 libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter
 libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Nginx Maintainers
Changed-By: Christos Trochalakis
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable web/proxy server - common files
 nginx-doc -

Bug#868109: marked as done (nginx: CVE-2017-7529 Integer overflow in the range filter)
Your message dated Fri, 14 Jul 2017 12:00:40 +
with message-id
and subject line Bug#868109: fixed in nginx 1.13.3-1
has caused the Debian Bug report #868109,
regarding nginx: CVE-2017-7529 Integer overflow in the range filter
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
868109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868109
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: nginx
Severity: important
Tags: upstream security

A security issue was identified in nginx range filter. A specially
crafted request might result in an integer overflow and incorrect
processing of ranges, potentially resulting in sensitive information
leak (CVE-2017-7529).

When using nginx with standard modules this allows an attacker to
obtain a cache file header if a response was returned from cache.
In some configurations a cache file header may contain IP address
of the backend server or other sensitive information.

Besides, with 3rd party modules it is potentially possible that
the issue may lead to a denial of service or a disclosure of
a worker process memory. No such modules are currently known though.

The issue affects nginx 0.5.6 - 1.13.2.
The issue is fixed in nginx 1.13.3, 1.12.1.

For older versions, the following configuration can be used
as a temporary workaround:

    max_ranges 1;

Patch for the issue can be found here:
http://nginx.org/download/patch.2017.ranges.txt

Announcement:
http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
--- End Message ---

--- Begin Message ---
Source: nginx
Source-Version: 1.13.3-1

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 868...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Format: 1.8
Date: Wed, 12 Jul 2017 11:20:27 +0300
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras
 libnginx-mod-http-geoip libnginx-mod-http-image-filter
 libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
 libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua
 libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo
 libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter
 libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex
 libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter
 libnginx-mod-http-dav-ext libnginx-mod-rtmp
Architecture: source amd64 all
Version: 1.13.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers
Changed-By: Christos Trochalakis
Description:
 libnginx-mod-http-auth-pam - PAM authentication module for Nginx
 libnginx-mod-http-cache-purge - Purge content from Nginx caches
 libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
 libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
 libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
 libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
 libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
 libnginx-mod-http-image-filter - HTTP image filter module for Nginx
 libnginx-mod-http-lua - Lua module for Nginx
 libnginx-mod-http-ndk - Nginx Development Kit module
 libnginx-mod-http-perl - Perl module for Nginx
 libnginx-mod-http-subs-filter - Substitution filter module for Nginx
 libnginx-mod-http-uploadprogress - Upload progress system for Nginx
 libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
 libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
 libnginx-mod-mail - Mail module for Nginx
 libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
 libnginx-mod-rtmp - RTMP support for Nginx
 libnginx-mod-stream - Stream module for Nginx
 nginx - small, powerful, scalable web/proxy server
 nginx-common - small, powerful, scalable
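
A triage check built from the version data in the messages above, as an added example that is not part of the bug report or of Debian's or nginx's own code: it classifies an installed nginx package as not affected, patched by a Debian backport, covered by the max_ranges workaround, or vulnerable. The function names, status strings and sample config are hypothetical; it assumes a numeric dotted upstream version and no epoch.

```python
import re

# From the advisory: affects 0.5.6 - 1.13.2; fixed in 1.13.3 and 1.12.1.
FIRST_AFFECTED, FIXED_STABLE, FIXED_MAINLINE = (0, 5, 6), (1, 12, 1), (1, 13, 3)
# Debian revisions carrying the backported fix, from the closing messages.
DEBIAN_FIXED = {"1.6.2": "5+deb8u5",    # jessie-security
                "1.10.3": "1+deb9u1"}   # stretch-security
# Constructed sample configuration with the workaround applied.
SAMPLE_CONF = "http {\n    max_ranges 1;\n}\n"

def deb_key(part):
    """Sort key for one Debian version component, following dpkg ordering:
    digit runs compare numerically; elsewhere '~' sorts before the end of
    the string and letters sort before other symbols."""
    key = []
    for i, tok in enumerate(re.split(r"(\d+)", part)):
        if i % 2:                       # odd positions are the digit runs
            key.append(int(tok))
        else:
            key.append(tuple(-1 if c == "~" else ord(c) if c.isalpha()
                             else ord(c) + 256 for c in tok) + (0,))
    return key

def upstream_affected(upstream):
    v = tuple(int(n) for n in upstream.split("."))
    if not FIRST_AFFECTED <= v < FIXED_MAINLINE:
        return False
    # 1.12.1 and later releases of the 1.12 stable branch carry the fix.
    return not (FIXED_STABLE <= v < (1, 13, 0))

def has_workaround(config_text):
    """True if an uncommented 'max_ranges 1;' is present (0 also counts, as it
    disables ranges). Scope is not checked: the directive has to sit in the
    http block, or in every server block, to cover the whole instance."""
    stripped = re.sub(r"#.*", "", config_text)
    return re.search(r"(?:^|[;{}])\s*max_ranges\s+[01]\s*;", stripped, re.M) is not None

def assess(pkg_version, config_text=""):
    """pkg_version is 'upstream-revision' as dpkg-query prints it, or bare upstream."""
    upstream, _, revision = pkg_version.rpartition("-")
    if not upstream:                    # no Debian revision present
        upstream, revision = pkg_version, ""
    if not upstream_affected(upstream):
        return "not-affected"
    fixed = DEBIAN_FIXED.get(upstream)
    if fixed and revision and deb_key(revision) >= deb_key(fixed):
        return "patched"
    return "workaround" if has_workaround(config_text) else "vulnerable"
```

A "workaround" result still calls for a package upgrade, since the advisory describes max_ranges 1 as temporary.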