Re: Portaudit claims nginx 1.2.x vulnerable

2013-05-16 Thread Xin Li
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi, Michael,

On 05/16/13 15:04, Michael Gmelin wrote:
> Hi,
> 
> I just noticed that portaudit considers www/nginx >=1.2.0,1
> <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> preventing installation:
> 
> http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
> 
> According to the announcement on the nginx mailing list, only
> versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
> 
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
> and the fix in nginx trac
> http://trac.nginx.org/nginx/changeset/5189/nginx
> 
> I just checked the source of 1.2.8 (the current version in ports,
> www/nginx) and it doesn't even contain the affected functionality,
> nor the affected function implementing it (ngx_http_parse_chunked).
> This is in line with additional media and bugtracker coverage:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=960605
> http://www.openwall.com/lists/oss-security/2013/05/07/3
> http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
> 
> Long story short: I would kindly ask you to correct the entry in
> the portaudit database to match only affected versions of nginx.

I have taken a look at these and found this:

http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html

I'll update the vuxml entry to include this information.

Cheers,
-- 
Xin LI    delp...@delphij.net    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to freebsd-ports-unsubscr...@freebsd.org
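The thread turns on a vuxml/portaudit version range being wider than the set of versions that actually carry the vulnerable code. The example below is added here and is not part of the mailing-list thread or of the FreeBSD tooling: it implements the FreeBSD package version order (epoch ",N" first, then the dotted version, then the "_N" port revision) for purely numeric versions, parses a vuxml-style range such as ">=1.2.0,1 <1.4.1,1", and checks which installed versions each range flags. The original range is the one quoted above; the narrowed range is the "1.3.9 up to but excluding 1.4.1" range from the nginx announcement, written here with the ports epoch ",1" on both bounds (that epoch placement is my assumption, made so that both bounds compare in the same epoch as the installed packages). The installed versions are constructed sample inputs.

```python
import re

def parse_pkg_version(s):
    """Split a FreeBSD package version 'version[_revision][,epoch]' into
    (epoch, dotted-components, revision). Only numeric dotted versions
    are supported here (an assumption of this example; real ports may use
    letter suffixes and other forms)."""
    epoch = 0
    if ',' in s:
        s, e = s.rsplit(',', 1)
        epoch = int(e)
    revision = 0
    if '_' in s:
        s, r = s.rsplit('_', 1)
        revision = int(r)
    parts = tuple(int(p) for p in s.split('.'))
    return (epoch, parts, revision)

def compare(a, b):
    """Three-way compare two parsed versions: epoch, then the dotted
    components zero-padded to equal length (so 1.4 == 1.4.0), then the
    port revision. Returns -1, 0 or 1."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    n = max(len(a[1]), len(b[1]))
    pa = a[1] + (0,) * (n - len(a[1]))
    pb = b[1] + (0,) * (n - len(b[1]))
    if pa != pb:
        return -1 if pa < pb else 1
    if a[2] != b[2]:
        return -1 if a[2] < b[2] else 1
    return 0

# Relational operators allowed in a range, as predicates on compare()'s result.
OPS = {
    '<':  lambda c: c < 0,
    '<=': lambda c: c <= 0,
    '>':  lambda c: c > 0,
    '>=': lambda c: c >= 0,
    '==': lambda c: c == 0,
}

def parse_range(spec):
    """Parse a vuxml-style range string into a list of (operator, bound)
    pairs; every pair must hold for a version to be inside the range."""
    return re.findall(r'(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z._,]*)', spec)

def version_in_range(version, spec):
    """True if 'version' satisfies every bound in 'spec'."""
    v = parse_pkg_version(version)
    return all(OPS[op](compare(v, parse_pkg_version(bound)))
               for op, bound in parse_range(spec))

# The range quoted in the thread for the portaudit entry, and the narrowed
# range derived from the nginx announcement (epoch on both bounds assumed).
ORIGINAL_RANGE = ">=1.2.0,1 <1.4.1,1"
NARROWED_RANGE = ">=1.3.9,1 <1.4.1,1"

# Constructed sample of installed package versions (not from the thread).
INSTALLED = ["1.2.8,1", "1.2.8_2,1", "1.3.9,1", "1.4.0,1", "1.4.1,1"]

def audit(versions, spec):
    """Return the subset of 'versions' that the range 'spec' flags as affected."""
    return [v for v in versions if version_in_range(v, spec)]

if __name__ == "__main__":
    print("original range flags:", audit(INSTALLED, ORIGINAL_RANGE))
    print("narrowed range flags:", audit(INSTALLED, NARROWED_RANGE))
```

Running it shows the original range flagging the 1.2.x packages alongside 1.3.9 and 1.4.0, while the narrowed range flags only the latter two; 1.4.1,1 is outside both, which is the behaviour the thread asks the database entry to have.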


Re: Portaudit claims nginx 1.2.x vulnerable

2013-05-16 Thread Michael Gmelin
On Thu, 16 May 2013 15:36:28 -0700
Xin Li delp...@delphij.net wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> Hi, Michael,
> 
> On 05/16/13 15:04, Michael Gmelin wrote:
> > Hi,
> > 
> > I just noticed that portaudit considers www/nginx >=1.2.0,1
> > <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> > preventing installation:
> > 
> > http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
> > 
> > According to the announcement on the nginx mailing list, only
> > versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
> > 
> > http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
> > and the fix in nginx trac
> > http://trac.nginx.org/nginx/changeset/5189/nginx
> > 
> > I just checked the source of 1.2.8 (the current version in ports,
> > www/nginx) and it doesn't even contain the affected functionality,
> > nor the affected function implementing it (ngx_http_parse_chunked).
> > This is in line with additional media and bugtracker coverage:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=960605
> > http://www.openwall.com/lists/oss-security/2013/05/07/3
> > http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> > http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
> > 
> > Long story short: I would kindly ask you to correct the entry in
> > the portaudit database to match only affected versions of nginx.
> 
> I have taken a look at these and found this:
> 
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
> 
> I'll update the vuxml entry to include this information.
> 
> Cheers,

Hi Xin,

I missed that nginx got updated to 1.4.0 and now 1.4.1,1 - seems like
I've been working on an old copy of the ports tree. So recovering from
this should be easy for users and at the same time my statement about
the current version in the ports tree being 1.2.8 was clearly wrong.

Anyway, thanks for the clarification, so basically CVE-2013-2070 and
CVE-2013-2028 got mixed up (the former affecting only certain setups
while the latter affecting everybody in a severe way unless they took
special measures to harden their setup).

Cheers & thanks for your swift response,
Michael

-- 
Michael Gmelin