ACK on the debdiffs. I've uploaded packages that are building now.
I slightly adjusted them:
- Oneiric had a change in debian/modules/nginx-lua/.gitmodules, which I removed
- I retargeted them to the security pocket (i.e. oneiric-security instead of oneiric)
- I adjusted the version numbers as
This bug was fixed in the package nginx - 1.0.5-1ubuntu0.1
---
nginx (1.0.5-1ubuntu0.1) oneiric-security; urgency=low
* Security update (closes LP: #956150):
* Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
* Patch to fix 'Heap-based buffer overflow in
This bug was fixed in the package nginx - 0.8.54-4ubuntu0.1
---
nginx (0.8.54-4ubuntu0.1) natty-security; urgency=low
* Security update (closes LP: #956150):
* Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
* Patch to fix 'Heap-based buffer overflow in
This bug was fixed in the package nginx - 0.7.65-1ubuntu2.3
---
nginx (0.7.65-1ubuntu2.3) lucid-security; urgency=low
* Security update (closes LP: #956150):
* Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180).
* Patch to fix 'Heap-based buffer overflow in
Okay, let's try this again. I've changed my debdiff command to --exclude
git, so git changes shouldn't exist anymore.
I am going to be uploading the updated debdiffs shortly.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This is an updated version of the previous Lucid debdiff uploaded.
** Attachment added: Debdiff for Lucid (includes patches for the upstream code
changes) (June 12 2012)
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/956150/+attachment/3186747/+files/lucid-cve-debdiff-20120612
--
Updated Natty debdiff
** Attachment added: Debdiff for Natty (includes patches for the upstream code
changes) (June 12 2012)
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/956150/+attachment/3186748/+files/natty-cve-debdiff-20120612
--
Updated Oneiric debdiff
** Attachment added: Debdiff for Oneiric (includes patches for the upstream
code changes) (June 12 2012)
https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/956150/+attachment/3186749/+files/oneiric-cve-debdiff-20120612
--
Resubscribing the security sponsors team since there are new debdiffs
uploaded.
--
https://bugs.launchpad.net/bugs/956150
Title:
March 15th 2012 Security Advisory
To manage
Thanks. I think there might have been miscommunication on the changelog.
While you do not want to include changes to the upstream changelog in
SRUs or security updates, you do want to update debian/changelog.
--
Possibly. I will modify my system to correctly allow for the changelog to
be included. I will be adding an exclude rule for the git items you
mentioned; those shouldn't be changed, and that may have happened by pure
accident when my system was building the package.
--
Thomas
On Thu, May 31,
Thanks for the debdiffs! Unfortunately they do not follow the guidelines
specified in https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging.
Specifically:
* debian/changelog was not updated
* the patches do not have DEP-3 comments that describe their origin and why
they are needed
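The two packaging problems listed above (debian/changelog not updated, patches without DEP-3 headers), together with the stray git metadata and the version/pocket adjustments mentioned elsewhere in this thread, are the kind of thing a sponsor spots by eye. They can also be caught before the debdiff is attached. The script below is an added example written for this page; it is not code from the bug thread, the Ubuntu Security Team or the nginx package. The sample debdiffs it checks are constructed here (the patch file name, maintainer address and `src/example.c` path are placeholders), and the version-bump rule encodes the scheme described on the SecurityTeam/UpdatePreparation wiki page as the author of this example understands it.

```shell
#!/bin/sh
# Pre-upload lint for an Ubuntu security debdiff (added example, not from the bug
# thread). Input: the unified diff that `debdiff old.dsc new.dsc` writes, with
# paths of the form "nginx-1.0.5/debian/changelog".
# next_security_version BASE: version a security update should carry, per the
# SecurityTeam/UpdatePreparation scheme (assumed here): X-Y -> X-Yubuntu0.1,
# X-YubuntuZ -> X-YubuntuZ.1, X-YubuntuZ.N (earlier update) -> X-YubuntuZ.(N+1)
next_security_version() {
    case "$1" in
        *ubuntu*.*) printf '%s.%s\n' "${1%.*}" "$(( ${1##*.} + 1 ))" ;;
        *ubuntu*)   printf '%s.1\n' "$1" ;;
        *)          printf '%subuntu0.1\n' "$1" ;;
    esac
}
# debdiff_files DEBDIFF: in-package paths of every touched file, from the ---/+++
# headers, with /dev/null dropped and the source-tree prefix stripped.
debdiff_files() {
    sed -n 's/^[-+][-+][-+] //p' "$1" | cut -f1 | grep -v '^/dev/null$' |
        sed 's,^[^/]*/\(debian/\),\1,' | sort -u
}
# check_no_git: git metadata (e.g. a .gitmodules change) must not ride along.
check_no_git() {
    if debdiff_files "$1" | grep -Eq '(^|/)\.git(modules|ignore|attributes)?(/|$)'; then
        echo "FAIL: git metadata in debdiff (regenerate with debdiff --exclude)"; return 1
    fi
}
# check_changelog: debian/changelog must gain an entry whose version carries an
# "ubuntu" component and whose distribution is a -security pocket.
check_changelog() {
    if ! debdiff_files "$1" | grep -qx 'debian/changelog'; then
        echo "FAIL: debian/changelog not updated"; return 1
    fi
    if ! grep -Eq '^[+][a-z0-9][a-z0-9.+-]* \([^)]*ubuntu[^)]*\) [a-z]+-security; urgency=' "$1"; then
        echo "FAIL: new changelog entry lacks an ubuntu version or -security pocket"; return 1
    fi
}
# check_dep3: every file added under debian/patches/ (except series) needs DEP-3
# headers: Description or Subject, plus Origin or Author.
check_dep3() {
    awk '
        /^--- /       { newfile = ($2 == "/dev/null"); next }
        /^[+][+][+] / { f = $2; sub(/^[^\/]*\/debian\//, "debian/", f)
                        inpatch = newfile && f ~ /^debian\/patches\// && f !~ /\/series$/
                        if (inpatch) { n++; name[n] = f; desc[n] = 0; orig[n] = 0 }
                        next }
        inpatch && /^[+](Description|Subject):/ { desc[n] = 1 }
        inpatch && /^[+](Origin|Author|From):/  { orig[n] = 1 }
        END { bad = 0
              for (i = 1; i <= n; i++)
                  if (!desc[i] || !orig[i]) { print "FAIL: no DEP-3 headers in " name[i]; bad = 1 }
              exit bad }' "$1"
}
# lint_debdiff DEBDIFF: run every check; returns 1 if any of them failed.
lint_debdiff() {
    rc=0
    check_no_git "$1" || rc=1
    check_changelog "$1" || rc=1
    check_dep3 "$1" || rc=1
    return $rc
}
# Constructed samples (not the real attachments; patch name, maintainer and
# src/example.c are placeholders): one clean, one with the three flagged problems.
write_good_debdiff() { cat > "$1" <<'EOF'
--- nginx-1.0.5/debian/changelog
+++ nginx-1.0.5/debian/changelog
@@ -1 +1,7 @@
+nginx (1.0.5-1ubuntu0.1) oneiric-security; urgency=low
+
+  * Security update (closes LP: #956150): fix CVE-2012-1180 (use-after-free).
+
+ -- Example Maintainer <maintainer@example.com>  Tue, 12 Jun 2012 12:00:00 +0000
+
 nginx (1.0.5-1) unstable; urgency=low
--- /dev/null
+++ nginx-1.0.5/debian/patches/CVE-2012-1180.patch
@@ -0,0 +1,4 @@
+Description: Patch to fix 'Use-after-free vulnerability' (CVE-2012-1180)
+Origin: upstream
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/956150
+--- a/src/example.c
EOF
}
write_bad_debdiff() { cat > "$1" <<'EOF'
--- nginx-1.0.5/debian/changelog
+++ nginx-1.0.5/debian/changelog
@@ -1 +1,3 @@
+nginx (1.0.5-1ubuntu0.1) oneiric; urgency=low
+
 nginx (1.0.5-1) unstable; urgency=low
--- nginx-1.0.5/debian/modules/nginx-lua/.gitmodules
+++ /dev/null
@@ -1 +0,0 @@
-[submodule "lua"]
--- /dev/null
+++ nginx-1.0.5/debian/patches/CVE-2012-1180.patch
@@ -0,0 +1 @@
+--- a/src/example.c
EOF
}
if [ $# -eq 1 ]; then lint_debdiff "$1"; fi
```

Run it as `sh lint-debdiff.sh <debdiff>` before attaching. The `debdiff --exclude` change mentioned in the thread removes git noise at the source; the script only confirms that it worked, and that the new changelog entry targets `<release>-security` with an `ubuntuN.M` version rather than the plain release pocket.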
sbeattie already addressed that on IRC. I am working on fixing them.
Also note that I did not include change logs per previous SRU
occurrences where I was told to omit the change log when possible.
The changes to git related items are unintended, as I did not modify
them. I can add an exclude
** Changed in: nginx (Ubuntu)
Status: Confirmed => Fix Released
** Changed in: nginx (Ubuntu Precise)
Status: Confirmed => Fix Released
--
Additional Details (#11):
CVE-2009-4487
Considered a non-issue by the upstream developers, hence the requirement of
marking as 'Ignore' or similar in Ubuntu
--
Debdiff for Lucid that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180
--
Fixes not included for CVE-2009-4487, as it is being ignored upstream,
and should accordingly be ignored in Ubuntu.
** Attachment added: Debdiff for Lucid (includes patches for the upstream code
Debdiff for Natty that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180
--
Fixes not included for CVE-2009-4487, as it is being ignored upstream,
and should accordingly be ignored in Ubuntu.
** Attachment added: Debdiff for Natty (includes patches for the upstream code
Debdiff for Oneiric that includes fixes for the following CVEs:
CVE-2011-4315
CVE-2012-1180
--
Fixes not included for CVE-2009-4487, as it is being ignored upstream,
and should accordingly be ignored in Ubuntu.
** Attachment added: Debdiff for Oneiric (includes patches for the upstream
code
The following CVEs do not apply to Precise or Quantal, as the versions
in Precise and Quantal already contain upstream code changes which fixed
these CVEs:
CVE-2011-4315
CVE-2012-1180
--
The following CVE should be marked as 'Ignored' or similar for Ubuntu,
as this CVE is being ignored
** Changed in: nginx (Ubuntu Precise)
Assignee: Michael Lustfield (michaellustfield) => Thomas Ward (trekcaptainusa-tw)
** Changed in: nginx (Ubuntu Oneiric)
Assignee: Michael Lustfield (michaellustfield) => Thomas Ward (trekcaptainusa-tw)
** Changed in: nginx (Ubuntu Natty)
** Changed in: nginx (Ubuntu Lucid)
Assignee: Michael Lustfield (michaellustfield) => Thomas Ward (trekcaptainusa-tw)
--
** Changed in: nginx (Ubuntu Maverick)
Assignee: Michael Lustfield (michaellustfield) => Thomas Ward (trekcaptainusa-tw)
** Changed in: nginx (Ubuntu)
Assignee: Michael Lustfield (michaellustfield) => Thomas Ward (trekcaptainusa-tw)
--
You received this bug notification because you
Is there an ETA for when this patch will be available as a security
update? Thanks.
--
It looks like CVE-2009-4487 should be marked ignore. Upstream has no
intention of ever touching this CVE and does not see it as a legitimate
issue.
--
Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or
multiverse, it is community maintained. If you are able, I suggest
coordinating with upstream and posting a debdiff for this issue. When a
debdiff is
If anyone works on debdiffs for this, please also include the other CVEs
which are currently unfixed:
http://people.canonical.com/~ubuntu-security/cve/pkg/nginx.html
--
Hi.
We are preparing a 1.1.17 package for Nginx which may be uploaded in
Debian Unstable tomorrow.
We also plan to fix the 0.7.67 release (Debian Stable) in the next days.
For the other versions, I may try to apply the patch and propose the
source packages, but if somebody has time to apply the
Hi.
So here is the patch adapted for nginx 0.7.67 (which is in maverick):
http://paste.davromaniak.eu/index.php?show=71
Thanks.
--
** Changed in: nginx (Ubuntu Lucid)
Assignee: (unassigned) => Michael Lustfield (michaellustfield)
** Changed in: nginx (Ubuntu Maverick)
Assignee: (unassigned) => Michael Lustfield (michaellustfield)
** Changed in: nginx (Ubuntu Natty)
Assignee: (unassigned) => Michael Lustfield
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4315
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4487
--