Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2009.1448 New nginx packages fixs denial of service issue 27 October 2009 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nginx Publisher: Debian Operating System: Debian GNU/Linux 4 Debian GNU/Linux 5 UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade Original Bulletin: http://www.debian.org/security/2009/dsa-1920 Comment: This advisory references vulnerabilities in products which run on platforms other than Debian. It is recommended that administrators running nginx check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - - ------------------------------------------------------------------------ Debian Security Advisory DSA-1920-1 security@debian.org http://www.debian.org/security/ Stefan Fritsch October 26, 2009 http://www.debian.org/security/faq - - ------------------------------------------------------------------------ Vulnerability : denial of service Problem type : remote Debian-specific: no CVE Id(s) : no CVE Id yet Debian Bug : 552035 A denial of service vulnerability has been found in nginx, a small and efficient web server. Jasson Bell discovered that a remote attacker could cause a denial of service (segmentation fault) by sending a crafted request. For the old stable distribution (etch), this problem has been fixed in version 0.4.13-2+etch3 For the stable distribution (lenny), this problem has been fixed in version 0.6.32-3+lenny3 For the testing (squeeze) and unstable (sid) distributions, this problem has been fixed in version 0.7.62-1 We recommend that you upgrade your nginx package. Upgrade instructions - - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - - ------------------------------- Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13.orig.tar.gz Size/MD5 checksum: 436610 d385a1e7a23020d421531818d5606b5b http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.dsc Size/MD5 checksum: 611 c4e1baf967a3dbb19a28bf2da8c32fdb http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.diff.gz Size/MD5 checksum: 6822 794447a883501912bf6f448b9a561293 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_alpha.deb Size/MD5 checksum: 211432 14edf103968d05ed6b3f0149e790881c amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_amd64.deb Size/MD5 checksum: 196040 70ac342b4cf946ad70d9914c5bc54d38 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_arm.deb Size/MD5 checksum: 187230 0caef4e2898e11690a49eb45a539ad37 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_hppa.deb Size/MD5 checksum: 205304 05e92ede05223ee00832a7fa22f8712f i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_i386.deb Size/MD5 checksum: 184404 764b3c087859dcf45d888fe6c7f55176 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_ia64.deb Size/MD5 checksum: 278594 4ae16a2fe0a790a1eb567aa2a2c909ea mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mips.deb Size/MD5 checksum: 208380 a7408a0c1f14f235aec3c9f3a12d5694 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mipsel.deb Size/MD5 checksum: 207790 67255cb5b5848c714921d0a44abd449d powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_powerpc.deb Size/MD5 checksum: 186666 a0a0505d498f51d2a63e615e8e3e8fe7 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_s390.deb Size/MD5 checksum: 199838 b0d4f3cc9878b0280a8e56a0bd29bd53 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_sparc.deb Size/MD5 checksum: 185332 9fdd4b7725b4060a311d7f35f9266cfb Debian GNU/Linux 5.0 alias lenny - - -------------------------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32.orig.tar.gz Size/MD5 checksum: 522183 c09a2ace3c91f45dabbb608b11e48ed1 http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.dsc Size/MD5 checksum: 1231 0acea5f6912c80de2c6b54b16c7f008b http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.diff.gz Size/MD5 checksum: 10814 a5c652551a6457c8ead36578a5ba59bb alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_alpha.deb Size/MD5 checksum: 297934 72777a5e04e324eef3f97d93623a4559 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_amd64.deb Size/MD5 checksum: 268654 8ba00b9fa72c1b6d92ba1f4af5b95e2d arm architecture (ARM) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_arm.deb Size/MD5 checksum: 252062 7de60e3654a0aff273d3340dd46e2cda armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_armel.deb Size/MD5 checksum: 252764 f0ba676c131f1fc992e27cf1c50440d7 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_hppa.deb Size/MD5 checksum: 282454 7d9299fcc9ca9201905790eea2357527 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_i386.deb Size/MD5 checksum: 255294 c7e061bcc8d9272abd91c522e01e05dd ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_ia64.deb Size/MD5 checksum: 420106 3356229c7f62e64c19dd3c3853cb7a87 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mips.deb Size/MD5 checksum: 283362 9c97f75512a4665c60e20f8fcfff6556 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mipsel.deb Size/MD5 checksum: 283598 2ebafc8e613da6d28f09d91e1287055c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_powerpc.deb Size/MD5 checksum: 276188 9c4e725628b775d77aa3a5ccce16063a s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_s390.deb Size/MD5 checksum: 274074 1bbc736cc9651bfd041042b29096bdfa sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_sparc.deb Size/MD5 checksum: 256738 eca03da76437d58f898a60c9cb5930d7 These files will probably be moved into the stable distribution on its next update. - - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFK5jmYNVH5XJJInbgRAvfOAJ9XSnaONG2m2LjtgZIC+W45w/EMGgCfYS6k 9zFdSDqBmoMfi6V3OpE5j2g= =ttrG -----END PGP SIGNATURE-----