ESB-2009.1448

Operating System:
[WIN][UNIX/Linux][Debian]
Published:
27 October 2009
Protect yourself against future threats.
//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.
Resources > Security Bulletins > ESB-2009.1448
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2009.1448
              New nginx packages fixs denial of service issue
                              27 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nginx
Publisher:         Debian
Operating System:  Debian GNU/Linux 4
                   Debian GNU/Linux 5
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.debian.org/security/2009/dsa-1920

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running nginx check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1920-1                  security@debian.org
http://www.debian.org/security/                           Stefan Fritsch
October 26, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : no CVE Id yet
Debian Bug     : 552035

A denial of service vulnerability has been found in nginx, a small and
efficient web server.

Jasson Bell discovered that a remote attacker could cause a denial of service
(segmentation fault) by sending a crafted request.

For the old stable distribution (etch), this problem has been fixed in version
0.4.13-2+etch3

For the stable distribution (lenny), this problem has been fixed in version
0.6.32-3+lenny3

For the testing (squeeze) and unstable (sid) distributions, this problem has
been fixed in version 0.7.62-1


We recommend that you upgrade your nginx package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13.orig.tar.gz
    Size/MD5 checksum:   436610 d385a1e7a23020d421531818d5606b5b
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.dsc
    Size/MD5 checksum:      611 c4e1baf967a3dbb19a28bf2da8c32fdb
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.diff.gz
    Size/MD5 checksum:     6822 794447a883501912bf6f448b9a561293

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_alpha.deb
    Size/MD5 checksum:   211432 14edf103968d05ed6b3f0149e790881c

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_amd64.deb
    Size/MD5 checksum:   196040 70ac342b4cf946ad70d9914c5bc54d38

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_arm.deb
    Size/MD5 checksum:   187230 0caef4e2898e11690a49eb45a539ad37

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_hppa.deb
    Size/MD5 checksum:   205304 05e92ede05223ee00832a7fa22f8712f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_i386.deb
    Size/MD5 checksum:   184404 764b3c087859dcf45d888fe6c7f55176

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_ia64.deb
    Size/MD5 checksum:   278594 4ae16a2fe0a790a1eb567aa2a2c909ea

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mips.deb
    Size/MD5 checksum:   208380 a7408a0c1f14f235aec3c9f3a12d5694

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mipsel.deb
    Size/MD5 checksum:   207790 67255cb5b5848c714921d0a44abd449d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_powerpc.deb
    Size/MD5 checksum:   186666 a0a0505d498f51d2a63e615e8e3e8fe7

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_s390.deb
    Size/MD5 checksum:   199838 b0d4f3cc9878b0280a8e56a0bd29bd53

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_sparc.deb
    Size/MD5 checksum:   185332 9fdd4b7725b4060a311d7f35f9266cfb


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32.orig.tar.gz
    Size/MD5 checksum:   522183 c09a2ace3c91f45dabbb608b11e48ed1
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.dsc
    Size/MD5 checksum:     1231 0acea5f6912c80de2c6b54b16c7f008b
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.diff.gz
    Size/MD5 checksum:    10814 a5c652551a6457c8ead36578a5ba59bb

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_alpha.deb
    Size/MD5 checksum:   297934 72777a5e04e324eef3f97d93623a4559

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_amd64.deb
    Size/MD5 checksum:   268654 8ba00b9fa72c1b6d92ba1f4af5b95e2d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_arm.deb
    Size/MD5 checksum:   252062 7de60e3654a0aff273d3340dd46e2cda

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_armel.deb
    Size/MD5 checksum:   252764 f0ba676c131f1fc992e27cf1c50440d7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_hppa.deb
    Size/MD5 checksum:   282454 7d9299fcc9ca9201905790eea2357527

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_i386.deb
    Size/MD5 checksum:   255294 c7e061bcc8d9272abd91c522e01e05dd

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_ia64.deb
    Size/MD5 checksum:   420106 3356229c7f62e64c19dd3c3853cb7a87

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mips.deb
    Size/MD5 checksum:   283362 9c97f75512a4665c60e20f8fcfff6556

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mipsel.deb
    Size/MD5 checksum:   283598 2ebafc8e613da6d28f09d91e1287055c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_powerpc.deb
    Size/MD5 checksum:   276188 9c4e725628b775d77aa3a5ccce16063a

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_s390.deb
    Size/MD5 checksum:   274074 1bbc736cc9651bfd041042b29096bdfa

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_sparc.deb
    Size/MD5 checksum:   256738 eca03da76437d58f898a60c9cb5930d7


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK5jmYNVH5XJJInbgRAvfOAJ9XSnaONG2m2LjtgZIC+W45w/EMGgCfYS6k
9zFdSDqBmoMfi6V3OpE5j2g=
=ttrG
-----END PGP SIGNATURE-----