[Debian] Schwachstelle in nginx - DSA-1920-1

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Di Okt 27 13:58:40 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des Debian-Teams. Wir geben
diese Informationen unveraendert an Sie weiter.

Debian 552035 - Denial of Service Schwachstelle in nginx

  Eine nicht naeher beschriebene Schwachstelle in nginx erlaubt es einem
  Angreifer, den Webserver durch Senden eines entsprechend aufgebauten
  HTTP Requests zum Absturz zu bringen.

Betroffen sind die folgenden Software Pakete und Plattformen:

  Paket nginx in der old stable Distribution (etch) vor Version
  0.4.13-2+etch3
  Paket nginx in der stable Distribution (lenny) vor Version 0.6.32-3+lenny3
  Paket nginx in der testing Distribution (squeeze) vor Version 0.7.62-1
  Paket nginx in der unstable Distribution (sid) vor Version 0.7.62-1

  Old Stable Distribution (etch)
  Stable Distribution (lenny)
  Testing Distribution (squeeze)
  Unstable Distribution (sid)

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
  http://www.debian.org/security/2009/dsa-1920


(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
		Klaus Moeller, DFN-CERT

- -- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1920-1                  security at debian.org
http://www.debian.org/security/                           Stefan Fritsch
October 26, 2009                      http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE Id(s)      : no CVE Id yet
Debian Bug     : 552035

A denial of service vulnerability has been found in nginx, a small and
efficient web server.

Jasson Bell discovered that a remote attacker could cause a denial of service
(segmentation fault) by sending a crafted request.

For the old stable distribution (etch), this problem has been fixed in version
0.4.13-2+etch3

For the stable distribution (lenny), this problem has been fixed in version
0.6.32-3+lenny3

For the testing (squeeze) and unstable (sid) distributions, this problem has
been fixed in version 0.7.62-1


We recommend that you upgrade your nginx package.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- - -------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips,
mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13.orig.tar.gz
    Size/MD5 checksum:   436610 d385a1e7a23020d421531818d5606b5b
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.dsc
    Size/MD5 checksum:      611 c4e1baf967a3dbb19a28bf2da8c32fdb
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3.diff.gz
    Size/MD5 checksum:     6822 794447a883501912bf6f448b9a561293

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_alpha.deb
    Size/MD5 checksum:   211432 14edf103968d05ed6b3f0149e790881c

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_amd64.deb
    Size/MD5 checksum:   196040 70ac342b4cf946ad70d9914c5bc54d38

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_arm.deb
    Size/MD5 checksum:   187230 0caef4e2898e11690a49eb45a539ad37

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_hppa.deb
    Size/MD5 checksum:   205304 05e92ede05223ee00832a7fa22f8712f

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_i386.deb
    Size/MD5 checksum:   184404 764b3c087859dcf45d888fe6c7f55176

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_ia64.deb
    Size/MD5 checksum:   278594 4ae16a2fe0a790a1eb567aa2a2c909ea

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mips.deb
    Size/MD5 checksum:   208380 a7408a0c1f14f235aec3c9f3a12d5694

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_mipsel.deb
    Size/MD5 checksum:   207790 67255cb5b5848c714921d0a44abd449d

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_powerpc.deb
    Size/MD5 checksum:   186666 a0a0505d498f51d2a63e615e8e3e8fe7

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_s390.deb
    Size/MD5 checksum:   199838 b0d4f3cc9878b0280a8e56a0bd29bd53

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.4.13-2+etch3_sparc.deb
    Size/MD5 checksum:   185332 9fdd4b7725b4060a311d7f35f9266cfb


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32.orig.tar.gz
    Size/MD5 checksum:   522183 c09a2ace3c91f45dabbb608b11e48ed1
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.dsc
    Size/MD5 checksum:     1231 0acea5f6912c80de2c6b54b16c7f008b
  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3.diff.gz
    Size/MD5 checksum:    10814 a5c652551a6457c8ead36578a5ba59bb

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_alpha.deb
    Size/MD5 checksum:   297934 72777a5e04e324eef3f97d93623a4559

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_amd64.deb
    Size/MD5 checksum:   268654 8ba00b9fa72c1b6d92ba1f4af5b95e2d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_arm.deb
    Size/MD5 checksum:   252062 7de60e3654a0aff273d3340dd46e2cda

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_armel.deb
    Size/MD5 checksum:   252764 f0ba676c131f1fc992e27cf1c50440d7

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_hppa.deb
    Size/MD5 checksum:   282454 7d9299fcc9ca9201905790eea2357527

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_i386.deb
    Size/MD5 checksum:   255294 c7e061bcc8d9272abd91c522e01e05dd

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_ia64.deb
    Size/MD5 checksum:   420106 3356229c7f62e64c19dd3c3853cb7a87

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mips.deb
    Size/MD5 checksum:   283362 9c97f75512a4665c60e20f8fcfff6556

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_mipsel.deb
    Size/MD5 checksum:   283598 2ebafc8e613da6d28f09d91e1287055c

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_powerpc.deb
    Size/MD5 checksum:   276188 9c4e725628b775d77aa3a5ccce16063a

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_s390.deb
    Size/MD5 checksum:   274074 1bbc736cc9651bfd041042b29096bdfa

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/nginx/nginx_0.6.32-3+lenny3_sparc.deb
    Size/MD5 checksum:   256738 eca03da76437d58f898a60c9cb5930d7


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFK5fmgbxelr8HyTqQRAh6TAKCaQPAvBocbzorUrCvwS4rXYScsMACdHwBR
vxiw12cmLhOR49R5TZI0wno=
=2CaQ
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFK5u6Ak0kIxZMiiQ8RAnoqAJ0VSbLLAhBDrgeioDCeOPMITgsBQwCgwDty
6/AGuvAx2SWxsSs/N7VGA2A=
=WrDc
-----END PGP SIGNATURE-----