Proposed stable update: nginx
Dear Release team,
Security team has recently identify possible security issue [0] in Stable release for nginx which only affects Stable release for Debian [1]. It is suggested by Security team member that issue can be better fixed by Stable upload.
So, I've prepared and tested nginx stable packages and are available at [2]. Debdiff is at [3] and also attached.
If this is ok, I'll upload package to Stable.
Thanks.
[0] CVE-2011-4315
[1] https://bugzilla.redhat.com/show_bug.cgi?id=754757
[2] http://people.debian.org/~kartik/packages/nginx/
[3] http://people.debian.org/~kartik/packages/nginx/0.7.67-3-to-0.7.67-3+squeeze1.diff
--
Kartik Mistry | IRC: kart_
{0x1f1f, kartikm}.wordpress.com
diff -Nru nginx-0.7.67/debian/changelog nginx-0.7.67/debian/changelog
--- nginx-0.7.67/debian/changelog 2010-07-29 21:42:02.000000000 +0530
+++ nginx-0.7.67/debian/changelog 2011-11-23 13:47:19.000000000 +0530
@@ -1,3 +1,11 @@
+nginx (0.7.67-3+squeeze1) stable; urgency=low
+
+ * debian/patches/CVE-2011-4315.diff:
+ + Fixed compression pointer processing in DNS response greater than 255
+ bytes. See: CVE-2011-4315 for more details.
+
+ -- Kartik Mistry <kartik@debian.org> Wed, 23 Nov 2011 13:47:10 +0530
+
nginx (0.7.67-3) unstable; urgency=low
* debian/rules:
diff -Nru nginx-0.7.67/debian/patches/CVE-2011-4315.diff nginx-0.7.67/debian/patches/CVE-2011-4315.diff
--- nginx-0.7.67/debian/patches/CVE-2011-4315.diff 1970-01-01 05:30:00.000000000 +0530
+++ nginx-0.7.67/debian/patches/CVE-2011-4315.diff 2011-11-23 11:44:56.000000000 +0530
@@ -0,0 +1,26 @@
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -1953,5 +1953,11 @@
+
+ for ( ;; ) {
+- if (n != 0xc0) {
++ if (n & 0xc0) {
++ n = ((n & 0x3f) << 8) + *src;
++ src = &buf[n];
++
++ n = *src++;
++
++ } else {
+ ngx_memcpy(dst, src, n);
+ dst += n;
+@@ -1963,10 +1969,4 @@
+ *dst++ = '.';
+ }
+-
+- } else {
+- n = ((n & 0x3f) << 8) + *src;
+- src = &buf[n];
+-
+- n = *src++;
+ }
+
diff -Nru nginx-0.7.67/debian/patches/series nginx-0.7.67/debian/patches/series
--- nginx-0.7.67/debian/patches/series 2010-04-13 10:11:34.000000000 +0530
+++ nginx-0.7.67/debian/patches/series 2011-11-23 11:40:59.000000000 +0530
@@ -1,3 +1,4 @@
nginx-upstream-fair.diff
dlopen.diff
fix_reloading_ipv6.diff
+CVE-2011-4315.diff
Reply to: