Package: nginx / 1.6.2-5+deb8u5
Metadata
Package | Version | Patches format |
---|---|---|
nginx | 1.6.2-5+deb8u5 | 3.0 (quilt) |
Patch series
view the series filePatch | File delta | Description |
---|---|---|
perl use dpkg buildflags.patch | (download) |
src/http/modules/perl/Makefile.PL |
4 4 + 0 - 0 ! |
use linker flags from environment for perl (dpkg-buildflags). Necessary for hardening flags. |
0003 Resolver fixed possible segmentation fault on DNS fo.patch | (download) |
src/core/ngx_resolver.c |
2 1 + 1 - 0 ! |
resolver: fixed possible segmentation fault on dns format error. |
0004 Resolver fixed crashes in timeout handler.patch | (download) |
src/core/ngx_resolver.c |
50 34 + 16 - 0 ! |
resolver: fixed crashes in timeout handler. If one or more requests were waiting for a response, then after getting a CNAME response, the timeout event on the first request remained active, pointing to the wrong node with an empty rn->waiting list, and that could cause either null pointer dereference or use-after-free memory access if this timeout expired. If several requests were waiting for a response, and the first request terminated (e.g., due to client closing a connection), other requests were left without a timeout and could potentially wait indefinitely. This is fixed by introducing per-request independent timeouts. This change also reverts 954867a2f0a6 and 5004210e8c78. |
0005 Resolver fixed CNAME processing for several requests.patch | (download) |
src/core/ngx_resolver.c |
21 15 + 6 - 0 ! |
resolver: fixed cname processing for several requests. When several requests were waiting for a response, then after getting a CNAME response only the last request was properly processed, while others were left waiting. |
0006 Resolver changed the ngx_resolver_create_ _query arg.patch | (download) |
src/core/ngx_resolver.c |
57 27 + 30 - 0 ! |
resolver: changed the ngx_resolver_create_*_query() arguments. No functional changes. This is needed by the following change. |
0007 Resolver fixed use after free memory accesses with C.patch | (download) |
src/core/ngx_resolver.c |
72 33 + 39 - 0 ! |
resolver: fixed use-after-free memory accesses with cname. When several requests were waiting for a response, then after getting a CNAME response only the last request's context had the name updated. Contexts of other requests had the wrong name. This name was used by ngx_resolve_name_done() to find the node to remove the request context from. When the name was wrong, the request could not be properly cancelled, its context was freed but stayed linked to the node's waiting list. This happened e.g. when the first request was aborted or timed out before the resolving completed. When it completed, this triggered a use-after-free memory access by calling ctx->handler of already freed request context. The bug manifests itself by "could not cancel <name> resolving" alerts in error_log. When a request was responded with a CNAME, the request context kept the pointer to the original node's rn->u.cname. If the original node expired before the resolving timed out or completed with an error, this would trigger a use-after-free memory access via ctx->name in ctx->handler(). The fix is to keep ctx->name unmodified. The name from context is no longer used by ngx_resolve_name_done(). Instead, we now keep the pointer to resolver node to which this request is linked. Keeping the original name intact also improves logging. |
0008 Resolver limited CNAME recursion.patch | (download) |
src/core/ngx_resolver.c |
28 22 + 6 - 0 ! |
resolver: limited cname recursion. Previously, the recursion was only limited for cached responses. |
0009 Core skip special buffers on writing ticket 981.patch | (download) |
src/os/unix/ngx_files.c |
6 6 + 0 - 0 ! |
core: skip special buffers on writing (ticket #981). A special last buffer with cl->buf->pos set to NULL can be present in a chain when writing request body if chunked encoding was used. This resulted in a NULL pointer dereference if it happened to be the only buffer left after a do...while loop iteration in ngx_write_chain_to_file(). The problem originally appeared in nginx 1.3.9 with chunked encoding support. Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the minimum number of buffers to trigger this from IOV_MAX (typically 1024) to NGX_IOVS_PREALLOCATE (typically 64). Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is done in other places. Backported by 1.11.1 for debian. |
CVE 2017 7529 Range filter.patch | (download) |
src/http/modules/ngx_http_range_filter_module.c |
4 4 + 0 - 0 ! |
[patch] range filter: protect from total size overflows. The overflow can be used to circumvent the restriction on total size of ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow allows producing ranges with negative start (such ranges can be created by using a suffix, "bytes=-100"; normally this results in 200 due to the total size check). These can result in the following errors in logs: [crit] ... pread() ... failed (22: Invalid argument) [alert] ... sendfile() failed (22: Invalid argument) When using cache, it can be also used to reveal cache file header. It is believed that there are no other negative effects, at least with standard nginx modules. In theory, this can also result in memory disclosure and/or segmentation faults if multiple ranges are allowed, and the response is returned in a single in-memory buffer. This never happens with standard nginx modules though, as well as known 3rd party modules. Fix is to properly protect from possible overflow when incrementing size. |