Security : Nginx 1.0.14

Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure:

  • Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley.

Upgrading is strongly recommended.

15 replies on “Security : Nginx 1.0.14”

I’m getting an error trying to install this update:

sudo apt-get upgrade

Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be upgraded:
nginx-common nginx-full
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/449 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]?
Reading changelogs… Done
dpkg: parse error, in file ‘/var/lib/dpkg/available’ near line 162440 package ‘spyder’:
too many values in file details field `MD5sum’ (compared to others)
E: Sub-process /usr/bin/dpkg returned an error code (2)

Disregard this, I fixed the problem by clearing and recreating the available packages list.

I have problems with “server_tokens off;”, too. I found out that it only doesn’t work if “passenger_enabled on;” is set. On a vhost without it, the HTTP header looks like

“Server: nginx”

With passenger_enabled it looks like:

Server: nginx/1.0.14 + Phusion Passenger 3.0.11

I am using nginx-extras as package.

Hi, I tried it with “passenger_show_version_in_header off;” but no difference. HTTP header information is still the same.
I also tried more_clear_headers for X-Powered_By, but in combination with “passenger_enabled on;” this isn’t working, either.

Hi again,
sorry, my last information was wrong. The workaround with more_clear_headers worked. If I set

more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';

then “nginx/1.0.14 + Phusion Passenger 3.0.11” is removed, too! Thanks for the hint!

But passenger_enabled and passenger_show_version_in_header didn’t change anything.
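
A check for the header leak discussed in the comments above, as an added example that is not part of the original post or its comments: it parses a raw HTTP response head and reports a Server value that carries a version, plus any X-Powered-By or X-Runtime header. The function names are hypothetical and the sample responses are constructed; only the "nginx/1.0.14 + Phusion Passenger 3.0.11" value is quoted from the thread.

```python
import re

# Flagged whenever present (the headers the thread clears besides Server).
ALWAYS_FLAG = {"x-powered-by", "x-runtime"}
# "/1.0.14"-style product versions or a bare dotted version such as " 3.0.11".
VERSION_RE = re.compile(r"/\d[\w.]*|\s\d+(?:\.\d+)+")

def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response head; status line skipped."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def find_disclosures(raw):
    """Return [(header, value, reason)] for headers that reveal the software stack."""
    findings = []
    for name, value in parse_headers(raw):
        lname = name.lower()
        if lname in ALWAYS_FLAG:
            findings.append((name, value, "header present"))
        elif lname == "server" and VERSION_RE.search(value):
            versions = [v.strip("/ ") for v in VERSION_RE.findall(value)]
            findings.append((name, value, "versions: " + ", ".join(versions)))
    return findings

# Constructed sample responses; only the first Server value is quoted from the thread.
WITH_PASSENGER = ("HTTP/1.1 200 OK\r\n"
                  "Server: nginx/1.0.14 + Phusion Passenger 3.0.11\r\n"
                  "X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.11\r\n"
                  "X-Runtime: 0.012345\r\n"
                  "Content-Type: text/html\r\n\r\n<html></html>")
TOKENS_OFF = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
CLEARED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"  # after more_clear_headers

if __name__ == "__main__":
    for label, raw in (("passenger vhost", WITH_PASSENGER),
                       ("server_tokens off", TOKENS_OFF),
                       ("headers cleared", CLEARED)):
        print(label, "->", find_disclosures(raw) or "clean")
```
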

Thanks for the precious work Guillaume!
I wanted to know if there is any reason why nginx is compiled without any hardening flag?

# hardening-check /usr/sbin/nginx
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
