Nginx 1.4.4 was released on November 19th, 2013, fixing a request line parsing vulnerability reported by Ivan Fratric of the Google Security Team (CVE-2013-4547). More details are in the changelog.
As a consequence, Dotdeb’s packages of Nginx 1.4.4 are now available for both Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze” (amd64/i386).
Reminder : Users of naxsi-ui should be aware that it has been deprecated in the upcoming Naxsi 0.53 and that it won’t be provided by Dotdeb starting with the next Nginx packages.
As usual, if you want to know which modules are included in each Nginx flavor, just look at this document.
22 replies on “Security : Nginx 1.4.4 for Wheezy and Squeeze”
root@debian:/usr/local/nginx/sbin# ./nginx -V
nginx version: nginx/1.5.7
built by gcc 4.7.2 (Debian 4.7.2-5)
configure arguments: --add-module=./nginx-upload-module
https://github.com/clemensg/nginx-upload-module
Already can use, trouble to rejoin the source!
What is wrong here? nginx is still 1.2.7 after upgrading to 1.4.4.
(sorry for the German output)
root@server ~ # aptitude install nginx
Die folgenden Pakete werden aktualisiert:
nginx
1 Pakete aktualisiert, 0 zusätzlich installiert, 0 werden entfernt und 73 nicht aktualisiert.
Muss 67,0 kB an Archiven herunterladen. Nach dem Entpacken werden 4.096 B zusätzlich belegt sein.
Wollen Sie fortsetzen? [Y/n/?] Y
Hole:1 http://packages.dotdeb.org/ squeeze/all nginx all 1.4.4-1~dotdeb.0 [67,0 kB]
67,0 kB wurden in 0 s heruntergeladen (686 kB/s)
(Lese Datenbank … 30848 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Ersetzen von nginx 1.2.7-1~dotdeb.1 (durch …/nginx_1.4.4-1~dotdeb.0_all.deb) …
Ersatz für nginx wird entpackt …
nginx (1.4.4-1~dotdeb.0) wird eingerichtet …
Aktueller Status: 2 Aktualisierungen [-1].
root@server ~ # nginx -v
nginx version: nginx/1.2.7
root@server ~ # /etc/init.d/nginx restart
root@frontend2 ~ # nginx -v
nginx version: nginx/1.2.7
@Tom : could you tell me the result of which nginx? I suppose you have an nginx binary that takes priority over the one installed by the Dotdeb package (/usr/local/*bin/).
@guillaume: sorry for the delay, here is the output for which nginx
root@server ~ # which nginx
/usr/sbin/nginx
So remove nginx completely and install it again?
@Tom : this could be a solution. apt-get install --reinstall nginx-full should overwrite your /usr/sbin/nginx and display the right version.
No, didn’t work. I’m using package nginx and not nginx-full:
aptitude reinstall nginx
nginx (1.4.4-1~dotdeb.0) wird eingerichtet …
which nginx
/usr/sbin/nginx
nginx -v
nginx version: nginx/1.4.2
@Tom : what about /usr/sbin/nginx -v ?
/usr/sbin/nginx -v
nginx version: nginx/1.4.2
and I don’t have an nginx binary in /usr/local/bin or /usr/local/sbin
@Guillaume Plessis Why don’t you give me a reply?
@ccne : I’ll take a look at the updated module. Thanks for the notice
@Guillaume Plessis Ok, looking forward to your update! 🙂
Guillaume, same problem out there.
Did an #apt-get install nginx (testing)
I should have 1.4.4-1
#dpkg -s nginx
> 1.4.4-1
…BUT :
# /usr/sbin/nginx -V gives the old one
#which nginx gives /usr/sbin/nginx (only)
Thanks for correcting it, I’m stuck with 1.2.2 (no websockets…)
@Guillaume Plessis Would you be able to update nginx pagespeed module in the next update? 🙂
Thanks
@Thomas : yes
@eric, you could try apt-get purge nginx* and then reinstall it. (Also, using etckeeper is a good idea, so you won’t even accidentally lose config files.)
Maybe check for /etc/alternatives/? What is ls -al $(which nginx)?
Also you can check what package a file belongs to with dpkg -s $(which nginx)
Plus I usually use dpkg -l | grep nginx, faster than mucking with search in aptitude.
Also, ps aux | grep nginx | grep -v grep | awk '{ print $2 }' | xargs -n1 -I {} ls -al /proc/{}/exe to check what binary is actually running.
Try a complete killall nginx, then start it, if you haven’t already.
Good luck hunting for this ghost in the shell.
@Pas, yes in fact dpkg -l gives :
nginx 1.4.4-1
nginx-common 1.2.1-2.2+wheezy1
nginx-full 1.2.1-2.2+wheezy1
It appears that the upgrade of the “nginx” package didn’t upgrade the others.
I did an apt install of nginx-common and it also upgraded nginx-full; after a restart, the binary was updated to 1.4.4.
> So I still believe that something is broken in the metapackage “nginx”; it should have upgraded “nginx-full” as well.
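The checks suggested in this thread (compare the version the binary reports with the installed package, look at what /proc/<pid>/exe points to, and confirm that nginx, nginx-common and nginx-full are at the same version) collected into one script. This is an added example, not code from the Dotdeb post or from any commenter. It assumes a Debian system with dpkg-query and pgrep available; the version strings and link targets fed to the functions are constructed inputs. The point of the /proc check is that an upgraded package does nothing against CVE-2013-4547 while the old process is still running: until nginx is restarted, readlink on its exe link shows the replaced binary marked "(deleted)".

```shell
#!/bin/sh
# Added example (not from the Dotdeb post or its comments). After a security
# upgrade of the nginx package on Debian, verify that the fix is actually live:
#   1. the nginx binary in PATH reports the packaged upstream version,
#   2. no running nginx process still executes a binary replaced on disk
#      (readlink /proc/<pid>/exe ends in " (deleted)" until the service restarts),
#   3. nginx, nginx-common and nginx-full share the same upstream version.
# Assumes dpkg-query and pgrep exist; everything else is POSIX sh.

# "nginx version: nginx/1.4.4" -> "1.4.4"
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Debian version "1.4.4-1~dotdeb.0" or "1:1.2.1-2.2+wheezy1" -> upstream part
upstream_from_debian_version() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-.*//'
}

# Returns 0 when the banner's version equals the package's upstream version.
versions_match() {
    bin_ver=$(nginx_version_from_banner "$1")
    pkg_ver=$(upstream_from_debian_version "$2")
    [ -n "$bin_ver" ] && [ "$bin_ver" = "$pkg_ver" ]
}

# Returns 0 when a /proc/<pid>/exe target shows the executable was replaced.
exe_link_is_stale() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when every Debian version string given has the same upstream version.
same_upstream_version() {
    first=$(upstream_from_debian_version "$1")
    for v in "$@"; do
        [ "$(upstream_from_debian_version "$v")" = "$first" ] || return 1
    done
    return 0
}

# Live check; silently skipped where nginx or dpkg-query is not installed.
if command -v nginx >/dev/null 2>&1 && command -v dpkg-query >/dev/null 2>&1; then
    banner=$(nginx -v 2>&1 || true)            # nginx prints its banner on stderr
    pkg_ver_str=$(dpkg-query -W -f='${Version}' nginx-full 2>/dev/null \
                  || dpkg-query -W -f='${Version}' nginx 2>/dev/null || true)
    if versions_match "$banner" "$pkg_ver_str"; then
        echo "OK: $(command -v nginx) reports the packaged version ($pkg_ver_str)"
    else
        echo "MISMATCH: binary says '$banner', package says '$pkg_ver_str'"
    fi

    versions=""
    for p in nginx nginx-common nginx-full; do
        v=$(dpkg-query -W -f='${Version}' "$p" 2>/dev/null || true)
        if [ -n "$v" ]; then versions="$versions $v"; fi
    done
    # Word splitting of $versions is intended: one argument per package.
    if [ -n "$versions" ] && ! same_upstream_version $versions; then
        echo "WARNING: nginx packages are at different upstream versions:$versions"
    fi

    for pid in $(pgrep -x nginx 2>/dev/null || true); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
        if exe_link_is_stale "$exe"; then
            echo "STALE: pid $pid still runs the replaced binary ($exe); restart nginx"
        fi
    done
fi
```

Run it as root after the upgrade; a MISMATCH points at a foreign binary shadowing the package (or, as in this thread, a metapackage that did not pull the new nginx-full), while a STALE line means the patched binary is installed but not yet what is serving traffic.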
nginx-extras is so good!
Would you mind adding Mod_Security to the nginx-extras?
Why is there no GZIP module in the standard installation? There is only GZIP_STATIC.
@Grzegorz Dribczak : gzip module is activated by default in all flavors
Would it be possible to update the pagespeed module in nginx-extras to the latest release ?
@Steve Durrheimer : Sure, I’ll do it with the next Nginx stable release.