Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure:
- Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley.
Upgrading is strongly recommended.
15 replies on “Security : Nginx 1.0.14”
I’m getting an error trying to install this update:
sudo apt-get upgrade
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following packages will be upgraded:
nginx-common nginx-full
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/449 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]?
Reading changelogs… Done
dpkg: parse error, in file ‘/var/lib/dpkg/available’ near line 162440 package ‘spyder’:
too many values in file details field `MD5sum’ (compared to others)
E: Sub-process /usr/bin/dpkg returned an error code (2)
Disregard this, I fixed the problem by clearing and recreating the available packages list.
server_tokens off; doesn’t work, or is it only me?
@hanti: it works on the server you’re querying now. It only displays “Server: nginx”.
Just upgraded my server without any issues, thanks!
I have problems with “server_tokens off;”, too. I found out that it only doesn’t work if “passenger_enabled on;” is set. On a vhost without it, the HTTP header looks like
“Server: nginx”
With passenger_enabled it looks like:
Server: nginx/1.0.14 + Phusion Passenger 3.0.11
I am using nginx-extras as package.
@Alexander Meindi: thanks for your bug report and for making the link with Passenger. This bug should be resolved with recent versions of Passenger, but it’s not:
http://code.google.com/p/phusion-passenger/issues/detail?id=289
As a workaround you could add this line to /etc/nginx/conf.d/security.conf:
more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';
Tell me if it solves your issue.
@Alexander Meindi: could you also try to set passenger_show_version_in_header to off?
Hi, I tried it with “passenger_show_version_in_header off;” but no difference. HTTP header information is still the same.
I also tried more_clear_headers for X-Powered-By, but in combination with “passenger_enabled on;” this isn’t working either.
Hi again,
sorry, my last information was wrong. The workaround with more_clear_headers worked. If I set
more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';
then “nginx/1.0.14 + Phusion Passenger 3.0.11” is removed, too! Thanks for the hint!
But passenger_enabled and passenger_show_version_in_header didn’t change anything.
Thanks for the precious work Guillaume!
I wanted to know if there is any reason why nginx is compiled without any hardening flag?
# hardening-check /usr/sbin/nginx
/usr/sbin/nginx:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: no, not found!
Read-only relocations: no, not found!
Immediate binding: no, not found!
@Kevin: I’ll take a look at it in the next releases. Thanks for this feedback.
Thanks 🙂
I realized it is also the case in Debian stable.
Hello, is it possible to use this module (http://wiki.nginx.org/HttpLimitZoneModule) with this package?
I’m trying to setup a connection limit for each IP, but no luck so far.
Thanks.
@Arthur: HttpLimitZone is present in nginx-full and nginx-extras.
For a digest of the included modules by nginx flavor, take a look at this doc: https://docs.google.com/a/moolfreet.com/spreadsheet/ccc?key=0AjuNPnOoex7SdG5fUkhfc3BCSjJQbVVrQTg4UGU2YVE#gid=0
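For Arthur's per-IP connection limit question and the Server-header workaround discussed in the earlier comments, here is an added configuration example; it is not from the original post or any commenter's setup. It assumes Debian's default nginx.conf includes /etc/nginx/conf.d/*.conf inside the http block, that the headers-more module (nginx-extras) is installed, and the zone name, zone size, connection limit and hostname are illustrative values.

```nginx
# --- /etc/nginx/conf.d/security.conf (http context) ---
# Added example, not the page's own configuration. Values below are illustrative.

# Drop the version from the Server header (built-in directive).
server_tokens off;

# Workaround from the comments: with "passenger_enabled on;" Passenger still
# appends "nginx/x.y.z + Phusion Passenger a.b.c", so strip the headers
# outright. Requires the headers-more module shipped in nginx-extras.
more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';

# Per-client connection tracking (HttpLimitZoneModule). On nginx 1.0.x the
# directives are limit_zone / limit_conn; limit_zone was superseded by
# limit_conn_zone in nginx 1.1.8. $binary_remote_addr stores the address in
# binary form, so the zone holds more clients than the text $remote_addr.
# The zone size bounds how many client addresses are tracked at once; when it
# is exhausted, further requests are answered with 503.
limit_zone peraddr $binary_remote_addr 10m;   # "peraddr" and 10m are assumed

# --- /etc/nginx/sites-available/example (server context) ---
server {
    listen 80;
    server_name www.example.com;   # placeholder hostname

    # At most 10 simultaneous connections per client address; the 11th
    # connection is rejected with 503 (the fixed status on 1.0.x).
    limit_conn peraddr 10;

    # Log rejected connections at "warn" so they stand out in error.log
    # when checking whether the limit is tuned too tight for real clients.
    limit_conn_log_level warn;

    root /var/www/example;
}
```

After editing, `nginx -t` validates the files and `curl -I http://www.example.com/` should show no version in the Server header, with or without Passenger enabled on the vhost.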