
Nginx 1.4.1 was released on May 7th, 2013, with the fix for the stack-based buffer overflow security problem in nginx 1.3.9 – 1.4.0, discovered by Greg MacManus of iSIGHT Partners Labs (CVE-2013-2028).

As a consequence, Dotdeb’s packages of Nginx 1.4.1 are now available for both Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze” (amd64/i386).

As usual, if you want to know which modules are included in each Nginx flavor, you just have to look at this document.

28 Responses to “Security : Nginx 1.4.1”

  1. pictu

    Seems to break with “listen [::]:80 default_server;” directive.
    When changing the directive to “listen *:80 default_server;” other weird things are happening at first glance. Hope this isn’t a configuration problem on my end…

  2. pictu

    About my comment… never mind. Seems something in my system has changed and I now need to use “ipv6only=on” and use 2 listen directives. Sorry about the false alarm.

  3. kev

    @pictu upgraded to wheezy? wheezy is running nearly everything on ipv6 only.

  4. msg7086

    I got a bunch of
    nginx: [emerg] bind() to [2606:2e00:0:1:--------]:80 failed (98: Address already in use)
    after upgrading from 1.4.0

  5. ru_maniac

    nginx-full appears to have broken dependencies:

    root@snk-games ~ # apt-get install nginx-full
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    nginx-full : Depends: libgeoip1 (>= 1.4.8+dfsg) but 1.4.7~beta6+dfsg-1 is to be installed
    Depends: libpcre3 (>= 8.10) but 8.02-1.1 is to be installed
    Depends: libssl1.0.0 (>= 1.0.1) but it is not installable

    • ru_maniac

      And yeah, I forgot to clarify – this is what happens under Squeeze. I tried to upgrade to Wheezy, of course, but due to some weird stuff I use, it’s not an option, at least, right now.

      Please check your packaging scripts, and if the error is there, please rebuild -full, -light and -common.

      Thanks in advance!

      • Guillaume Plessis

        Wheezy is now “stable”, Squeeze is “oldstable”. Be sure to use “squeeze” explicitly in your sources.list instead of “stable”.

  6. Haris

    I have the same issue, I managed to fix the first dependency problem using the squeeze backports, but the other two remain.

    Any help is really appreciated, thanks in advance.

    • Guillaume Plessis

      Wheezy is now “stable”, Squeeze is “oldstable”. Be sure to use “squeeze” explicitly in your sources.list instead of “stable”.

  7. Andrew

    I’ve hit the same issue as ru_maniac, also on debian squeeze.

    Poking about, I discovered that my server was set to ‘stable’ from the dotdeb repositories rather than ‘squeeze’. As of a few days, ‘stable’ is now ‘wheezy’.

    According to http://packages.dotdeb.org/dists/{squeeze,stable}/all/binary-amd64/Packages , dotdeb version for squeeze is 1.4.1-1~dotdeb.0, whereas stable has 1.4.1-1~dotdeb.1. Is the squeeze version up to date with the required security fixes, or is it still one step behind?

    • Guillaume Plessis

      Wheezy is now “stable”, Squeeze is “oldstable”. Be sure to use “squeeze” explicitly in your sources.list instead of “stable”.

      The squeeze version is 1.4.1-1~dotdeb.0 and the wheezy one is 1.4.1-1~dotdeb.1 (and any future release will have this one-index-interval scheme) to be sure that nginx is upgraded when migrating from Squeeze to Wheezy.

  8. Andrew

    Further to the above, I tracked the source of that error in my apt configuration down to a puppet template which uses lsbdistcodename from facter. Oddly facter is apparently giving ‘stable’ for this parameter when called from puppet, but gives ‘squeeze’ when run from the command line.

    This isn’t anything to do with the nginx release through dotdeb of course, but there’s a fair chance that someone else who is looking here is going down the same rabbit hole as me.

  9. Adrian

    Nginx 1.4.x for wheezy does not have SPDY enabled. Nginx docs state:

    The ngx_http_spdy_module module provides experimental support for SPDY. Currently, draft 2 of SPDY protocol is implemented.

    This module is not built by default, it should be enabled with the --with-http_spdy_module configuration parameter.

    Can you enable it on the rules of nginx, so we can take advantage of this new feature ?

    • Guillaume Plessis

      @Adrian : according to the linked-in-the-post document, SPDY is enabled in nginx-full and nginx-extras. Please consider installing one of these flavors instead of nginx-light

      • Adrian

        @Guillaume: I double checked it but in the compile options it does not appear.

        # nginx -V
        nginx version: nginx/1.4.1
        TLS SNI support enabled
        configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-file-aio --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-cache-purge --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/ngx_http_pinba_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-x-rid-header --with-ld-opt=-lossp-uuid

        # dpkg -l | grep nginx
        ii nginx-common 1.4.1-1~dotdeb.0 small, powerful, scalable web/proxy server - common files
        ii nginx-full 1.4.1-1~dotdeb.0 nginx web/proxy server (standard version)

        • Guillaume Plessis

          @Adrian : oh, you talked about “nginx on wheezy” but you’re using Squeeze. This distribution has an outdated OpenSSL library that prevents SPDY from running. Upgrade to Wheezy if you want it.

  10. fabrice

    It seems that the module nginx-cache-purge doesn’t work with nginx-extras 1.4.1. I was using it with nginx-extras 1.2.7 (and 1.2.6).

    All seems to work (in the logs of my purge server) but the cached pages are not removed from the cache.

    This module seems to not be compatible (yet) with nginx 1.4.1

    Has anybody tried to use this module?

  11. fabrice

    Sorry…my mistake.
    I believe it didn’t work because of the opcode apc that I just installed before. The page was cached in the RAM…

    It works fine.

  12. Pawel

    Hello,
    it would be nice if You also add pagespeed and drizzle module, maybe mongo 3rd party module as well :)

  13. cronner

    Having problems with showing full filenames with Nginx autoindex and read that this should help, can you possibly compile with this? could be great :)

    #define NGX_HTTP_AUTOINDEX_PREALLOCATE 50

    #define NGX_HTTP_AUTOINDEX_NAME_LEN 50

    to like 300?

    #define NGX_HTTP_AUTOINDEX_PREALLOCATE 300

    #define NGX_HTTP_AUTOINDEX_NAME_LEN 300

  14. Nuno

    Hi, I use nginx-full because I use spdy and realip.
    Now I would like to setup naxsi too but it asks me to remove nginx-full.
    Do I need to recompile nginx-full to include naxsi?

    Thanks

    • Guillaume Plessis

      @Nuno : yes, you’ll have to rebuild it because I’ll keep Naxsi in a separate package. FYI, I’ll enable spdy in all the flavors in the next Nginx packages

  15. Ma

    Hello, is there a planning for the future to integrate ModSecurity? http://www.modsecurity.org/
    It is one of the largest WAF and also available for Nginx. This would be a very good possibility for protection of the webserver.

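Two checks follow from the post and the thread above: whether an installed nginx falls in the affected range 1.3.9 – 1.4.0, and whether a dotdeb apt source tracks a moving alias such as “stable” instead of a codename such as “squeeze”. The script below is an added example, not Dotdeb's tooling; the function names and the sample sources.list are constructed for illustration.

```sh
#!/bin/sh
# Added example. Function names and sample data are hypothetical/constructed.

# Succeeds (exit 0) if the version lies in the range the post lists as
# affected by CVE-2013-2028: 1.3.9 through 1.4.0 inclusive.
# Accepts "1.4.0", a package version like "1.4.1-1~dotdeb.0",
# or raw `nginx -v 2>&1` output ("nginx version: nginx/1.4.0").
nginx_version_affected() {
    ver=${1##*nginx/}          # drop the "nginx version: nginx/" prefix
    ver=${ver%%[!0-9.]*}       # drop packaging suffixes after x.y.z
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    n=$(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
    [ "$n" -ge 1003009 ] && [ "$n" -le 1004000 ]
}

# Prints "LINE:SUITE" for every dotdeb source whose suite is a moving
# alias. Reads sources.list-format files given as arguments, or stdin.
dotdeb_alias_suites() {
    awk '$1 ~ /^deb(-src)?$/ && /dotdeb\.org/ {
        i = 2                                   # field holding the URI
        if ($i ~ /^\[/) {                       # skip "[ options ]"
            while (i <= NF && $i !~ /\]$/) i++
            i++
        }
        suite = $(i + 1)
        if (suite ~ /^(oldstable|stable|testing|unstable)$/)
            printf "%d:%s\n", FNR, suite
    }' "$@"
}

# Constructed sample of a Squeeze-era sources.list.
sample_sources() {
    cat <<'EOF'
# constructed sample, not taken from a real host
deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org squeeze all
deb [arch=amd64] http://packages.dotdeb.org oldstable all
deb http://ftp.debian.org/debian stable main
EOF
}

sample_sources | dotdeb_alias_suites
for sample in "nginx version: nginx/1.4.0" "1.4.1-1~dotdeb.0"; do
    if nginx_version_affected "$sample"; then echo "$sample: affected"
    else echo "$sample: not in affected range"; fi
done
```

On a real host, pass `/etc/apt/sources.list /etc/apt/sources.list.d/*.list` to `dotdeb_alias_suites` and `"$(nginx -v 2>&1)"` to `nginx_version_affected`.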

Trackbacks/Pingbacks

  1.  What to do when you cannot update to dotdeb's nginx 1.4.1 on Debian Squeeze | 暇人じゃない
