
Security : Nginx 1.4.1

Nginx 1.4.1 was released on May 7th, 2013, with the fix for the stack-based buffer overflow security problem affecting nginx 1.3.9 – 1.4.0, discovered by Greg MacManus of iSIGHT Partners Labs (CVE-2013-2028).

As a consequence, Dotdeb’s packages of Nginx 1.4.1 are now available for both Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze” (amd64/i386).

As usual, if you want to know which modules are included in each Nginx flavor, just look at this document.

29 replies on “Security : Nginx 1.4.1”

Seems to break with “listen [::]:80 default_server;” directive.
When changing the directive to “listen *:80 default_server;” other weird things are happening at first glance. Hope this isn’t a configuration problem on my end…

About my comment… nevermind. Seems something in my system has changed and I now need to use “ipv6only=on” and use 2 listen directives. Sorry about the false alarm.

@pictu upgraded to wheezy? wheezy is running nearly everything on ipv6 only.

I got a bunch of
nginx: [emerg] bind() to [2606:2e00:0:1:——–]:80 failed (98: Address already in use)
after upgrading from 1.4.0

nginx-full appears to have broken dependencies:

root@snk-games ~ # apt-get install nginx-full
Reading package lists… Done
Building dependency tree
Reading state information… Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
nginx-full : Depends: libgeoip1 (>= 1.4.8+dfsg) but 1.4.7~beta6+dfsg-1 is to be installed
Depends: libpcre3 (>= 8.10) but 8.02-1.1 is to be installed
Depends: libssl1.0.0 (>= 1.0.1) but it is not installable

And yeah, I forgot to clarify – this is what happens under Squeeze. I tried to upgrade to Wheezy, of course, but due to some weird stuff I use, it’s not an option, at least, right now.

Please check your packaging scripts, and if the error is there, please rebuild -full, -light and -common.

Thanks in advance!

I have the same issue. I managed to fix the first dependency problem using the squeeze backports, but the other two remain.

Any help is really appreciated, thanks in advance.

I’ve hit the same issue as ru_maniac, also on debian squeeze.

Poking about, I discovered that my server was set to ‘stable’ from the dotdeb repositories rather than ‘squeeze’. As of a few days ago, ‘stable’ is now ‘wheezy’.

According to http://packages.dotdeb.org/dists/{squeeze,stable}/all/binary-amd64/Packages , dotdeb version for squeeze is 1.4.1-1~dotdeb.0, whereas stable has 1.4.1-1~dotdeb.1. Is the squeeze version up to date with the required security fixes, or is it still one step behind?

Further to the above, I tracked the source of that error in my apt configuration down to a puppet template which uses lsbdistcodename from facter. Oddly, facter is apparently giving ‘stable’ for this parameter when called from puppet, but gives ‘squeeze’ when run from the command line.

This isn’t anything to do with the nginx release through dotdeb of course, but there’s a fair chance that someone else who is looking here is going down the same rabbit hole as me.

Wheezy is now “stable”, Squeeze is “oldstable”. Be sure to use “squeeze” explicitly in your sources.list instead of “stable”.

The squeeze version is 1.4.1-1~dotdeb.0 and the wheezy one is 1.4.1-1~dotdeb.1 (and any future release will have this one-index-interval scheme) to be sure that nginx is upgraded when migrating from Squeeze to Wheezy.
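Both the affected range 1.3.9 – 1.4.0 named in the announcement and the ~dotdeb.0 / ~dotdeb.1 revision scheme explained above rest on how dpkg orders version strings. As an added example, not code from Dotdeb, the post or dpkg itself, here is a Python port of the dpkg comparison rules used to check both facts; the version strings are taken from the page, the function names are assumptions of this example.

```python
# Added example (not Dotdeb's or dpkg's code): a Python port of the dpkg version
# ordering rules, used to check what the page states about the CVE-2013-2028
# affected range and the ~dotdeb.0 / ~dotdeb.1 revision scheme.
AFFECTED_LOW, AFFECTED_HIGH = "1.3.9", "1.4.0"   # range given in the announcement


def _order(ch):
    """dpkg sort weight: '~' lowest, end-of-string/digit 0, letters, then others."""
    if ch == "~" or not ch or ch.isdigit():
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")   # digit runs compare numerically
        first_diff = 0
        while a and b and a[0].isdigit() and b[0].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for v1 <, == or > v2 (format epoch:upstream-revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return (int(epoch), upstream, revision) if sep else (int(epoch), rest, "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def is_affected(upstream_version):
    """True when an nginx upstream version lies in the announced affected range."""
    return (compare_versions(AFFECTED_LOW, upstream_version) <= 0
            and compare_versions(upstream_version, AFFECTED_HIGH) <= 0)
```

Because a tilde sorts below the end of the string, 1.4.1-1~dotdeb.1 is still lower than a plain 1.4.1-1, which is what lets the Squeeze and Wheezy builds stay below any later revision while ordering correctly between themselves.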

Dear Guillaume,
is it possible to update “http://packages.dotdeb.org/dists/*/Release” adding all the components (i.e. nginx, …) so we can follow only a part of your repo (i.e. “deb http://packages.dotdeb.org wheezy nginx”)?

Best Regards

Nginx 1.4.x for wheezy does not have SPDY enabled. Nginx docs state:

The ngx_http_spdy_module module provides experimental support for SPDY. Currently, draft 2 of SPDY protocol is implemented.

This module is not built by default, it should be enabled with the --with-http_spdy_module configuration parameter.

Can you enable it on the rules of nginx, so we can take advantage of this new feature ?

@Adrian : according to the document linked in the post, SPDY is enabled in nginx-full and nginx-extras. Please consider installing one of these flavors instead of nginx-light.

@Guillaume: I double checked it but in the compile options it does not appear.

# nginx -V
nginx version: nginx/1.4.1
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-file-aio --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_secure_link_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-auth-pam --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-dav-ext-module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-echo --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-upstream-fair --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-syslog --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-cache-purge --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/ngx_http_pinba_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/ngx_http_substitutions_filter_module --add-module=/usr/src/nginx/source/nginx-1.4.1/debian/modules/nginx-x-rid-header --with-ld-opt=-lossp-uuid

# dpkg -l | grep nginx
ii nginx-common 1.4.1-1~dotdeb.0 small, powerful, scalable web/proxy server - common files
ii nginx-full 1.4.1-1~dotdeb.0 nginx web/proxy server (standard version)

@Adrian : oh, you talked about “nginx on wheezy” but you’re using Squeeze. This distribution has an outdated OpenSSL library that prevents SPDY from running. Upgrade to Wheezy if you want it.

It seems that the nginx-cache-purge module doesn’t work with nginx-extras 1.4.1. I was using it with nginx-extras 1.2.7 (and 1.2.6).

All seems to work (in the logs of my purge server) but the cached pages are not removed from the cache.

This module does not seem to be compatible (yet) with nginx 1.4.1.

Has anybody tried to use this module?

Sorry… my mistake.
I believe it didn’t work because of the APC opcode cache that I had just installed before. The page was cached in RAM…

It works fine.

Having problems with showing full filenames with Nginx autoindex, and I read that this should help. Can you possibly compile with this? It would be great 🙂

#define NGX_HTTP_AUTOINDEX_PREALLOCATE 50

#define NGX_HTTP_AUTOINDEX_NAME_LEN 50

to like 300?

#define NGX_HTTP_AUTOINDEX_PREALLOCATE 300

#define NGX_HTTP_AUTOINDEX_NAME_LEN 300

Hi, I use nginx-full because I use spdy and realip.
Now I would like to setup naxsi too but it asks me to remove nginx-full.
Do I need to recompile nginx-full to include naxsi?

Thanks

Hello, is there a plan to integrate ModSecurity in the future? http://www.modsecurity.org/
It is one of the largest WAFs and is also available for Nginx. This would be a very good option for protecting the webserver.
