Posted by & filed under Nginx.

Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure:

  • Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley.

The bug is triggered by a response coming back from a backend, so deployments that proxy to upstreams are the ones exposed. Upgrading is strongly recommended.

15 Responses to “Security : Nginx 1.0.14”

  1. Justin

    I’m getting an error trying to install this update:

    sudo apt-get upgrade

    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    The following packages will be upgraded:
    nginx-common nginx-full
    2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0 B/449 kB of archives.
    After this operation, 0 B of additional disk space will be used.
    Do you want to continue [Y/n]?
    Reading changelogs… Done
    dpkg: parse error, in file `/var/lib/dpkg/available' near line 162440 package `spyder':
    too many values in file details field `MD5sum' (compared to others)
    E: Sub-process /usr/bin/dpkg returned an error code (2)

  2. Justin

    Disregard this, I fixed the problem by clearing and recreating the available packages list.

  3. Alexander Meindl

    I have problems with “server_tokens off;”, too. I found out that it only doesn’t work if “passenger_enabled on;” is set. On a vhost without it the HTTP header looks like

    “Server: nginx”

    With passenger_enabled it looks like:

    Server: nginx/1.0.14 + Phusion Passenger 3.0.11

    I am using the nginx-extras package.

  4. Alexander Meindl

    Hi, I tried it with “passenger_show_version_in_header off;” but no difference. The HTTP header information is still the same.
    I also tried more_clear_headers for X-Powered-By, but in combination with “passenger_enabled on;” this isn’t working either.

  5. Alexander Meindl

    Hi again,
    sorry, my last information was wrong. The workaround with more_clear_headers worked. If I set

    more_clear_headers ‘Server’ ‘X-Powered-By’ ‘X-Runtime’;

    then “nginx/1.0.14 + Phusion Passenger 3.0.11” is removed, too! Thanks for the hint!

    But passenger_enabled and passenger_show_version_in_header didn’t change anything.
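
The exchange above boils down to a check worth automating: with Passenger enabled, server_tokens off leaves "nginx/1.0.14 + Phusion Passenger 3.0.11" in the Server header, and the more_clear_headers line from comment 5 (nginx-extras) is what actually strips Server, X-Powered-By and X-Runtime. The following script is an added example, not code from the post or its commenters. It audits a response head for version-bearing headers and, when the Server header still names an nginx version, compares it against 1.0.14, the release this post announces. The two sample responses are constructed from the headers quoted in the comments; the X-Powered-By value is an assumed placeholder, and audit_host() is a convenience for live use that the samples do not exercise.

```python
import http.client
import re

# First nginx release carrying the fix announced in this post.
FIXED_VERSION = (1, 0, 14)

# Headers that the more_clear_headers line in the comments strips; with
# Passenger they carry version strings that server_tokens alone leaves in.
VERSION_BEARING = ("server", "x-powered-by", "x-runtime")

# Constructed sample response heads (not captured from any real host): the
# plain vhost and the passenger_enabled vhost as described in the comments.
SAMPLE_PLAIN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_PASSENGER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.0.14 + Phusion Passenger 3.0.11\r\n"
    "X-Powered-By: Phusion Passenger 3.0.11\r\n"   # assumed value, for illustration
    "X-Runtime: 0.012\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a raw HTTP response head into a list of (lowercased name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def nginx_version(server_value):
    """Return the nginx version tuple named in a Server header, or None."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", server_value)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(headers):
    """Return findings for one set of response headers.

    A Server header containing any digit discloses a version (nginx's own or
    the "+ Phusion Passenger x.y.z" suffix); the other version-bearing headers
    are reported whenever they are present at all.
    """
    findings = []
    for name, value in headers:
        if name == "server":
            if re.search(r"\d", value):
                findings.append("Server header discloses a version: %s" % value)
            ver = nginx_version(value)
            if ver is not None and ver < FIXED_VERSION:
                findings.append("nginx %d.%d.%d predates the 1.0.14 fix" % ver)
        elif name in VERSION_BEARING:
            findings.append("%s header present: %s" % (name, value))
    return findings


def audit_host(host, path="/", port=80):
    """Issue a HEAD request and audit the live response (not used by the samples)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return audit([(k.lower(), v) for k, v in resp.getheaders()])
    finally:
        conn.close()


if __name__ == "__main__":
    for label, raw in (("plain vhost", SAMPLE_PLAIN), ("passenger vhost", SAMPLE_PASSENGER)):
        print(label, audit(parse_head(raw)) or "clean")
```

Run against a real vhost with `audit_host("example.internal")` after applying `server_tokens off;` plus `more_clear_headers 'Server' 'X-Powered-By' 'X-Runtime';`; an empty findings list means the Passenger suffix and the two extra headers are gone.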

  6. Kevin

    Thanks for the precious work Guillaume!
    I wanted to know if there is any reason why nginx is compiled without any hardening flag?

    # hardening-check /usr/sbin/nginx
    Position Independent Executable: no, normal executable!
    Stack protected: no, not found!
    Fortify Source functions: no, not found!
    Read-only relocations: no, not found!
    Immediate binding: no, not found!

  7. Kevin

    Thanks 🙂
    I realized it is also the case in Debian stable.
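
Kevin's hardening-check output can be reproduced from plain readelf output, which is useful on hosts where the hardening-check script is not installed. The script below is an added example and is not part of the post or of Debian's nginx packaging. It maps `readelf -h`, `-l`, `-d` and `-s` text to the five properties hardening-check reports; the rules paraphrase that script's checks, and the PIE rule in particular (ET_DYN plus a DT_DEBUG entry, so that shared libraries are not counted) is an assumption of this example. The two readelf excerpts are constructed, reduced to the lines the checks look at, and stand in for a binary built with the Debian hardening flags and one built without them, as in Kevin's output.

```python
import re
import subprocess

# Constructed readelf excerpts (not taken from any real binary) containing only
# the lines the checks below look at: one binary built with the hardening
# flags and one built without them.
HARDENED = {
    "-h": "ELF Header:\n  Type:                              DYN (Shared object file)\n",
    "-l": "Program Headers:\n  LOAD           0x0000000000000000\n  GNU_RELRO      0x0000000000002d88\n",
    "-d": ("Dynamic section at offset 0x2d98 contains 27 entries:\n"
           " 0x0000000000000015 (DEBUG)              0x0\n"
           " 0x000000000000001e (FLAGS)              BIND_NOW\n"
           " 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE\n"),
    "-s": ("Symbol table '.dynsym' contains 8 entries:\n"
           "     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
           "     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)\n"),
}
UNHARDENED = {
    "-h": "ELF Header:\n  Type:                              EXEC (Executable file)\n",
    "-l": "Program Headers:\n  LOAD           0x0000000000000000\n",
    "-d": ("Dynamic section at offset 0x2d98 contains 24 entries:\n"
           " 0x0000000000000015 (DEBUG)              0x0\n"),
    "-s": ("Symbol table '.dynsym' contains 6 entries:\n"
           "     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)\n"),
}


def readelf(binary, flag):
    """Return readelf's text output for one flag (-h, -l, -d or -s) on a binary."""
    return subprocess.run(["readelf", flag, binary], capture_output=True,
                          text=True, check=True).stdout


def hardening_report(outputs):
    """Map the four readelf outputs to the five hardening-check properties.

    outputs is {"-h": ..., "-l": ..., "-d": ..., "-s": ...}. The PIE rule
    (ET_DYN file that also carries DT_DEBUG, which a plain shared library
    lacks) is the heuristic hardening-check uses; assumption of this example.
    """
    is_dyn = re.search(r"^\s*Type:\s+DYN\b", outputs["-h"], re.M) is not None
    has_debug = "(DEBUG)" in outputs["-d"]
    return {
        "pie": is_dyn and has_debug,
        # -fstack-protector pulls in the __stack_chk_fail canary-failure handler
        "stack_protector": "__stack_chk_fail" in outputs["-s"],
        # _FORTIFY_SOURCE redirects calls to glibc's __<func>_chk variants
        "fortify": re.search(r"\b__\w+_chk\b", outputs["-s"]) is not None,
        # -Wl,-z,relro adds a GNU_RELRO program header
        "relro": "GNU_RELRO" in outputs["-l"],
        # -Wl,-z,now sets BIND_NOW in DT_FLAGS (or NOW in DT_FLAGS_1)
        "bind_now": re.search(r"BIND_NOW|\(FLAGS_1\).*\bNOW\b", outputs["-d"]) is not None,
    }


def check_binary(path):
    """hardening-check-style report for a binary on this machine."""
    return hardening_report({f: readelf(path, f) for f in ("-h", "-l", "-d", "-s")})


if __name__ == "__main__":
    import sys
    report = check_binary(sys.argv[1]) if len(sys.argv) > 1 else hardening_report(UNHARDENED)
    for prop, ok in report.items():
        print("%-16s %s" % (prop, "yes" if ok else "no"))
```

`python3 script.py /usr/sbin/nginx` gives the same five answers as Kevin's hardening-check run; with no argument it prints the report for the constructed unhardened sample, which matches his output (all five "no").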