Categories
Nginx

Security : Nginx 1.4.4 for Wheezy and Squeeze

Nginx 1.4.4 has been released on November 19th 2013, fixing a request line parsing vulnerability by Ivan Fratric of the Google Security Team (CVE-2013-4547). More info in the changelog.

As a consequence, Dotdeb’s packages of Nginx 1.4.4 are now available for both Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze” (amd64/i386).

Reminder : Users of naxsi-ui should be aware that it has been deprecated in the upcoming Naxsi 0.53 and that it won’t be provided by Dotdeb starting with the next Nginx packages.

As usual, if you want to know which module has been included in each Nginx flavor, you just have to look at this document.

22 replies on “Security : Nginx 1.4.4 for Wheezy and Squeeze”

What is wrong here, nginx still is 1.2.7 after upgrading to 1.4.4?
(sorry for german output)

root@server ~ # aptitude install nginx
Die folgenden Pakete werden aktualisiert:
nginx
1 Pakete aktualisiert, 0 zusätzlich installiert, 0 werden entfernt und 73 nicht aktualisiert.
Muss 67,0 kB an Archiven herunterladen. Nach dem Entpacken werden 4.096 B zusätzlich belegt sein.
Wollen Sie fortsetzen? [Y/n/?] Y
Hole:1 http://packages.dotdeb.org/ squeeze/all nginx all 1.4.4-1~dotdeb.0 [67,0 kB]
67,0 kB wurden in 0 s heruntergeladen (686 kB/s)
(Lese Datenbank … 30848 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Ersetzen von nginx 1.2.7-1~dotdeb.1 (durch …/nginx_1.4.4-1~dotdeb.0_all.deb) …
Ersatz für nginx wird entpackt …
nginx (1.4.4-1~dotdeb.0) wird eingerichtet …

Aktueller Status: 2 Aktualisierungen [-1].
root@server ~ # nginx -v
nginx version: nginx/1.2.7
root@server ~ # /etc/init.d/nginx restart
root@frontend2 ~ # nginx -v
nginx version: nginx/1.2.7

@guillaume: sorry for the delay, here is the output for which nginx
root@server ~ # which nginx
/usr/sbin/nginx

So remove nginx completely and install it again?

@guillaume: sorry for the delay, here is the output for which nginx
root@server ~ # which nginx
/usr/sbin/nginx

So remove nginx completely and install it again?

No, didn’t work. I’m using package nginx and not nginx-full:

aptitude reinstall nginx
nginx (1.4.4-1~dotdeb.0) wird eingerichtet …
which nginx
/usr/sbin/nginx

nginx -v
nginx version: nginx/1.4.2

Guillaume, same problem out there.
did a #apt-get install nginx (testing)
i should have 1.4.4-1
#dpkg -s nginx
> 1.4.4-1
…BUT :
# /usr/sbin/nginx -V gives the old one
#which nginx gives /usr/sbin/nginx (only)

thx for correcting it i’m stuck with 1.2.2 (no websockets…)

@eric, you could try apt-get purge nginx* and then reinstall it. (Also, using etckeeper is a good idea, so you won’t even accidentally lose config files.)

Maybe check for /etc/alternatives/? What is ls -al $(which nginx)?

Also you can check what package a file belongs to with dpkg -s $(which nginx)

Plus I usually use dpkg -l | grep nginx, faster than mucking with search in aptitude.

Also, ps aux | grep nginx | grep -v grep | awk ‘{ print $2 }’ | xargs -n1 -I {} ls -al /proc/{}/exe to check what binary is actually running.

Try a complete killall nginx, then start it, if you haven’t already.

Good luck hunting for this ghost in the shell.

@Pas, yes in fact dpkg -l gives :
nginx 1.4.4-1
nginx-common 1.2.1-2.2+wheezy1
nginx-full 1.2.1-2.2+wheezy1

it appears that the upgrade on “nginx” package didn’t upgrade the others.
i did a apt install on nginx-common and it also upgrade nginx-full, after a restart, binary was updated to 1.4.4
> so i still believe that something is broken in metapackage “nginx”, it should have upgraded “nginx-full” also.

Comments are closed.