
Nginx 1.4.4 was released on November 19th, 2013, fixing a request line parsing vulnerability discovered by Ivan Fratric of the Google Security Team (CVE-2013-4547). More info in the changelog.

As a consequence, Dotdeb’s packages of Nginx 1.4.4 are now available for both Debian 7.0 “Wheezy” and Debian 6.0 “Squeeze” (amd64/i386).

Reminder: Users of naxsi-ui should be aware that it has been deprecated in the upcoming Naxsi 0.53 and that it won’t be provided by Dotdeb starting with the next Nginx packages.

As usual, if you want to know which modules are included in each Nginx flavor, you just have to look at this document.

22 Responses to “Security : Nginx 1.4.4 for Wheezy and Squeeze”

  1. Tom

    What is wrong here, nginx still is 1.2.7 after upgrading to 1.4.4?
    (sorry for german output)

    root@server ~ # aptitude install nginx
    Die folgenden Pakete werden aktualisiert:
    1 Pakete aktualisiert, 0 zusätzlich installiert, 0 werden entfernt und 73 nicht aktualisiert.
    Muss 67,0 kB an Archiven herunterladen. Nach dem Entpacken werden 4.096 B zusätzlich belegt sein.
    Wollen Sie fortsetzen? [Y/n/?] Y
    Hole:1 squeeze/all nginx all 1.4.4-1~dotdeb.0 [67,0 kB]
    67,0 kB wurden in 0 s heruntergeladen (686 kB/s)
    (Lese Datenbank … 30848 Dateien und Verzeichnisse sind derzeit installiert.)
    Vorbereitung zum Ersetzen von nginx 1.2.7-1~dotdeb.1 (durch …/nginx_1.4.4-1~dotdeb.0_all.deb) …
    Ersatz für nginx wird entpackt …
    nginx (1.4.4-1~dotdeb.0) wird eingerichtet …

    Aktueller Status: 2 Aktualisierungen [-1].
    root@server ~ # nginx -v
    nginx version: nginx/1.2.7
    root@server ~ # /etc/init.d/nginx restart
    root@frontend2 ~ # nginx -v
    nginx version: nginx/1.2.7

  2. Guillaume Plessis

    @Tom: could you tell me what the result of which nginx is? I suppose you have an nginx binary that has priority over the one installed by the Dotdeb package (/usr/local/*bin/).

  3. Tom

    @guillaume: sorry for the delay, here is the output for which nginx
    root@server ~ # which nginx

    So remove nginx completely and install it again?

  5. Tom

    No, didn’t work. I’m using package nginx and not nginx-full:

    aptitude reinstall nginx
    nginx (1.4.4-1~dotdeb.0) wird eingerichtet …
    which nginx

    nginx -v
    nginx version: nginx/1.4.2

  6. Tom

    /usr/sbin/nginx -v
    nginx version: nginx/1.4.2

    and I don’t have an nginx binary in /usr/local/bin or /usr/local/sbin

  7. eric

    Guillaume, same problem out there.
    did a #apt-get install nginx (testing)
    i should have 1.4.4-1
    #dpkg -s nginx
    > 1.4.4-1
    …BUT :
    # /usr/sbin/nginx -V gives the old one
    #which nginx gives /usr/sbin/nginx (only)

    thx for correcting it i’m stuck with 1.2.2 (no websockets…)

  8. Thomas

    @Guillaume Plessis Would you be able to update nginx pagespeed module in the next update? 🙂


  9. Pas

    @eric, you could try apt-get purge nginx* and then reinstall it. (Also, using etckeeper is a good idea, so you won’t even accidentally lose config files.)

    Maybe check for /etc/alternatives/? What is ls -al $(which nginx)?

    Also you can check what package a file belongs to with dpkg -S $(which nginx)

    Plus I usually use dpkg -l | grep nginx, faster than mucking with search in aptitude.

    Also, ps aux | grep nginx | grep -v grep | awk '{ print $2 }' | xargs -n1 -I {} ls -al /proc/{}/exe to check what binary is actually running.

    Try a complete killall nginx, then start it, if you haven’t already.

    Good luck hunting for this ghost in the shell.

  10. eric

    @Pas, yes in fact dpkg -l gives :
    nginx 1.4.4-1
    nginx-common 1.2.1-2.2+wheezy1
    nginx-full 1.2.1-2.2+wheezy1

    it appears that the upgrade on “nginx” package didn’t upgrade the others.
    i did an apt install on nginx-common and it also upgraded nginx-full, after a restart, binary was updated to 1.4.4
    > so i still believe that something is broken in metapackage “nginx”, it should have upgraded “nginx-full” also.

  11. Grzegorz Dribczak

    Why is there no GZIP module in the standard installation? There is only GZIP_STATIC.

  12. Steve Durrheimer

    Would it be possible to update the pagespeed module in nginx-extras to the latest release?
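
The thread above shows a security upgrade that looked applied (the nginx metapackage at 1.4.4) while the binary was still an older release. The script below is an added example, not part of the original post or of Dotdeb's packaging: it checks every installed nginx* package, the on-disk binary and the running processes against the fixed release. The function names and the `--live` switch are this example's own; `/usr/sbin/nginx` and 1.4.4 are taken from the page.

```shell
#!/bin/sh
# Added example: confirm a patched nginx is really what is installed and running.

# Upstream part of a Debian version: drop the epoch and the Debian revision.
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# Version from `nginx -v` output, e.g. "nginx version: nginx/1.2.7".
binary_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# Read "package version" lines on stdin; print the ones not at upstream $1.
stale_packages() {
    while read -r pkg ver; do
        [ -n "$ver" ] || continue                   # listed but not installed
        [ "$(upstream_version "$ver")" = "$1" ] || printf '%s %s\n' "$pkg" "$ver"
    done
}

# Live check on a Debian host; $1 is the fixed release, $2 the binary path.
audit_nginx() {
    want=$1 bin=${2:-/usr/sbin/nginx} rc=0
    stale=$(dpkg-query -W -f='${Package} ${Version}\n' 'nginx*' | stale_packages "$want")
    [ -z "$stale" ] || { echo "packages not at $want:"; echo "$stale"; rc=1; }
    have=$(binary_version "$("$bin" -v 2>&1)")      # nginx -v writes to stderr
    [ "$have" = "$want" ] || { echo "$bin reports $have"; rc=1; }
    for pid in $(pgrep -x nginx); do                # old binary still mapped?
        exe=$(readlink "/proc/$pid/exe")
        case $exe in *"(deleted)") echo "pid $pid runs replaced binary: restart"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: the package state quoted in comment 10 of this thread.
SAMPLE='nginx 1.4.4-1
nginx-common 1.2.1-2.2+wheezy1
nginx-full 1.2.1-2.2+wheezy1'

if [ "${1:-}" = "--live" ]; then
    audit_nginx "${2:-1.4.4}"
else
    printf '%s\n' "$SAMPLE" | stale_packages 1.4.4
fi
```

Run without arguments it prints the two stale packages from the sample; with `--live` on a Debian host it exits non-zero if any of the three checks fails.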