[nginx-announce] nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Christos Trochalakis yatiohi at ideopolis.gr
Tue Jan 26 19:11:39 UTC 2016

On Tue, Jan 26, 2016 at 07:32:17PM +0300, Maxim Dounin wrote:
>Several problems in nginx resolver were identified, which might allow
>an attacker to cause worker process crash, or might have potential
>other impact
>The problems are fixed in nginx 1.9.10, 1.8.1.

Hello all,

I am one of debian's nginx maintainers, I have just uploaded
nginx-1.9.10 for unstable, so we are ready on that front. But debian
stable is also affected (1.6.x series) and we will need to prepare a
patch. Is it possible to ask for a single combined patch (or even better
an 1.6.x release)?

I know that you have a policy of providing security support for mainline
and stable (1.9, 1.8), but since there are a lot of nginx users using
debian stable, we'd be glad if we could cooperate and make an exception
whenever possible.

Thanks again,

More information about the nginx-devel mailing list