[nginx-announce] nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Maxim Dounin mdounin at mdounin.ru
Tue Jan 26 19:48:36 UTC 2016


On Tue, Jan 26, 2016 at 09:11:39PM +0200, Christos Trochalakis wrote:

> On Tue, Jan 26, 2016 at 07:32:17PM +0300, Maxim Dounin wrote:
> >Hello!
> >
> >Several problems in nginx resolver were identified, which might allow
> >an attacker to cause worker process crash, or might have potential
> >other impact
> >
> >The problems are fixed in nginx 1.9.10, 1.8.1.
> >
> Hello all,
> I am one of Debian's nginx maintainers. I have just uploaded
> nginx-1.9.10 for unstable, so we are ready on that front. But Debian
> stable is also affected (1.6.x series) and we will need to prepare a
> patch. Is it possible to ask for a single combined patch (or even better
> a 1.6.x release)?
> I know that you have a policy of providing security support for mainline
> and stable (1.9, 1.8), but since there are a lot of nginx users using
> Debian stable, we'd be glad if we could cooperate and make an exception
> whenever possible.

Just merging src/core/ngx_resolver.[ch] from 1.8.1 should
be the optimal solution for 1.6.x.

Maxim Dounin
