[nginx-announce] nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Andrew Hutchings ahutchings at nginx.com
Tue Jan 26 19:49:21 UTC 2016

Hi Christos,

On 26/01/16 19:11, Christos Trochalakis wrote:
> On Tue, Jan 26, 2016 at 07:32:17PM +0300, Maxim Dounin wrote:
>> Hello!
>> Several problems in nginx resolver were identified, which might allow
>> an attacker to cause worker process crash, or might have potential
>> other impact
>> The problems are fixed in nginx 1.9.10, 1.8.1.
> I am one of debian's nginx maintainers, I have just uploaded
> nginx-1.9.10 for unstable, so we are ready on that front. But debian
> stable is also affected (1.6.x series) and we will need to prepare a
> patch. Is it possible to ask for a single combined patch (or even better
> an 1.6.x release)?

It should be possible to get a combined patch straight out of the 
mercurial repository just by doing a range on the diff. Alternatively 
Fedora has already backported the patches to 1.6 which can be found 
here: http://koji.fedoraproject.org/koji/buildinfo?buildID=713981

Hope this helps

Kind Regards
Andrew Hutchings (LinuxJedi)
Technical Product Manager, NGINX Inc.

More information about the nginx-devel mailing list