Bugzilla – Bug 982505
VUL-1: CVE-2016-4450: nginx-1.0: NULL pointer dereference while writing client request body
Last modified: 2019-02-06 15:46:22 UTC
rh#1341462 (for internal it)
A vulnerability was found in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.
External references:
http://mailman.nginx.org/pipermail/nginx-announce/2016/000179.html
Upstream patches:
[nginx 1.9.13 - 1.11.0] http://nginx.org/download/patch.2016.write.txt
[nginx 1.3.9 - 1.9.12] http://nginx.org/download/patch.2016.write2.txt
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1341462
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4450
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4450.html
(actually we ship nginx-1.0 for webyast 1.3 / studio onsite)
*** Bug 982484 has been marked as a duplicate of this bug. ***
bugbot adjusting priority
SR for SUSE_SLE-11-SP2_Update created request id 116511
For nginx-1.0.SUSE_SLE-11-SP1_Update_ATK_1.2_Update it has returned:
WARNING: This project is not maintained in the maintenance project specified by 'OBS:MaintenanceProject', looking elsewhere
BuildService API error: Server did not define a default maintenance project, can't submit.
The submitted packages are in:
https://build.suse.de/package/show/home:schubi2:branches:OBS_Maintained:nginx-1.0/nginx-1.0.SUSE_SLE-11-SP1_Update_ATK_1.2_Update
https://build.suse.de/package/show/home:schubi2:branches:OBS_Maintained:nginx-1.0/nginx-1.0.SUSE_SLE-11-SP2_Update
I have tested the new nginx version with WebYAST.
nginx-1.0.SUSE_SLE-11-SP1_Update_ATK_1.2_Update is not needed I think, the 11-sp2-update is sufficient.
SUSE-SU-2017:0190-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 982505,988491
CVE References: CVE-2016-1000105,CVE-2016-4450
Sources used:
SUSE Webyast 1.3 (src): nginx-1.0-1.0.15-0.34.1
SUSE Studio Onsite 1.3 (src): nginx-1.0-1.0.15-0.34.1
SUSE Lifecycle Management Server 1.3 (src): nginx-1.0-1.0.15-0.34.1
unfixed for openSUSE
https://build.opensuse.org/request/show/452119
both SUSE and openSUSE fix released. fixed.
openSUSE-SU-2017:0361-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 982505
CVE References: CVE-2016-4450
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src): nginx-1.8.1-9.1
openSUSE-SU-2017:0362-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 982505
CVE References: CVE-2016-4450
Sources used:
openSUSE Leap 42.2 (src): nginx-1.8.1-8.1
openSUSE Leap 42.1 (src): nginx-1.8.1-8.1