Changes with nginx 1.13.3                                        11 Jul 2017

    *) Security: a specially crafted request might result in an integer
       overflow and incorrect processing of ranges in the range filter,
       potentially resulting in sensitive information leak
       (CVE-2017-7529).

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-announce mailing list
nginx-announce@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-announce
centmin.sh menu option 4 to upgrade nginx specifying version = 1.13.3

Code (Text):
--------------------------------------------------------
Centmin Mod Menu 123.09beta01 centminmod.com
--------------------------------------------------------
1).  Centmin Install
2).  Add Nginx vhost domain
3).  NSD setup domain name DNS
4).  Nginx Upgrade / Downgrade
5).  PHP Upgrade / Downgrade
6).  XCache Re-install
7).  APC Cache Re-install
8).  XCache Install
9).  APC Cache Install
10). Memcached Server Re-install
11). MariaDB MySQL Upgrade & Management
12). Zend OpCache Install/Re-install
13). Install/Reinstall Redis PHP Extension
14). SELinux disable
15). Install/Reinstall ImagicK PHP Extension
16). Change SSHD Port Number
17). Multi-thread compression: pigz,pbzip2,lbzip2...
18). Suhosin PHP Extension install
19). Install FFMPEG and FFMPEG PHP Extension
20). NSD Install/Re-Install
21). Update - Nginx + PHP-FPM + Siege
22). Add Wordpress Nginx vhost + Cache Plugin
23). Update Centmin Mod Code Base
24). Exit
--------------------------------------------------------
Enter option [ 1 - 24 ] 4
--------------------------------------------------------

Code (Text):
Do you want to run YUM install checks ? [y/n]
This will increase your upgrade duration time wise.
Check the change log centminmod.com/changelog.html
to see if any Nginx or PHP related new additions which
require checking YUM prequisites are met. If no new
additions made, you can skip the YUM install check to
speed up upgrade time. [y/n]: n

**********************************************************************
* Nginx Update script - Included in Centmin Extras
* Version: 1.2.3-eva2000.09.005 - Date: 31/05/2017 - Copyright 2011-2017 CentminMod.com
**********************************************************************
This software comes with no warranty of any kind. You are free to use
it for both personal and commercial use as licensed under the GPL.

Nginx Upgrade - Would you like to continue? [y/n] y

Install which version of Nginx? (version i.e. type 1.13.3): 1.13.3

looking good on my end too
Code:
nginx version: nginx/1.13.3
built by clang 3.4.2 (tags/RELEASE_34/dot2-final)
built with LibreSSL 2.5.4
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -mtune=native -DTCP_FASTOPEN=23 -g -O3 -fstack-protector -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-sign-compare -Wno-string-plus-int -Wno-deprecated-declarations -Wno-unused-parameter -Wno-unused-const-variable -Wno-conditional-uninitialized -Wno-mismatched-tags -Wno-sometimes-uninitialized -Wno-parentheses-equality -Wno-tautological-compare -Wno-self-assign -Wno-deprecated-register -Wno-deprecated -Wno-invalid-source-encoding -Wno-pointer-sign -Wno-parentheses -Wno-enum-conversion -Wno-c++11-compat-deprecated-writable-strings -Wno-write-strings -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../libressl-2.5.4
Glad to see some folks are updating. Here's nginx's official security vulnerabilities listing page: nginx security advisories. Scary to think some other LEMP stack installers are still stuck on several past nginx versions, so they now have numerous security vulnerabilities in their running nginx servers!
Indeed, it's why I made sure Centmin Mod's nginx and php-fpm upgrade routines are end-user triggered, so users don't need to wait for me to update and can initiate an upgrade themselves. @RoldanLT updated his server within 15 mins of this post and ~35 mins of the official Nginx 1.13.3 announcement mailing list post.
Other bug trackers for CVE-2017-7529 all have hidden vulnerability details to give users time to update:

- CVE-2017-7529 - Red Hat Customer Portal
- CVE - CVE-2017-7529
- Nginx CVE-2017-7529 Remote Integer Overflow Vulnerability
- CVE-2017-7529
- CVE-2017-7529 in Ubuntu
Yeah, for more serious bugs it's standard practice to not reveal the details, to give folks time to update, IF there are no known exploits of the vulnerability. If there are known exploits out there, then they're more likely to reveal specifics much earlier.
nginx -version

Code:
nginx -V
nginx version: nginx/1.13.3
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with LibreSSL 2.5.4
TLS SNI support enabled
configure arguments: --with-ld-opt='-lrt -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.0 --add-module=../ngx_cache_purge-2.3 --add-module=../ngx_devel_kit-0.3.0 --add-module=../set-misc-nginx-module-0.31 --add-module=../echo-nginx-module-0.60 --add-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-module=../headers-more-nginx-module-0.32 --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../libressl-2.5.4

pcre with pcretest -C

Code:
pcretest -C
PCRE version 8.40 2017-01-11
Compiled with
  8-bit support
  UTF-8 support
  16-bit support
  UTF-16 support
  32-bit support
  UTF-32 support
  Unicode properties support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Parentheses nest limit = 250
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

why with pcretest -C pcre version 8.40 not 8.41 ?
nginx's statically compiled pcre version isn't available as a binary, and the binary you run pcretest against is the one compiled for wget 1.19.1 at initial Centmin Mod install time, which would have been pcre 8.40 as 8.41 was only just released.

Code (Text):
wget -V
GNU Wget 1.19.1 built on linux-gnu.

-cares +digest -gpgme +https +ipv6 -iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
    /usr/local/etc/wgetrc (system)
Locale:
    /usr/local/share/locale
Compile:
    gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
    -DLOCALEDIR="/usr/local/share/locale" -I. -I../lib -I../lib -I
    /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
    -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
    --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
Link:
    gcc -I /usr/local/include -DHAVE_LIBSSL -DNDEBUG -O2 -g -pipe -Wall
    -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
    --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    -L /usr/local/lib -lpcre -lssl -lcrypto -lz ftp-opie.o openssl.o
    http-ntlm.o ../lib/libgnu.a

Code (Text):
which pcretest
/usr/local/bin/pcretest

Code (Text):
pcretest -C
PCRE version 8.40 2017-01-11
Compiled with
  8-bit support
  UTF-8 support
  16-bit support
  UTF-16 support
  32-bit support
  UTF-32 support
  Unicode properties support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Parentheses nest limit = 250
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack

If you want to update that version of pcre, run Centmin Mod 123.09beta01's addons/wget.sh install to recompile:

Code (Text):
cd /usr/local/src/centminmod
git pull
/usr/local/src/centminmod/addons/wget.sh install

Updated, it will show:

Code (Text):
pcretest -C
PCRE version 8.41 2017-07-05
Compiled with
  8-bit support
  UTF-8 support
  16-bit support
  UTF-16 support
  32-bit support
  UTF-32 support
  Unicode properties support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Parentheses nest limit = 250
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack
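As an added example (not from this thread or from Centmin Mod), a small POSIX shell check that covers the two things discussed above: whether an `nginx -V` output reports a version at or above the 1.13.3 release that fixes CVE-2017-7529, and which PCRE tarball nginx was statically built against (read from `--with-pcre=`), since `pcretest -C` only reports the separately installed PCRE binary. The `nginx -V` text is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Added example, not Centmin Mod code. Constructed sample of `nginx -V` output
# (a live nginx prints this on stderr, so capture it with `nginx -V 2>&1`).
SAMPLE_NGINX_V='nginx version: nginx/1.13.3
built by gcc 6.2.1 20160916 (Red Hat 6.2.1-3) (GCC)
built with LibreSSL 2.5.4
TLS SNI support enabled
configure arguments: --with-pcre=../pcre-8.41 --with-pcre-jit --with-zlib=../zlib-1.2.11'

# nginx_version <nginx -V output>: prints the dotted version, e.g. 1.13.3
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p'
}

# builtin_pcre_version <nginx -V output>: prints the version of the PCRE
# source tree given to --with-pcre=, or "system" when nginx links the
# system libpcre instead (in which case pcretest -C is the relevant check).
builtin_pcre_version() {
    v=$(printf '%s\n' "$1" | sed -n 's#.*--with-pcre=[^ ]*pcre-\([0-9.]*\).*#\1#p')
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'system\n'
}

# version_ge A B: exit 0 if dotted version A >= B (numeric per field).
# An empty/unparsable A sorts first and therefore counts as "not fixed".
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# fixed_for_cve_2017_7529 <nginx -V output>: exit 0 if version >= 1.13.3,
# the fix release named in the nginx 1.13.3 changelog quoted in this thread.
fixed_for_cve_2017_7529() {
    version_ge "$(nginx_version "$1")" 1.13.3
}

if fixed_for_cve_2017_7529 "$SAMPLE_NGINX_V"; then
    echo "nginx $(nginx_version "$SAMPLE_NGINX_V"): at or above the 1.13.3 fix release"
else
    echo "nginx $(nginx_version "$SAMPLE_NGINX_V"): below 1.13.3, update"
fi
echo "PCRE linked into nginx: $(builtin_pcre_version "$SAMPLE_NGINX_V")"
# Against a live server: fixed_for_cve_2017_7529 "$(nginx -V 2>&1)"
```

Note that `nginx -V` describes the binary on disk; after an upgrade the running master process still needs a restart or binary upgrade before it reflects the new version.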
thank you

Code:
Total wget Install Time: 74.092821840 seconds

# pcretest -C
PCRE version 8.41 2017-07-05
Compiled with
  8-bit support
  UTF-8 support
  16-bit support
  UTF-16 support
  32-bit support
  UTF-32 support
  Unicode properties support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Parentheses nest limit = 250
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack