Nginx [nginx-announce] nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Jan 27, 2016.

  1. eva2000

    Hello!

    Several problems in nginx resolver were identified, which might
    allow an attacker to cause worker process crash, or might have
    potential other impact:

    - Invalid pointer dereference might occur during DNS server response
    processing, allowing an attacker who is able to forge UDP
    packets from the DNS server to cause worker process crash
    (CVE-2016-0742).

    - Use-after-free condition might occur during CNAME response
    processing. This problem allows an attacker who is able to trigger
    name resolution to cause worker process crash, or might
    have potential other impact (CVE-2016-0746).

    - CNAME resolution was insufficiently limited, allowing an attacker who
    is able to trigger arbitrary name resolution to cause excessive resource
    consumption in worker processes (CVE-2016-0747).

    The problems affect nginx 0.6.18 - 1.9.9 if the "resolver" directive
    is used in a configuration file.

    The problems are fixed in nginx 1.9.10, 1.8.1.


    --
    Maxim Dounin
    http://nginx.org/

  2. eva2000

    Updated both Centmin Mod 123.08stable and 123.09beta01 builds to default to Nginx 1.9.10 for security fixes CVE-2016-0742, CVE-2016-0746, and CVE-2016-0747. You can update your existing Centmin Mod Nginx server via centmin.sh menu option 4.

    Code:
    --------------------------------------------------------
    Centmin Mod 1.2.3-eva2000.08 - http://centminmod.com
    --------------------------------------------------------
                       Centmin Mod Menu                 
    --------------------------------------------------------
    1).  Centmin Install
    2).  Add Nginx vhost domain
    3).  NSD setup domain name DNS
    4).  Nginx Upgrade / Downgrade
    5).  PHP Upgrade / Downgrade
    6).  XCache Re-install
    7).  APC Cache Re-install
    8).  XCache Install
    9).  APC Cache Install
    10). Memcached Server Re-install
    11). MariaDB 5.2/5.5 & 10.x Upgrade Sub-Menu
    12). Zend OpCache Install/Re-install
    13). Install ioping.sh vbtechsupport.com/1239/
    14). SELinux disable
    15). Install/Reinstall ImagicK PHP Extension
    16). Change SSHD Port Number
    17). Multi-thread compression: pigz,pbzip2,lbzip2...
    18). Suhosin PHP Extension install
    19). Install FFMPEG and FFMPEG PHP Extension
    20). NSD Re-install
    21). Update - Nginx + PHP-FPM + Siege
    22). Add Wordpress Nginx vhost + WP Super Cache
    23). Update Centmin Mod Code Base
    24). Exit
    --------------------------------------------------------
    Enter option [ 1 - 24 ] 4
    --------------------------------------------------------
    Code:
    Do you want to run YUM install checks ?  [y/n]
    
    This will increase your upgrade duration time wise.
    Check the change log centminmod.com/changelog.html
    to see if any Nginx or PHP related new additions
    which require checking YUM prequisites are met.
    If no new additions made, you can skip the
    YUM install check to speed up upgrade time.
    
    [y/n]: n
    **********************************************************************
    * Nginx Update script - Included in Centmin Extras
    * Version: 1.2.3-eva2000.08 - Date: 30/04/2016 - Copyright 2011-2016 CentminMod.com
    **********************************************************************
    This software comes with no warranty of any kind. You are free to use
    it for both personal and commercial use as licensed under the GPL.
    Nginx Upgrade - Would you like to continue? [y/n] y
    
    Install which version of Nginx? (version i.e. 1.9.10}): 1.9.10
    To update your Centmin Mod builds, follow the instructions at centminmod.com/upgrade.html and the respective version threads below:
     
    Last edited: Jan 27, 2016
  3. eva2000
  4. trxerz
    Hi George,
    How do I know if the "resolver" directive is used on my server?
    I only use the server for WordPress.

  5. eva2000
    You can use grep to recursively check all files in /usr/local/nginx/conf/*:
    Code:
    grep -R 'resolver' /usr/local/nginx/conf/*
    Any Centmin Mod SSL-generated domain.com.ssl.conf vhost config file will have resolver in use, for example:
    Code:
    resolver 8.8.8.8 8.8.4.4 valid=10m;
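    The advisory's affected range (0.6.18 - 1.9.9, fixed in 1.9.10 and 1.8.1) and the grep above combine naturally into one local exposure check. The script below is an added example, not code from the thread or from Centmin Mod; it assumes the Centmin Mod conf path /usr/local/nginx/conf quoted above, and it skips commented-out lines and the unrelated resolver_timeout directive, which a bare grep for 'resolver' would also match.

```shell
# version_key 1.9.10 -> 1009010, so versions can be compared as integers.
version_key() {
  echo "$1" | awk -F'[.]' '{ print ($1 * 1000000) + ($2 * 1000) + ($3 + 0) }'
}

# True (exit 0) when VERSION lies in the advisory's affected range
# 0.6.18 - 1.9.9, excluding 1.8.1 and later 1.8.x which carry the backported fix.
nginx_version_affected() {
  mm=$(echo "$1" | cut -d. -f1,2)
  patch=$(echo "$1" | cut -d. -f3)
  if [ "$mm" = "1.8" ] && [ "${patch:-0}" -ge 1 ]; then
    return 1
  fi
  key=$(version_key "$1")
  [ "$key" -ge "$(version_key 0.6.18)" ] && [ "$key" -le "$(version_key 1.9.9)" ]
}

# Prints file:line:text for every active "resolver" directive below CONF_DIR.
# Lines starting with '#' are skipped, and the whitespace after "resolver" in
# the pattern keeps the separate resolver_timeout directive out of the results.
find_resolver_directives() {
  grep -RnE '^[[:space:]]*resolver[[:space:]]' "$1" 2>/dev/null || true
}

# Version of the installed binary, parsed from "nginx version: nginx/X.Y.Z".
installed_nginx_version() {
  nginx -v 2>&1 | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p'
}

# Ties both checks together for the local box (Centmin Mod conf path assumed).
# Exit 0: not exposed; exit 2: affected build with resolver in use.
check_local_nginx() {
  conf_dir=${1:-/usr/local/nginx/conf}
  ver=$(installed_nginx_version)
  hits=$(find_resolver_directives "$conf_dir")
  if nginx_version_affected "$ver" && [ -n "$hits" ]; then
    echo "nginx $ver is affected and resolver is in use:"
    echo "$hits"
    return 2
  fi
  echo "nginx ${ver:-unknown}: no exposure to CVE-2016-0742/0746/0747 found"
  return 0
}
```

    Run `check_local_nginx` (optionally with another conf directory as its argument) on the server; a non-zero exit means the build should be moved to 1.9.10 via centmin.sh menu option 4.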
  6. trxerz
    My instance was compiled with the "Lite" version of Nginx (Centminmod FAQ No 31).
    How do I properly upgrade it?

    Update:
    Amazon EC2 always gives me an error when upgrading PHP or Nginx.
    I think I should install it from scratch.
  7. eva2000
    If you used the FAQ item 31 instructions and set the NGINX options for the lite install via the persistent config file at /etc/centminmod/custom_config.inc, then after updating the Centmin Mod code itself as instructed here, just doing a centmin.sh menu option 4 recompile of Nginx is enough, as the persistent settings in /etc/centminmod/custom_config.inc override whatever is set in centmin.sh. This allows you to use centmin.sh menu option 23 submenu option 2 to update Centmin Mod without overwriting any persistent settings in /etc/centminmod/custom_config.inc, as outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS.