Date: Fri, 17 May 2013 00:57:22 +0200
From: Michael Gmelin
To: d@delphij.net
Cc: delphij@delphij.net, freebsd-ports@freebsd.org, secteam@freebsd.org
Subject: Re: Portaudit claims nginx 1.2.x vulnerable
Message-ID: <20130517005722.101dff23@bsd64.grem.de>
In-Reply-To: <51955F6C.2090102@delphij.net>
References: <20130517000431.0fab3a3a@bsd64.grem.de> <51955F6C.2090102@delphij.net>

On Thu, 16 May 2013 15:36:28 -0700
Xin Li wrote:

> Hi, Michael,
>
> On 05/16/13 15:04, Michael Gmelin wrote:
> > Hi,
> >
> > I just noticed that portaudit considers www/nginx >=1.2.0,1
> > <1.4.1,1 to be affected by CVE-2013-2028, creating noise and
> > preventing installation:
> >
> > http://portaudit.freebsd.org/efaa4071-b700-11e2-b1b9-f0def16c5c1b.html
> >
> > According to the announcement on the nginx mailing list, only
> > versions of nginx >= 1.3.9 < 1.4.1,1 should be affected:
> >
> > http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
> >
> > and the fix in nginx trac
> >
> > http://trac.nginx.org/nginx/changeset/5189/nginx
> >
> > I just checked the source of 1.2.8 (the current version in ports,
> > www/nginx) and it doesn't even contain the affected functionality,
> > nor the affected function implementing it (ngx_http_parse_chunked).
> > This is in line with additional media and bugtracker coverage:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=960605
> > http://www.openwall.com/lists/oss-security/2013/05/07/3
> > http://www.ehackingnews.com/2013/05/cve-2013-2028-buffer-overflow.html
> > http://www.h-online.com/open/news/item/NGINX-patches-major-security-flaw-1858438.html
> >
> > Long story short: I would kindly ask you to correct the entry in
> > the portaudit database to match only affected versions of nginx.
>
> I have taken a look at these and found this:
>
> http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
>
> I'll update the vuxml entry to include this information.
>
> Cheers,

Hi Xin,

I missed that nginx got updated to 1.4.0 and now 1.4.1,1 - seems like
I've been working on an old copy of the ports tree. So recovering from
this should be easy for users and at the same time my statement about
the current version in the ports tree being 1.2.8 was clearly wrong.

Anyway, thanks for the clarification, so basically CVE-2013-2070 and
CVE-2013-2028 got mixed up (the former affecting only certain setups
while the latter affecting everybody in a severe way unless they took
special measures to harden their setup).

Cheers & thanks for your swift response,
Michael

-- 
Michael Gmelin
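
The two version ranges discussed in this thread can be compared side by side with a small range check. This is an added example, not part of the original message and not portaudit's or pkg's own code. It assumes a simplified port version grammar (`version[_revision][,epoch]`, numeric components only), and the names `version_key`, `in_range`, `BROAD` and `NARROW` are hypothetical. The narrow range is written here with the port's epoch (`1.3.9,1`), because the epoch is compared before the version itself.

```python
import re

# Simplified grammar (assumption): dotted numeric version, optional
# _PORTREVISION, optional ,PORTEPOCH. Real port versions may also carry
# letters and suffixes, which this example does not handle.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_(\d+))?(?:,(\d+))?")

def version_key(s):
    """Return a sortable key (epoch, version tuple, revision)."""
    m = _VERSION_RE.fullmatch(s)
    if m is None:
        raise ValueError(f"unsupported version string: {s!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Treat 1.4 and 1.4.0 as equal (simplification used in this example).
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    # The epoch sorts first, so it outranks any difference in the version.
    return (int(m.group(3) or 0), tuple(parts), int(m.group(2) or 0))

def in_range(version, ge, lt):
    """True if ge <= version < lt under the ordering above."""
    return version_key(ge) <= version_key(version) < version_key(lt)

# Range portaudit applied, as quoted in the thread.
BROAD = ("1.2.0,1", "1.4.1,1")
# Range from the nginx announcement, with the port epoch added (assumption).
NARROW = ("1.3.9,1", "1.4.1,1")

def audit(versions):
    """Map each version to (matches BROAD, matches NARROW)."""
    return {v: (in_range(v, *BROAD), in_range(v, *NARROW)) for v in versions}

if __name__ == "__main__":
    # Constructed sample versions for illustration.
    for v, (broad, narrow) in audit(
        ["1.2.8,1", "1.3.9,1", "1.4.0,1", "1.4.1,1"]
    ).items():
        print(f"{v:10} broad={broad!s:5} narrow={narrow}")
    # Without the epoch on the lower bound, 1.2.8,1 still matches:
    print(in_range("1.2.8,1", "1.3.9", "1.4.1,1"))
```

The last call shows why a range bound copied from an upstream announcement needs the port's epoch appended before it is used in a vulnerability entry.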