Security fix in recent release 0.6.39/DSA-1884-1

patch: http://sysoev.ru/nginx/patch.180065.txt
Affected 0.1.0-0.8.14.
Not affected 0.8.15, 0.7.62, 0.6.39 and 0.5.38

Dear Andres
Can you please change nginx version from 0.5.33 to 0.6.39 (which is patched one too) in 8.0.4 LTS
We're very interesting in this by using new nginx features and options
Thanks in advance, Max&Igor

There is already a backports package that has 0.6: http://packages.ubuntu.com/hardy-backports/nginx

This bug was fixed in the package nginx - 0.7.61-1ubuntu2

---------------
nginx (0.7.61-1ubuntu2) karmic; urgency=low

  * Install html files.
    - debian/dirs: Add 'var/www/nginx-default'.
    - debian/nginx.install: Add 'html/* var/www/nginx-default'.
  * SECURITY UPDATE (CVE-2009-2629): Buffer underflow vulnerability, which
    allows remote attackers to execute arbitrary code via crafted HTTP
    request. (LP: #430064)
    - src/http/ngx_http_parse.c patched.

 -- Andres Rodriguez <email address hidden> Thu, 24 Sep 2009 17:28:34 -0400

Attaching security update debdiff for Jaunty.

Attaching Security update debdiff for Intrepid.

Attaching Security Update debdiff for Hardy

Test performed to this point where to verify the build and normal installation and operation of nginx, this far everything works as expected.

Built packages can be found at: https://launchpad.net/~andreserl/+archive/ha

In prior comments it was said that this security problem was fixed in 0.7.61. According to http://nginx.net/CHANGES-0.7 it was actually fixed in 0.7.62. There were also a number of other bug fixes in 0.7.62. The karmic package page currently lists 0.7.61 as the distribution release. Please recheck the nginx release notes link included here, and consider if karmic should actually go out with 0.7.62 as opposed to 0.7.61.

Regarding last comment, as of this writing Debian sid is at 0.7.62-1.

mdepot: I think the fix has been backported to Ubuntu's 0.7.61-1ubuntu2 - at least that's what I understand from the changelog.

What's in progress now is probably the processing for previous Ubuntu releases, and it should get handled through tasks for the particular releases (i.e. a task for Hardy, Jaunty etc).

Getting 0.7.62 into Karmic would be a new bug, and given the bugfixes, I'd support it. There's only one new feature, and that will either work or not, and given the time passed since 0.7.62 has been released, did not cause a regression.

This bug was fixed in the package nginx - 0.6.35-0ubuntu1.1

---------------
nginx (0.6.35-0ubuntu1.1) jaunty-security; urgency=low

  * SECURITY UPDATE: Buffer underflow vulnerability, which allows remote
    attackers to execute arbitrary code via crafted HTTP request. (LP: #430064)
    - src/http/ngx_http_parse.c patched.
    - CVE-2009-2629.

 -- Andres Rodriguez <email address hidden> Sat, 26 Sep 2009 13:13:57 -0400