When will this package be updated to resolve CVE-2017-7529 security vulnerability? This needs to be updated to at least 1.13.2 to resolve it.

Asked by Sova on 2018-09-28

This package needs a security update.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7529

    An integer overflow has been found in the HTTP range module of Nginx, a high-performance web and reverse proxy server, which may result in information disclosure.

    We recommend that you upgrade your nginx packages.

Question information

Language: English
Status: Answered
For: Ubuntu nginx
Assignee: No assignee
Last query: 2018-09-29
Last reply: 2018-10-02
Thomas Ward (teward) said : #1

This is already patched in all releases of Ubuntu:

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7529.html

We backported the specific patch.

We are not going to update the packages to 1.14.x just to fix the CVE, since we can backport the fixes to affected releases (which we did a while ago).

Sova (sovamind) said : #2

I don't understand, are you saying that you expect users to install from source on the Long Term Support branch?

Thomas Ward (teward) said : #3

Which Ubuntu package revisions are you referring to, specifically?

Of relevance is that we **do not update versions in already-released Ubuntu releases for new major releases**, at least for NGINX. Please read https://askubuntu.com/questions/151283/why-dont-the-ubuntu-repositories-have-the-latest-versions-of-software for some helpful info on this.

Note we track NGINX Stable where we can in LTS releases, but we track Mainline in some interim releases. The package versions in all Ubuntu releases are version-locked to the versions that are present in those releases once that Ubuntu version is released.

For Trusty and later, when a security vulnerability is discovered, the Security Team and I work together to get the security patches from upstream backported into the specific Ubuntu releases which are affected. Therefore, Trusty and Xenial have both received patches to patch against CVE-2017-7529.

Thomas Ward (teward) said : #4

Please also read https://wiki.ubuntu.com/SecurityTeam/FAQ#Versions from the Security Team about the version locking (and why we don't update the entire version and instead backport security patches), and this is what is done typically in Debian too based on https://www.debian.org/security/faq#version

Sova (sovamind) said : #5

You said this is patched in all releases. Does this mean that the binary packages have had the patch applied and been rereleased with the same version numbers? Our vulnerability scanner has identified the software as being vulnerable, but I don't think it is actually checking for the vulnerability as much as detecting that the version number matches a version that is vulnerable.

Thanks for helping clear things up.

Thomas Ward (teward) said : #6

As a certified IT Security Professional, who has been doing this for a number of years, **do not trust Vulnerability Scanner Results verbatim**!

Vulnerability Scanners work off of major upstream providers' version data, they aren't in sync with the OS-specific patch sets of what is or isn't patched.

OpenVAS is superior to Nessus for this reason: they pull vendor patch data down at times, including Ubuntu's, and use that in their evaluations. (That said, OpenVAS actually *tests* for the vulnerability, not just the version string). Scanners like Nessus base it solely on the version strings alone, and don't pay attention to vendor downstream patching.

Ubuntu's versions are patched with the patches, and the same version string released (with a -XubuntuY specific string added where appropriate; from the previously mentioned CVE tracker link you can see the Ubuntu-specific package version strings which have the patch). So yes, the binaries are patched and released (but NOT version bumped or updated to the latest upstream supported versions, for the same reason as the FAQ links I provided stated).

Sova (sovamind) said : #7

I appreciate your concern about vulnerability scanners reporting false positives. It is funny you mention using OpenVAS because that is what we are using and it is detecting that version 1.10.3-0ubuntu0.16.04.2 is installed and reporting it as vulnerable. Dpkg reports the same version on the box and we are using the Ubuntu LTS 16 security repository with APT for updates. There is no newer package being reported available by Apt.

Since I'm unaware of an actual exploit to test the vulnerability, we were led to believe that this vulnerability has not been addressed yet by Ubuntu. This was based on the scan and version number being reported. We have not done binary analysis of the package and didn't really think we'd need to do so. I apologize for starting from a position of assumption that it is vulnerable, but I think many others would be confused given similar information.

At this point, my goal is to determine whether or not this is a false positive.

You have indicated that Ubuntu may have patched the vulnerability for the release. So I'm trying now to figure out if the latest package available in LTS 16 security repository is actually patched. Is there a way to confirm this? If we can confirm it then we can mark this as a false positive and configure overrides to prevent additional alerts.

In the meantime, we have grabbed newer binary packages from the Ubuntu LTS 18 repo and manually installed for critical hosts.

Sova (sovamind) said : #8

Based on the link to the bug tracker [ https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1704151 ] included in this discussion, it looks like this was fixed in package version 1.12. Your comment closing the bug is: "This bug was fixed in the package nginx - 1.12.1-0ubuntu1"

However, I'm looking at the Xenial package listing and it looks like the most currently available package is the 1.10.3-0ubuntu0.16.04.2.
[ https://packages.ubuntu.com/xenial/nginx ]

The Xenial updates page also has the same version (1.10.3).
[ https://packages.ubuntu.com/xenial-updates/nginx ]

The Backports has nothing listed.
[ https://packages.ubuntu.com/search?suite=xenial-backports&searchon=names&keywords=nginx ]

Again, unless I'm missing something, it doesn't appear that the version available for U16/Xenial is patched.

Steve Beattie (sbeattie) said : #9

Hi Sova,

CVE-2017-7529 was fixed in Ubuntu 16.04 LTS (xenial) in nginx 1.10.3-0ubuntu0.16.04.2 (https://launchpad.net/ubuntu/+source/nginx/1.10.3-0ubuntu0.16.04.2) as announced in USN 3352-1 (https://usn.ubuntu.com/3352-1/).

As Thomas has pointed out repeatedly, vulnerability scanners are often implemented in a naive fashion and report inaccurate results. Ubuntu (with a few exceptions) does not pull new major versions into older releases because of the risk of introducing regressions and breaking people's configurations. Furthermore, by pulling in the version of nginx from 18.04 LTS into your 16.04 LTS system, your system is currently running a setup that has not been tested, particularly in an integrated fashion, that is, with the library versions in Ubuntu 16.04 that nginx makes use of.

Thomas Ward (teward) said : #10

And specifically about your last statement, when I say "backport the patch" I mean we take the patch written for later versions and adjust it to work with the older version, then apply that and release to -security and -updates. Not to the Backports repository which is a completely different thing.

As for the *bug* not stating that it was fixed, Steve Beattie, when they uploaded, accidentally left the bug out of the changelog, which is why the thing didn't report there was a Xenial fix.

When in doubt, refer to the USNs and the CVE tracker, not the bugs.
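One way to answer the "is there a way to confirm this?" question from the thread without trusting the scanner is to compare the installed package version against the version named in the USN, using the same ordering rules as `dpkg --compare-versions`. This is an added example, not code from the thread, from Ubuntu or from dpkg: the `dpkg -s` output is constructed, the fixed versions are the ones stated in the thread (1.13.2 upstream, 1.10.3-0ubuntu0.16.04.2 for xenial per USN-3352-1), and the comparison is a re-implementation of dpkg's version-ordering algorithm.

```python
import re
def _cmp(x, y):
    return (x > y) - (x < y)

def _order(c):
    # dpkg character weights: '~' sorts before everything, digits/end of string next, then letters, then other symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's comparison of an upstream or revision string: alternate non-digit runs (by _order) and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            c = _cmp(_order(a[i]) if i < len(a) else 0, _order(b[j]) if j < len(b) else 0)
            if c:
                return c
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return _cmp(int(da or 0), int(db or 0))
    return 0

def _split(v):
    # "[epoch:]upstream[-revision]"; the revision is everything after the last '-'
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return _cmp(ea, eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

# Constructed sample, modelled on `dpkg -s nginx` output from a xenial host (not captured from the thread).
DPKG_STATUS = "Package: nginx\nStatus: install ok installed\nVersion: 1.10.3-0ubuntu0.16.04.2\n"
UPSTREAM_FIXED = "1.13.2"                          # first upstream release carrying the fix
USN_FIXED = {"xenial": "1.10.3-0ubuntu0.16.04.2"}  # fixed package for xenial per USN-3352-1 (from the thread)

def installed_version(status_text):
    # pick the Version: field out of dpkg -s output (epochs keep their leading "N:")
    m = re.search(r"^Version:\s*(.+)$", status_text, re.M)
    return m.group(1).strip() if m else None

def assess(installed, release):
    """Return (flagged_by_upstream_version_alone, patched_per_usn) for the installed package."""
    flagged = compare_versions(installed, UPSTREAM_FIXED) < 0
    patched = compare_versions(installed, USN_FIXED[release]) >= 0
    return flagged, patched
```

On a real host, `dpkg -s nginx` supplies the installed version and `apt-get changelog nginx` shows the Ubuntu changelog entries where the security upload can be checked for the CVE id; `assess` returns (True, True) for the sample, which is exactly the false positive discussed in the thread.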
