Security vulnerability found in Nginx

Arch Linux already has the 1.0.14 release available in the community repo[1].<p>There are still no new patch level version of 0.7.67 available for Debian Squeeze[2] or Ubutu 10.4 LTS' 0.7.65 version[3]. EPEL for RHEL and derivatives also lack a new upstream version[4].<p>[1]: <a href="http://projects.archlinux.org/svntogit/community.git/commit/trunk?h=packages/nginx&#38;id=9fa938f3189c65b4d4e30d6f82868f59b8dce503" rel="nofollow">http://projects.archlinux.org/svntogit/community.git/commit/...</a><p>[2]: <a href="http://packages.debian.org/changelogs/pool/main/n/nginx/?C=M;O=D" rel="nofollow">http://packages.debian.org/changelogs/pool/main/n/nginx/?C=M...</a><p>[3]: <a href="http://changelogs.ubuntu.com/changelogs/pool/universe/n/nginx/?C=M;O=D" rel="nofollow">http://changelogs.ubuntu.com/changelogs/pool/universe/n/ngin...</a><p>[4]: <a href="http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/nginx.html" rel="nofollow">http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/nginx...</a>

I may be misinterpreting the patch, but it seems like this is a NULL byte injection vulnerability, all stemming from '\0' termination in C-strings. I wonder if length-buffer pairs are more practical when security is a consideration?<p>Similar issues in Perl: <a href="http://www.phrack.org/issues.html?issue=55&#38;id=7#article" rel="nofollow">http://www.phrack.org/issues.html?issue=55&#38;id=7#article</a> and other languages: <a href="http://hakipedia.com/index.php/Poison_Null_Byte#Perl_PHP_Null_Byte_Injection" rel="nofollow">http://hakipedia.com/index.php/Poison_Null_Byte#Perl_PHP_Nul...</a>

This is a very bad bug, and you should fix it ASAP. Don't wait.

This is particularly interesting because in a lot of deployments, nginx sits out in front of a lot of other stuff as a load balancer, where it is nicely exposed.<p>You REALLY should be using multiple boxes if you're running load balancers (especially sw load balancers) with some kind of heartbeat failover. That way you can upgrade single boxes easily, and are ok in case one of them dies. With a bug of this severity, you won't have time to test the patch, so it's probably best to upgrade one at a time in production.<p>Remember, even if you're running Apache or something else for your actual web server, you can easily have something like nginx sitting in front as a proxy/load balancer. Often in front of your security monitoring devices... and you may have forgotten about it.

This only matters if your backend is going to set a header that contains a null byte. Since some people echo back user data in headers (ugh) this could cause an issue. Rails is more than happy to let you put NULLs in response headers, btw. Of course, all of the ASCII CTL characters (0..27) are forbidden by the spec: <a href="http://www.ietf.org/rfc/rfc2068.txt" rel="nofollow">http://www.ietf.org/rfc/rfc2068.txt</a>

Hey guys,<p>Looking for a consensus on the most stable way to update nginx installations from source.<p>Thanks!

The ides of march bug.