[nginx/f20] Fix CVE-2014-3616 virtual host confusion

Jamie Nguyen jamielinux at fedoraproject.org
Mon Sep 22 08:28:21 UTC 2014


commit 812ed44cf41c36170090faf7dcb28300949141d9
Author: Jamie Nguyen <j at jamielinux.com>
Date:   Mon Sep 22 09:27:56 2014 +0100

    Fix CVE-2014-3616 virtual host confusion

 nginx-1.4.7-fix-CVE-2014-3616.patch |   23 +++++++++++++++++++++++
 nginx.spec                          |    9 ++++++++-
 2 files changed, 31 insertions(+), 1 deletions(-)
---
diff --git a/nginx-1.4.7-fix-CVE-2014-3616.patch b/nginx-1.4.7-fix-CVE-2014-3616.patch
new file mode 100644
index 0000000..6395395
--- /dev/null
+++ b/nginx-1.4.7-fix-CVE-2014-3616.patch
@@ -0,0 +1,23 @@
+Subject: fix CVE-2014-3616, Reuse cached SSL sessions in unrelated contexts
+Origin: http://mailman.nginx.org/pipermail/nginx-devel/2014-September/005948.html
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -1498,14 +1498,16 @@ ngx_int_t
+ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
+     ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
+ {
+-    long  cache_mode;
++    long    cache_mode;
++    u_char  buf[16];
+ 
+     if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
+         SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
+         return NGX_OK;
+     }
+ 
+-    SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
++    RAND_pseudo_bytes(buf, 16);
++    SSL_CTX_set_session_id_context(ssl->ctx, buf, 16);
+ 
+     if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
+ 
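Review bot: The return value of `RAND_pseudo_bytes(buf, 16)` is ignored, so if it fails (0 means the output is not cryptographically strong, -1 means the method is unsupported) `buf` is left uninitialized and `SSL_CTX_set_session_id_context` is fed stack garbage, which may be identical across the very server blocks this patch is trying to separate. Because a predictable or shared context is the root of the CVE, failure here should abort startup rather than fall through: `if (RAND_bytes(buf, 16) != 1) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "RAND_bytes() failed"); return NGX_ERROR; }`. A second caveat worth documenting in the patch header: a fresh random context per SSL_CTX means every configuration reload invalidates all entries in a shared session cache, since a resumed session's stored id_context no longer matches the new one. As far as I recall, the fix nginx eventually released derives the context deterministically from the cache name and the server certificate, which would avoid that and is presumably why `sess_ctx` becomes an unused parameter in this version. The enclosing `ngx_ssl_session_cache` continues past the end of the hunk, so I cannot see whether later code still relies on `sess_ctx`.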
diff --git a/nginx.spec b/nginx.spec
index 3c20ef3..9692969 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -16,7 +16,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.4.7
-Release:           1%{?dist}
+Release:           2%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@@ -44,6 +44,9 @@ Source104:         50x.html
 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
 Patch0:            nginx-auto-cc-gcc.patch
 
+# CVE-2014-3616 virtual host confusion
+Patch1:            %{name}-1.4.7-fix-CVE-2014-3616.patch
+
 BuildRequires:     GeoIP-devel
 BuildRequires:     gd-devel
 %if 0%{?with_gperftools}
@@ -83,6 +86,7 @@ memory usage.
 %prep
 %setup -q
 %patch0 -p0
+%patch1 -p1
 
 
 %build
@@ -268,6 +272,9 @@ fi
 
 
 %changelog
+* Mon Sep 22 2014 Jamie Nguyen <jamielinux at fedoraproject.org> - 1:1.4.7-2
+- patch for CVE-2014-3616 virtual host confusion (#1142573, #1142575)
+
 * Tue Mar 18 2014 Jamie Nguyen <jamielinux at fedoraproject.org> - 1:1.4.7-1
 - update to upstream release 1.4.7
 

