nginx not built as Position Independent; does not use BIND_NOW
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
nginx (Debian) | Fix Released | Unknown | | |
nginx (Ubuntu) | Fix Released | Low | Thomas Ward | |
Precise | Won't Fix | Wishlist | Thomas Ward | |
Trusty | Won't Fix | Wishlist | Thomas Ward | |
Utopic | Won't Fix | Wishlist | Thomas Ward | |
Vivid | Fix Released | Low | Thomas Ward | |
Bug Description
nginx (1.4.6-1ubuntu3) is not being built with -fPIE -pie. I am running Ubuntu 14.04 LTS. I've included the output when scanning apache2 with hardening-check just for comparison purposes.
$ hardening-check /usr/sbin/nginx
/usr/sbin/nginx:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
$ dpkg -l | grep "nginx-core"
ii nginx-core 1.4.6-1ubuntu3 amd64 nginx web/proxy server (core version)
$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04
$ hardening-check /usr/sbin/apache2
/usr/sbin/apache2:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: yes
Changed in nginx (Ubuntu):
status: New → Confirmed
assignee: nobody → Thomas Ward (teward)
Changed in nginx (Ubuntu):
status: Confirmed → Triaged
Changed in nginx (Debian):
status: Unknown → New
Changed in nginx (Debian):
status: New → Fix Committed
Changed in nginx (Ubuntu Precise):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Trusty):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Utopic):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Vivid):
importance: Undecided → Wishlist
Changed in nginx (Ubuntu Vivid):
importance: Wishlist → Low
Changed in nginx (Ubuntu Vivid):
status: Triaged → Fix Committed
Changed in nginx (Debian):
status: Fix Committed → Fix Released
Thomas, since the fix is trivial and the benefit would be very welcome, would it be possible to SRU this?