CVE-2016-0746

Published: 26 January 2016

Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: nginx (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1.9.10-1, 1.9.10, 1.8.1.)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.9.10-0ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.4.6-1ubuntu3.4)

Patches:
Upstream: https://github.com/nginx/nginx/commit/a3d42258d97ebd0b638c20976654d3edfbaf943f
Upstream: https://github.com/nginx/nginx/commit/4b581a7c21e4328d059bf400a059c0458fc9f806
Upstream: https://github.com/nginx/nginx/commit/b1a110e3a457d98f0eaffb0cb0e646df9178024f