1. Check the current version and build configuration
# nginx -V
nginx version: nginx/1.8.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
2. Find the nginx installation directory and back it up
# find / -name nginx
find: ‘/run/user/42/gvfs’: 权限不够
3. Compile and install
3.1 Extract nginx-1.12.1
# tar xf nginx-1.12.1.tar.gz
3.2 Enter the nginx-1.12.1/ directory
# cd nginx-1.12.1/
3.3 Run ./configure with the same arguments as the existing build (taken from the nginx -V output in step 1)
# ./configure --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
checking for OS
+ Linux 3.10.0-327.el7.x86_64 x86_64
checking for C compiler ... found
+ using GNU C compiler
+ gcc version: 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
checking for gcc -pipe switch ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not
3.4 Run make only; do not run make install
# make
make -f objs/Makefile
make[1]: 进入目录“/usr/local/src/nginx-1.12.1”
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
-o objs/src/core/nginx.o \
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
-o objs/src/core/ngx_log.o \
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs \
-o objs/src/core/ngx_palloc.o \
3.5 Back up the nginx binary in the sbin directory (do this before replacing it)
# cp -a /usr/sbin/nginx /usr/sbin/nginx20170715.bak
3.6 After make finishes there is no need to run make install; instead, rename /usr/sbin/nginx to nginx.old
# mv /usr/sbin/nginx /usr/sbin/nginx.old
3.7 Copy the nginx binary from /usr/local/src/nginx-1.12.1/objs/ to /usr/sbin/ as the new nginx binary
# cp -a nginx /usr/sbin/
3.8 Upgrade nginx:
# make upgrade
/usr/sbin/nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
kill -USR2 `cat /var/run/nginx/nginx.pid`
kill: 用法:kill [-s 信号声明 | -n 信号编号 | -信号声明] 进程号 | 任务声明 ... 或 kill -l [信号声明]
make: *** [upgrade] 错误 1
3.9 Check whether the version upgrade succeeded:
# nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --http-scgi-temp-path=/var/tmp/nginx/scgi --with-pcre
4. Test the configuration
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# nginx -s reload
# ps -ef |grep nginx
avahi 741 1 0 3月28 ? 00:00:20 avahi-daemon: running [pv-ecmnginx02.local]
nginx 18418 21249 0 10:40 ? 00:00:00 nginx: worker process
nginx 18419 21249 0 10:40 ? 00:00:00 nginx: worker process
nginx 18420 21249 0 10:40 ? 00:00:00 nginx: worker process
nginx 18421 21249 0 10:40 ? 00:00:00 nginx: worker process
nginx 18422 21249 0 10:40 ? 00:00:00 nginx: worker process
nginx 18423 21249 0 10:40 ? 00:00:00 nginx: worker process
root 18425 15358 0 10:40 pts/0 00:00:00 grep --color=auto nginx
root 21249 1 0 5月25 ? 00:00:00 nginx: master process nginx
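Added example (not from the original post): a check for the upgrade path shown above. `nginx -V` reports the version of the binary on disk, and `nginx -s reload` only re-reads the configuration and re-forks workers from the master's existing executable image; it never loads a new binary. Because `make upgrade` aborted at `kill -USR2` (the `cat` of the pid file produced no PID), the master in the ps listing and its freshly reloaded workers are still running the old code until the master itself is replaced. The script reads the master PID (falling back to pgrep when the pid file is missing or empty), compares `/proc/<pid>/exe` with the installed binary and reports a stale master. The default pid file and binary paths are the ones from this page's configure arguments; the sample link targets in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the running nginx
# master process executes the newly installed binary after a binary upgrade.

# Decide whether a /proc/<pid>/exe link target shows a stale executable.
# $1: link target as printed by readlink, $2: path of the installed binary.
# Returns 0 (true) when stale, 1 when the master runs the installed file.
exe_is_stale() {
    target=$1
    installed=$2
    case "$target" in
        "$installed")   return 1 ;;  # exactly the file we installed
        *" (deleted)")  return 0 ;;  # replaced in place: master holds the unlinked old inode
        *)              return 0 ;;  # e.g. /usr/sbin/nginx.old after the mv in step 3.6
    esac
}

# Print the master PID. $1: pid file. Falls back to pgrep when the file is
# missing or empty, which is what broke `make upgrade` above: `cat` printed
# nothing, so `kill -USR2` received no PID and printed its usage text instead.
master_pid() {
    pid=$(tr -d '[:space:]' 2>/dev/null < "$1" || true)
    if [ -z "$pid" ]; then
        pid=$(pgrep -o -f 'nginx: master process' 2>/dev/null || true)
    fi
    [ -n "$pid" ] || return 1
    printf '%s\n' "$pid"
}

# Compare the master's executable with the installed binary and report.
# Returns 0 when the upgrade is live, 1 when the master is stale, 2 when no
# master process could be found.
check_running_nginx() {
    pidfile=${1:-/var/run/nginx/nginx.pid}
    installed=${2:-/usr/sbin/nginx}
    pid=$(master_pid "$pidfile") || { echo "no nginx master process found"; return 2; }
    target=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
    if exe_is_stale "$target" "$installed"; then
        echo "master $pid still executes '$target'; a reload will not switch it to $installed"
        return 1
    fi
    echo "master $pid executes $installed"
    return 0
}

# Usage (as root, after copying the new binary into place):
#   check_running_nginx [pidfile] [installed-binary]
```

A non-zero exit means the binary upgrade still has to be completed with the signal sequence `make upgrade` performs: USR2 to the running master, which starts a new master from the binary now on disk, then QUIT to the old master using the PID recorded in nginx.pid.oldbin. Once that is done the check passes and `ps` shows a master with a start time after the upgrade.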
5. About the vulnerability:
An attacker can construct a malicious request that triggers an integer overflow in Nginx Web Server versions 0.5.6-1.13.2 and thereby obtain sensitive information from the server's cache responses, including the real IP addresses of backend servers. In addition, some third-party Nginx modules (the affected set is not yet known) are affected by this vulnerability, which may leave the server unable to provide web service (denial of service) or leak the memory contents of worker processes.
The vulnerable code is in src/http/modules/ngx_http_range_filter_module.c. This module is a header filter that handles requests carrying a Range header. Because max_ranges is unlimited by default and the related processing logic is not strict enough, an integer overflow results; an attacker can craft a malicious request to trigger it and obtain sensitive information from the server cache. The technical details of the fix are as follows:
@@ -377,6 +377,10 @@ ngx_http_range_parse(ngx_http_request_t
range->start = start;
range->end = end;
if (ranges– == 0) {
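Review bot: the hunk shows only three context lines (`range->start = start;`, `range->end = end;`, `if (ranges– == 0) {`) and none of the added lines its header `@@ -377,6 +377,10 @@` announces (four lines added in `ngx_http_range_parse`), so the reader cannot see which check closes the overflow; quote the complete hunk with its `+` lines so the fix can be verified against the description. The `–` in `ranges–` is an en dash introduced by extraction where the C source has the `--` decrement operator.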
Affected versions: Nginx Web Server 0.5.6-1.13.2
Safe versions: Nginx Web Server 1.13.3+, 1.12.1+
Option 1: Depending on your Ubuntu release, upgrade to the specified package version. Run "sudo apt-get update && sudo apt-get install nginx" to upgrade to the following versions:
Ubuntu 16.04 LTS:
nginx-extras 1.10.3-0ubuntu0.16.04.2
nginx-full 1.10.3-0ubuntu0.16.04.2
nginx-common 1.10.3-0ubuntu0.16.04.2
nginx-light 1.10.3-0ubuntu0.16.04.2
nginx-core 1.10.3-0ubuntu0.16.04.2
Ubuntu 14.04 LTS:
nginx-extras 1.4.6-1ubuntu3.8
nginx-full 1.4.6-1ubuntu3.8
nginx-common 1.4.6-1ubuntu3.8
nginx-light 1.4.6-1ubuntu3.8
nginx-core 1.4.6-1ubuntu3.8
Option 2: If your Nginx service was installed from the official source tarball, we recommend upgrading to the official latest release listed under [Safe versions] above: Nginx Web Server 1.12.1 (stable version) or 1.13.3 (mainline version).
[1.12.1] http://nginx.org/download/nginx-1.12.1.tar.gz
[1.13.3] http://nginx.org/download/nginx-1.13.3.tar.gz
Option 3: If your Nginx service cannot be upgraded to the versions above for the time being because of other constraints, we recommend the following temporary mitigation:
In the Nginx configuration file nginx.conf, set max_ranges to 1, i.e.: max_ranges 1;
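Added example (not from the original post): an audit of nginx.conf for the temporary mitigation in option 3. It scans configuration text on stdin for `max_ranges` directives, reports the last value seen (or `unset`, which, as stated above, means nginx applies no limit) and checks that every directive found is exactly 1. It does not model http/server/location nesting, so a `max_ranges` with a larger value in any block is reported as weakening the mitigation. The sample configuration in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit nginx configuration text
# (read from stdin) for the max_ranges 1 mitigation described above.

# Scan the input and print "<directive count> <count not equal to 1> <last value>".
# Comments are stripped first; "unset" is printed when no directive is found.
scan_max_ranges() {
    awk '
        BEGIN { n = 0; bad = 0; last = "unset" }
        {
            sub(/#.*/, "")                                   # strip comments
            while (match($0, /max_ranges[ \t]+[0-9]+[ \t]*;/)) {
                d = substr($0, RSTART, RLENGTH)              # "max_ranges N;"
                sub(/^max_ranges[ \t]+/, "", d)
                sub(/[ \t]*;$/, "", d)                       # leave just N
                last = d
                n++
                if (d != "1") bad++                          # 0 = unlimited, >1 = several ranges
                $0 = substr($0, RSTART + RLENGTH)            # continue after this directive
            }
        }
        END { print n, bad, last }'
}

# Print the value of the last max_ranges directive, or "unset".
max_ranges_value() {
    scan_max_ranges | awk '{ print $3 }'
}

# Return 0 when at least one max_ranges directive exists and all of them are 1;
# return 1 when the directive is absent or any occurrence allows more ranges.
mitigation_present() {
    set -- $(scan_max_ranges)
    [ "$1" -gt 0 ] && [ "$2" -eq 0 ]
}

# Usage with a constructed configuration:
#   printf 'http {\n  max_ranges 1;  # mitigation\n  server { listen 80; }\n}\n' | mitigation_present
#   mitigation_present < /etc/nginx/nginx.conf && echo "max_ranges 1 in place"
```

Because nginx only reads included files that `nginx -t` can resolve, run the audit over every file pulled in by `include` directives as well as nginx.conf itself; a `max_ranges` left at 0 or raised above 1 in a server or location block re-enables multi-range requests for that block.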