# Updating nginx silently fails because of a vulnerability



## AzaShog (Aug 10, 2014)

I tried to update www/nginx today because there's a new version. However, building www/nginx stopped with *Error code 1* and no additional explanation. Below is the output of running `make` in the port's dir, but the same output is given by `portmaster`.


```
root@azathoth:/usr/ports/www/nginx # make
 
 
*** Error code 1
 
Stop.
make[1]: stopped in /usr/ports/www/nginx
*** Error code 1
 
Stop.
make: stopped in /usr/ports/www/nginx
```

Only after running in debug mode (`make -dA`) I got the following explanation:


```
1 problem(s) in the installed packages found.'

*** Failed target:  check-vulnerable
*** Failed command: if [ -f "/var/db/pkg/vuln.xml" ]; then if [ -n "yes" ]; then if [ -x "/usr/local/sbin/pkg-static" ]; then vlist=`/usr/local/sbin/pkg-static audit "nginx-1.6.1,2"`; if [ "${vlist}" = "0 problem(s) in the installed packages found." ]; then vlist=""; fi; elif [ "nginx" = "pkg" ]; then vlist=""; fi; elif [ -x "/usr/local/sbin/portaudit" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; if [ -n "$vlist" ]; then vlist=`/usr/local/sbin/portaudit -X 14 "nginx-1.6.1,2" 2>&1 | grep -vE '^[0-9]+ problem\(s\) found.' || true`; fi ; else echo "===> portaudit database exists, however, portaudit is not installed!"; fi; if [ -n "$vlist" ]; then echo "===> nginx-1.6.1,2 has known vulnerabilities:"; echo "$vlist"; echo "=> Please update your ports tree and try again."; echo "=> Note: Vulnerable ports are marked as such even if there is no update available."; echo "=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'"; exit 1; fi; fi
*** Error code 1

Stop.
```

So my question is, am I doing something wrong, or should the ports have explained the problem without running make in debug mode? I did run portmaster with the verbose flag on too, but that produced no additional explanation. Another question, why did this block? According to the listed vulnerability (CVE-2014-3556) it affects nginx >=1.6.0,2 <1.6.1,2, meaning the version I was upgrading *from*. Is this a bug worth reporting, and if so, what should I report?

Thanks.

Edit: I forgot to mention, running with `DISABLE_VULNERABILITIES=yes` fixed the issue and I was able to update nginx.
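The `check-vulnerable` one-liner captured in the debug output above, rewritten as a small standalone script. This is an added example, not the ports framework's own code and not from any poster in the thread: it keeps the same decision logic (run the audit, strip the `N problem(s) ... found.` summary line, stop the build if anything remains, honour `DISABLE_VULNERABILITIES=yes`) but always prints the findings before failing, which is the behaviour the post asks for. The audit text is a constructed sample embedded inline so the script runs offline; the advisory text and URL in it are placeholders, and on a real system the second argument would be the output of `pkg audit "<pkgname>"`.

```shell
#!/bin/sh
# Constructed sample audit output, shaped like `pkg audit` output (not real advisories).
SAMPLE_AUDIT_CLEAN="0 problem(s) in the installed packages found."
SAMPLE_AUDIT_VULN="nginx-1.6.1,2 is vulnerable:
nginx -- (constructed placeholder advisory)
WWW: https://vuxml.example/placeholder.html

1 problem(s) in the installed packages found."

# check_vulnerable PKGNAME AUDIT_OUTPUT [DISABLE_VULNERABILITIES]
# Returns 0 if the build may proceed, 1 if it must stop.
# Unlike the silent failure seen in the thread, the findings are always
# echoed when the check fails, so a plain `make` explains why it stopped.
check_vulnerable() {
    pkgname=$1
    vlist=$2
    disable=${3:-no}

    if [ "$disable" = "yes" ]; then
        echo "===> ${pkgname}: vulnerability check skipped (DISABLE_VULNERABILITIES=yes)"
        return 0
    fi

    # The audit tool ends with a summary line; only the lines before it are findings.
    # `|| true` keeps grep's "no lines selected" status from being treated as an error.
    findings=$(printf '%s\n' "$vlist" \
        | grep -vE '^[0-9]+ problem\(s\) in the installed packages found\.$' || true)

    if [ -z "$findings" ]; then
        return 0
    fi

    echo "===> ${pkgname} has known vulnerabilities:"
    printf '%s\n' "$findings"
    echo "=> Please update your ports tree and try again."
    echo "=> Note: Vulnerable ports are marked as such even if there is no update available."
    echo "=> If you wish to ignore this vulnerability rebuild with 'make DISABLE_VULNERABILITIES=yes'"
    return 1
}

# Stand-alone demonstration: a clean audit passes, a flagged one stops and explains.
check_vulnerable "nginx-1.6.1,2" "$SAMPLE_AUDIT_CLEAN" && echo "clean audit: build continues"
check_vulnerable "nginx-1.6.1,2" "$SAMPLE_AUDIT_VULN" || echo "flagged audit: build stopped"
```

The summary-line match is the weak point of the original one-liner as well: the framework compares the whole audit output against one exact string, so any extra text (the stray quote visible in the debug output above, a warning from the package tool, a changed summary wording) makes the check fail without printing anything useful. Filtering the summary line out and echoing whatever is left is a more robust way to surface the reason.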


----------



## drhowarddrfine (Aug 10, 2014)

AzaShog said:
> why did this block?


Cause there was a vulnerability.



> Is this a bug worth reporting


The vulnerability was probably found after you installed the previous version so it's not a bug.



> running with `DISABLE_VULNERABILITIES=yes` fixed the issue and I was able to update nginx.
> am I doing something wrong



Yes. You installed a vulnerable copy of nginx. 

Of course, the vulnerability may be something that doesn't affect you but that needs to be taken into account.


----------



## AzaShog (Aug 10, 2014)

drhowarddrfine said:
> Yes. You installed a vulnerable copy of nginx.



I installed (updated to) nginx version *1.6.1,2*. According to the above linked portaudit page that's not the vulnerable version (as the portaudit page says it affects nginx >=1.6.0,2 <1.6.1,2). So either *1.6.1,2* is vulnerable, but the reported CVE ID is wrong, or there's a bug blocking the update to the non-vulnerable version.


----------



## drhowarddrfine (Aug 10, 2014)

FreshPorts says the vulnerability is in "older versions" so you may be right and the port should have let you install it. Just recently, Firefox and Chromium had similar mistakes (but not the same) in handling this.


----------



## Rolfieo (Aug 11, 2014)

I had exactly the same issue.
Cost me several hours to troubleshoot.

Solution was indeed to make it with the disabled vulnerabilities.


```
make install DISABLE_VULNERABILITIES=yes
```


----------



## AzaShog (Aug 12, 2014)

The question remains: why didn't the *check-vulnerable* target echo the error in question? Is it a config option I missed, or a bug?


----------



## kpa (Aug 12, 2014)

The issue has been fixed, the newest version of www/nginx is no longer flagged as vulnerable.


----------



## problame (Aug 22, 2014)

On my system the issue still exists. I updated the ports tree and _portmaster -L_ does not show any packages to update.

I managed to build _nginx-1.6.1_1,2_ by disabling the vulnerability check, but as you pointed out above, that's just a temporary fix.

Check out my bugreport: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192568


----------

