Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I'd like to upload nginx 1.10.3-1+deb9u4, addressing the non-critical CVE-2019-20372. Attaching a debdiff.

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579

-- System Information:
Debian Release: 10.2
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (4, 'unstable'), (2, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru nginx-1.10.3/debian/changelog nginx-1.10.3/debian/changelog
--- nginx-1.10.3/debian/changelog 2019-08-19 12:31:19.000000000 +0300
+++ nginx-1.10.3/debian/changelog 2020-01-11 09:28:05.000000000 +0200
@@ -1,3 +1,10 @@
+nginx (1.10.3-1+deb9u4) stretch; urgency=medium
+
+ * Handle CVE-2019-20372, error page request smuggling
+ (Closes: #948579)
+
+ -- Christos Trochalakis <ctrochalakis@debian.org> Sat, 11 Jan 2020 09:28:05 +0200
+
nginx (1.10.3-1+deb9u3) stretch-security; urgency=high
* Backport upstream fixes for 3 CVEs (Closes: #935037)
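Review bot: The new changelog entry does not say that the fix is a backport of an upstream commit, whereas the previous deb9u3 entry explicitly records "Backport upstream fixes"; since the added debian/patches file carries the upstream id 8bffc01d084b4881e3eed2052c115b8f04268cb9, naming it here (e.g. "Backport upstream fix 8bffc01d for CVE-2019-20372, request smuggling via error_page redirects") makes the provenance traceable from the changelog alone. Targeting "stretch" with urgency=medium is consistent with a pu upload via release.debian.org rather than stretch-security, and the Closes: #948579 matches the bug referenced in the mail.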
diff -Nru nginx-1.10.3/debian/patches/CVE-2019-20372.patch nginx-1.10.3/debian/patches/CVE-2019-20372.patch
--- nginx-1.10.3/debian/patches/CVE-2019-20372.patch 1970-01-01 02:00:00.000000000 +0200
+++ nginx-1.10.3/debian/patches/CVE-2019-20372.patch 2020-01-11 09:28:05.000000000 +0200
@@ -0,0 +1,31 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- a/src/http/ngx_http_special_response.c
++++ b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+ return ngx_http_named_location(r, &uri);
+ }
+
++ r->expect_tested = 1;
++
++ if (ngx_http_discard_request_body(r) != NGX_OK) {
++ r->keepalive = 0;
++ }
++
+ location = ngx_list_push(&r->headers_out.headers);
+
+ if (location == NULL) {
+--
+2.23.0
+
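Review bot: The fallback of setting r->keepalive = 0 when ngx_http_discard_request_body() returns something other than NGX_OK is the right defensive choice: the redirect response is still built and sent (the hunk continues into ngx_list_push for the Location header), but closing the connection afterwards ensures that any request-body bytes that could not be consumed are never left on the connection to be parsed as the start of a following request. Two things worth confirming before upload: the change sits after the "return ngx_http_named_location(r, &uri);" early exit, so it only covers the URL-redirect branch of error_page and leaves the named-location branch untouched, which should be stated in the changelog or patch header so a later reviewer does not expect the body to be discarded there too; and the hunk header "@@ -623,6 +623,12 @@" comes from a December 2019 upstream tree, so it should be checked that it applies to the 1.10.3 ngx_http_special_response.c without offset or fuzz (a quilt refresh would pin the correct line numbers for this branch).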
diff -Nru nginx-1.10.3/debian/patches/series nginx-1.10.3/debian/patches/series
--- nginx-1.10.3/debian/patches/series 2019-08-19 12:31:19.000000000 +0300
+++ nginx-1.10.3/debian/patches/series 2020-01-11 09:28:05.000000000 +0200
@@ -13,3 +13,4 @@
CVE-2019-9516.patch
CVE-2019-9511.patch
CVE-2019-9513.patch
+CVE-2019-20372.patch
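Review bot: No issue with this hunk; the new series entry matches the file name added under debian/patches exactly and is appended after the three CVE-2019-95xx HTTP/2 patches from deb9u3, so it applies last and does not disturb the existing patch order.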