NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. https://nginx.org/en/CHANGES doesn't reference the CVE, only stating: *) Bugfix: requests with bodies were handled incorrectly when returning redirections with the "error_page" directive; the bug had appeared in 0.7.12. Further upstream and other references exist in the Mitre CVE entry. The upstream commit reference is: https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e The 1.16.x stable branch may or may not have received a backport of the patch(es) to fix the issue. This should be investigated/verified. A manual backport may be necessary.
Debian patch (backport to 1.16.1) available here: https://sources.debian.org/patches/nginx/1.16.1-3/ https://sources.debian.org/data/main/n/nginx/1.16.1-3/debian/patches/CVE-2019-20372.patch
A commit references this bug: Author: joneum Date: Sun Feb 9 11:10:36 UTC 2020 New revision: 525646 URL: https://svnweb.freebsd.org/changeset/ports/525646 Log: Add entry for nginx PR: 243952 Sponsored by: Netzkommune GmbH Changes: head/security/vuxml/vuln.xml
A commit references this bug: Author: joneum Date: Sun Feb 9 11:16:41 UTC 2020 New revision: 525647 URL: https://svnweb.freebsd.org/changeset/ports/525647 Log: Add patch for CVE-2019-20372 NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372 PR: 243952 Reported by: koobs and many more MFH: 2020Q1 Security: c1202de8-4b29-11ea-9673-4c72b94353b5 Sponsored by: Netzkommune GmbH Changes: head/www/nginx/Makefile head/www/nginx/files/patch-CVE-2019-20372
A commit references this bug: Author: joneum Date: Sun Feb 9 11:19:02 UTC 2020 New revision: 525648 URL: https://svnweb.freebsd.org/changeset/ports/525648 Log: MFH: r525647 Add patch for CVE-2019-20372 NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372 PR: 243952 Reported by: koobs and many more Security: c1202de8-4b29-11ea-9673-4c72b94353b5 Sponsored by: Netzkommune GmbH Approved by: ports-secteam (with hat) Changes: _U branches/2020Q1/ branches/2020Q1/www/nginx/Makefile branches/2020Q1/www/nginx/files/patch-CVE-2019-20372
thx for reporting :)
reopen for commit nginx-devel to MFH @osa: can you pls commit -devel to MFH, too? :-) Approved by: ports-secteam (joneum)
(In reply to Jochen Neumeister from comment #6) www/nginx-devel has 1.17.8 already.
which version is currently from -devel in 2020Q1? If this is a version before 1.17.7, the current version after 2020Q1 should also be
(In reply to Jochen Neumeister from comment #8) It's 1.17.7, please visit the following link for details: https://svnweb.freebsd.org/ports/branches/2020Q1/www/nginx-devel/Makefile?revision=521721&view=markup