| Summary: | www/nginx: Versions < 1.17.7, with certain error_page configurations, allows HTTP request smuggling (CVE-2019-20372) | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Kubilay Kocak <koobs> |
| Component: | Individual Port(s) | Assignee: | Jochen Neumeister <joneum> |
| Status: | Closed FIXED | | |
| Severity: | Affects Many People | CC: | joneum, koobs, osa, ports-secteam |
| Priority: | Normal | Keywords: | security |
| Version: | Latest | Flags: | koobs: maintainer-feedback+; joneum: merge-quarterly+ |
| Hardware: | Any | | |
| OS: | Any | | |
| URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372 | | |
Description

Kubilay Kocak
2020-02-07 04:38:48 UTC

Debian patch (backport to 1.16.1) available here:
https://sources.debian.org/patches/nginx/1.16.1-3/
https://sources.debian.org/data/main/n/nginx/1.16.1-3/debian/patches/CVE-2019-20372.patch

A commit references this bug:

Author: joneum
Date: Sun Feb 9 11:10:36 UTC 2020
New revision: 525646
URL: https://svnweb.freebsd.org/changeset/ports/525646

Log:
Add entry for nginx

PR: 243952
Sponsored by: Netzkommune GmbH

Changes:
head/security/vuxml/vuln.xml

A commit references this bug:

Author: joneum
Date: Sun Feb 9 11:16:41 UTC 2020
New revision: 525647
URL: https://svnweb.freebsd.org/changeset/ports/525647

Log:
Add patch for CVE-2019-20372

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372

PR: 243952
Reported by: koobs and many more
MFH: 2020Q1
Security: c1202de8-4b29-11ea-9673-4c72b94353b5
Sponsored by: Netzkommune GmbH

Changes:
head/www/nginx/Makefile
head/www/nginx/files/patch-CVE-2019-20372

A commit references this bug:

Author: joneum
Date: Sun Feb 9 11:19:02 UTC 2020
New revision: 525648
URL: https://svnweb.freebsd.org/changeset/ports/525648

Log:
MFH: r525647

Add patch for CVE-2019-20372

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372

PR: 243952
Reported by: koobs and many more
Security: c1202de8-4b29-11ea-9673-4c72b94353b5
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (with hat)

Changes:
_U branches/2020Q1/
branches/2020Q1/www/nginx/Makefile
branches/2020Q1/www/nginx/files/patch-CVE-2019-20372

thx for reporting :)

reopen for commit nginx-devel to MFH

@osa: can you pls commit -devel to MFH, too? :-)

Approved by: ports-secteam (joneum)

(In reply to Jochen Neumeister from comment #6)

www/nginx-devel has 1.17.8 already.

which version is currently from -devel in 2020Q1? If this is a version before 1.17.7, the current version after 2020Q1 should also be

(In reply to Jochen Neumeister from comment #8)

It's 1.17.7, please visit the following link for details:
https://svnweb.freebsd.org/ports/branches/2020Q1/www/nginx-devel/Makefile?revision=521721&view=markup