Bug 243952 - www/nginx: Versions < 1.17.7, with certain error_page configurations, allows HTTP request smuggling (CVE-2019-20372)
Summary: www/nginx: Versions < 1.17.7, with certain error_page configurations, allows ...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Jochen Neumeister
URL: https://cve.mitre.org/cgi-bin/cvename...
Keywords: security
Depends on:
Blocks:
 
Reported: 2020-02-07 04:38 UTC by Kubilay Kocak
Modified: 2020-02-21 16:12 UTC (History)
4 users (show)

See Also:
koobs: maintainer-feedback+
joneum: merge-quarterly+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kubilay Kocak freebsd_committer freebsd_triage 2020-02-07 04:38:48 UTC
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

https://nginx.org/en/CHANGES doesn't reference the CVE, only stating:

    *) Bugfix: requests with bodies were handled incorrectly when returning
       redirections with the "error_page" directive; the bug had appeared in
       0.7.12.

Further upstream and other references exist in the Mitre CVE entry. The upstream commit reference is:

https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e

The 1.16.x stable branch may or may not have received a backport of the patch(es) to fix the issue. This should be investigated/verified. A manual backport may be necessary.
Comment 2 commit-hook freebsd_committer 2020-02-09 11:11:02 UTC
A commit references this bug:

Author: joneum
Date: Sun Feb  9 11:10:36 UTC 2020
New revision: 525646
URL: https://svnweb.freebsd.org/changeset/ports/525646

Log:
  Add entry for nginx

  PR:		243952
  Sponsored by:	Netzkommune GmbH

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer 2020-02-09 11:17:03 UTC
A commit references this bug:

Author: joneum
Date: Sun Feb  9 11:16:41 UTC 2020
New revision: 525647
URL: https://svnweb.freebsd.org/changeset/ports/525647

Log:
  Add patch for CVE-2019-20372

  NGINX before 1.17.7, with certain error_page configurations,
  allows HTTP request smuggling, as demonstrated by the ability
  of an attacker to read unauthorized web pages in environments
  where NGINX is being fronted by a load balancer.

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372

  PR:		243952
  Reported by:	koobs and many more
  MFH:		2020Q1
  Security:	c1202de8-4b29-11ea-9673-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

Changes:
  head/www/nginx/Makefile
  head/www/nginx/files/patch-CVE-2019-20372
Comment 4 commit-hook freebsd_committer 2020-02-09 11:19:05 UTC
A commit references this bug:

Author: joneum
Date: Sun Feb  9 11:19:02 UTC 2020
New revision: 525648
URL: https://svnweb.freebsd.org/changeset/ports/525648

Log:
  MFH: r525647

  Add patch for CVE-2019-20372

  NGINX before 1.17.7, with certain error_page configurations,
  allows HTTP request smuggling, as demonstrated by the ability
  of an attacker to read unauthorized web pages in environments
  where NGINX is being fronted by a load balancer.

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372

  PR:		243952
  Reported by:	koobs and many more
  Security:	c1202de8-4b29-11ea-9673-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2020Q1/
  branches/2020Q1/www/nginx/Makefile
  branches/2020Q1/www/nginx/files/patch-CVE-2019-20372
Comment 5 Jochen Neumeister freebsd_committer 2020-02-09 11:21:57 UTC
thx for reporting :)
Comment 6 Jochen Neumeister freebsd_committer 2020-02-11 08:55:32 UTC
reopen for commit nginx-devel to MFH

@osa: can you pls commit -devel to MFH, too? :-)

Approved by: ports-secteam (joneum)
Comment 7 Sergey A. Osokin freebsd_committer 2020-02-11 14:56:14 UTC
(In reply to Jochen Neumeister from comment #6)
www/nginx-devel has 1.17.8 already.
Comment 8 Jochen Neumeister freebsd_committer 2020-02-11 15:10:09 UTC
which version is currently from -devel in 2020Q1? If this is a version before 1.17.7, the current version after 2020Q1 should also be
Comment 9 Sergey A. Osokin freebsd_committer 2020-02-21 16:12:57 UTC
(In reply to Jochen Neumeister from comment #8)
It's 1.17.7, please visit the following link for details:
https://svnweb.freebsd.org/ports/branches/2020Q1/www/nginx-devel/Makefile?revision=521721&view=markup