Your message dated Fri, 10 Jul 2020 17:02:08 +0000
with message-id <[email protected]>
and subject line Bug#948579: fixed in nginx 1.14.2-2+deb10u2
has caused the Debian Bug report #948579,
regarding nginx: CVE-2019-20372
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.16.1-2
Severity: important
Tags: security upstream
Control: found -1 1.14.2-2+deb10u1
Hi,
The following vulnerability was published for nginx.
CVE-2019-20372[0]:
| NGINX before 1.17.7, with certain error_page configurations, allows
| HTTP request smuggling, as demonstrated by the ability of an attacker
| to read unauthorized web pages in environments where NGINX is being
| fronted by a load balancer.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
[1] https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
[2] https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.14.2-2+deb10u2
Done: Christos Trochalakis <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 11 Jan 2020 09:28:05 +0200
Source: nginx
Architecture: source
Version: 1.14.2-2+deb10u2
Distribution: buster
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Christos Trochalakis <[email protected]>
Closes: 948579
Changes:
nginx (1.14.2-2+deb10u2) buster; urgency=medium
.
  * Handle CVE-2019-20372, error page request smuggling (Closes: #948579)
Checksums-Sha1:
 e8d468a74ef28eb7f886ad5fb71248275c6ab8e0 4181 nginx_1.14.2-2+deb10u2.dsc
 a37d38aa5eab27300cdd9144cae3e5e7a7781afb 930804 nginx_1.14.2-2+deb10u2.debian.tar.xz
Checksums-Sha256:
 c8d2e7aaba12b75faf59a3fa65ed858b1ff49620bb31678161928f509f83ae43 4181 nginx_1.14.2-2+deb10u2.dsc
 edb7b4360d7bc1230197a0ade74e4bb74e0dca485f995f1eace75bf9ad4dcaeb 930804 nginx_1.14.2-2+deb10u2.debian.tar.xz
Files:
 74810cc174e831dc42da8a3122d20275 4181 httpd optional nginx_1.14.2-2+deb10u2.dsc
 a9de207d82667696205aeb8ae54140a8 930804 httpd optional nginx_1.14.2-2+deb10u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
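The close message above carries the signed .changes file for the 1.14.2-2+deb10u2 upload, with Checksums-Sha1, Checksums-Sha256 and Files stanzas. A practitioner mirroring or auditing this security update wants to check that the files they fetched match those stanzas before building or installing. The following script is an added example, not part of the bug thread and not Debian's own tooling (dpkg-dev and dscverify do this in the archive); it parses the stanzas in Debian control format and verifies a download directory against them. The excerpt it embeds is copied from the .changes file above; the `b"hello"` test input and the helper names (`parse_checksums`, `verify_file`, `verify_download_dir`, `verify_bytes`) are this example's own. It deliberately checks size before digest, and it does not replace verifying the PGP signature on the .changes file itself, which is what makes those digests trustworthy in the first place.

```python
import hashlib
import os
import tempfile

# Excerpt copied from the .changes file quoted in the close message above;
# only the fields this example needs are kept.
CHANGES_EXCERPT = """\
Format: 1.8
Source: nginx
Version: 1.14.2-2+deb10u2
Checksums-Sha256:
 c8d2e7aaba12b75faf59a3fa65ed858b1ff49620bb31678161928f509f83ae43 4181 nginx_1.14.2-2+deb10u2.dsc
 edb7b4360d7bc1230197a0ade74e4bb74e0dca485f995f1eace75bf9ad4dcaeb 930804 nginx_1.14.2-2+deb10u2.debian.tar.xz
Files:
 74810cc174e831dc42da8a3122d20275 4181 httpd optional nginx_1.14.2-2+deb10u2.dsc
 a9de207d82667696205aeb8ae54140a8 930804 httpd optional nginx_1.14.2-2+deb10u2.debian.tar.xz
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one multi-line stanza.

    Debian control format: a field line such as "Checksums-Sha256:" is
    followed by continuation lines indented by one space, up to the next
    non-indented field. Checksums-* lines are "<digest> <size> <filename>";
    the legacy Files stanza is "<md5> <size> <section> <priority> <filename>",
    so the digest is always the first token and the filename the last.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            # A new field begins; stay "inside" only if it is the one we want.
            in_stanza = line.rstrip() == field + ":"
            continue
        if not in_stanza:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed checksum line: %r" % line)
        entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
    return entries


def verify_file(path, expected_digest, expected_size, algo="sha256"):
    """Cheap size check first, then a chunked digest of the file."""
    if os.path.getsize(path) != expected_size:
        return False
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == expected_digest.lower()


def verify_download_dir(changes_text, directory, field="Checksums-Sha256"):
    """Verify every file listed in the stanza; a missing file is a failure.

    Returns {filename: bool} so the caller can report each file separately.
    """
    algo = field.split("-", 1)[1].lower() if field.startswith("Checksums-") else "md5"
    results = {}
    for name, (digest, size) in parse_checksums(changes_text, field).items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and verify_file(path, digest, size, algo)
    return results


def verify_bytes(data, expected_digest, expected_size, algo="sha256"):
    """Demo/test helper: verify in-memory bytes by way of a temporary file."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return verify_file(path, expected_digest, expected_size, algo)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Point this at the directory where nginx_1.14.2-2+deb10u2.* were fetched.
    for name, ok in verify_download_dir(CHANGES_EXCERPT, ".").items():
        print("%s %s" % ("OK " if ok else "BAD", name))
```

Run it from the directory holding the fetched source files; any BAD line means the file is missing, truncated, or not the one the maintainer signed.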