Your message dated Fri, 10 Jul 2020 17:02:23 +0000
with message-id <[email protected]>
and subject line Bug#948579: fixed in nginx 1.10.3-1+deb9u4
has caused the Debian Bug report #948579,
regarding nginx: CVE-2019-20372
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.16.1-2
Severity: important
Tags: security upstream
Control: found -1 1.14.2-2+deb10u1
Hi,
The following vulnerability was published for nginx.
CVE-2019-20372[0]:
| NGINX before 1.17.7, with certain error_page configurations, allows
| HTTP request smuggling, as demonstrated by the ability of an attacker
| to read unauthorized web pages in environments where NGINX is being
| fronted by a load balancer.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
[1] https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
[2] https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.10.3-1+deb9u4
Done: Christos Trochalakis <[email protected]>
We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christos Trochalakis <[email protected]> (supplier of updated nginx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 11 Jan 2020 09:28:05 +0200
Source: nginx
Binary: nginx nginx-doc nginx-common nginx-full nginx-light nginx-extras
libnginx-mod-http-geoip libnginx-mod-http-image-filter
libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream
libnginx-mod-http-perl libnginx-mod-http-auth-pam libnginx-mod-http-lua
libnginx-mod-http-ndk libnginx-mod-nchan libnginx-mod-http-echo
libnginx-mod-http-upstream-fair libnginx-mod-http-headers-more-filter
libnginx-mod-http-cache-purge libnginx-mod-http-fancyindex
libnginx-mod-http-uploadprogress libnginx-mod-http-subs-filter
libnginx-mod-http-dav-ext
Architecture: source
Version: 1.10.3-1+deb9u4
Distribution: stretch
Urgency: medium
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Christos Trochalakis <[email protected]>
Description:
libnginx-mod-http-auth-pam - PAM authentication module for Nginx
libnginx-mod-http-cache-purge - Purge content from Nginx caches
libnginx-mod-http-dav-ext - WebDAV missing commands support for Nginx
libnginx-mod-http-echo - Bring echo and more shell style goodies to Nginx
libnginx-mod-http-fancyindex - Fancy indexes module for the Nginx
libnginx-mod-http-geoip - GeoIP HTTP module for Nginx
libnginx-mod-http-headers-more-filter - Set and clear input and output headers for Nginx
libnginx-mod-http-image-filter - HTTP image filter module for Nginx
libnginx-mod-http-lua - Lua module for Nginx
libnginx-mod-http-ndk - Nginx Development Kit module
libnginx-mod-http-perl - Perl module for Nginx
libnginx-mod-http-subs-filter - Substitution filter module for Nginx
libnginx-mod-http-uploadprogress - Upload progress system for Nginx
libnginx-mod-http-upstream-fair - Nginx Upstream Fair Proxy Load Balancer
libnginx-mod-http-xslt-filter - XSLT Transformation module for Nginx
libnginx-mod-mail - Mail module for Nginx
libnginx-mod-nchan - Fast, flexible pub/sub server for Nginx
libnginx-mod-stream - Stream module for Nginx
nginx - small, powerful, scalable web/proxy server
nginx-common - small, powerful, scalable web/proxy server - common files
nginx-doc - small, powerful, scalable web/proxy server - documentation
nginx-extras - nginx web/proxy server (extended version)
nginx-full - nginx web/proxy server (standard version)
nginx-light - nginx web/proxy server (basic version)
Closes: 948579
Changes:
nginx (1.10.3-1+deb9u4) stretch; urgency=medium
.
* Handle CVE-2019-20372, error page request smuggling
(Closes: #948579)
Checksums-Sha1:
4cadd67eeb4def67a73ea7cbaa858600696ee47d 4232 nginx_1.10.3-1+deb9u4.dsc
0d7a0cbc1830efeedf6b98bfd36725d39bee38cc 849236 nginx_1.10.3-1+deb9u4.debian.tar.xz
Checksums-Sha256:
8214f181f648e031e4e53a0246fe65b2fec9442bff245311e1a48bcaa2b52d9a 4232 nginx_1.10.3-1+deb9u4.dsc
48bc904dcd3dc4d0352133080aa8c90d36eb1b79f43737276c017da22d1f9cd6 849236 nginx_1.10.3-1+deb9u4.debian.tar.xz
Files:
26b142446e68d964645b9b8886f08269 4232 httpd optional nginx_1.10.3-1+deb9u4.dsc
7097a50e8ed366383915353f408c3c03 849236 httpd optional nginx_1.10.3-1+deb9u4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---