Hello!

> If you fix the vulnerability please also make sure to include the CVE (Common 
> Vulnerabilities & Exposures) id in your changelog entry.

I made a debdiff for myself according to upstream instructions from the patch 
[0]. It is attached to this e-mail.
The link to the upstream patch was found here:
https://security-tracker.debian.org/tracker/CVE-2021-23017

Note that the upstream patch by nginx is for fresh nginx versions, whereas my 
debdiff targets the 1.14.2-2+deb10u3 release in Debian 10 (buster), so there's 
a small possibility that the mentioned patch might not be enough to fix the 
vulnerability. But I tested the patch on the PoC Python script that the 
research team provided, and valgrind did not report invalid reads as it did 
with the current version in the Debian repos.

Applying my patch and building the package:
        apt-get source nginx
        cd nginx-1.14.2
        curl https://of.sijanec.eu/krneki/ngx-debdiff.txt | debdiff-apply
        # edit debian/changelog to set the target version (by default debdiff
        # adds .1 to previous version), probably 1.14.2-2+deb10u4
        debuild -uc -us

Regards!

[0] http://nginx.org/download/patch.2021.resolver.txt
diff -Nru nginx-1.14.2/debian/changelog nginx-1.14.2/debian/changelog
--- nginx-1.14.2/debian/changelog       2020-08-24 12:18:43.000000000 +0200
+++ nginx-1.14.2/debian/changelog       2021-05-26 20:05:08.000000000 +0200
@@ -1,3 +1,11 @@
+nginx (1.14.2-2+deb10u4) buster-security; urgency=high
+
+  * Non-maintainer upload by Anton Luka Å ijanec.
+  * Fixes CVE-2021-23017 according to the patch instructions from upstream
+    (Closes: #989095)
+
+ -- Anton Luka Å ijanec <[email protected]>  Wed, 26 May 2021 20:05:08 +0200
+
 nginx (1.14.2-2+deb10u3) buster-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
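Review bot: The new 1.14.2-2+deb10u4 entry only says the fix follows "the patch instructions from upstream" and does not name what was added. In the CVE-2021-23017 bullet, mention debian/patches/CVE-2021-23017.patch and the file it changes (src/core/ngx_resolver.c), so the entry can be matched to the patch without opening the diff. The covering e-mail describes this as a personal debdiff with the version "probably" 1.14.2-2+deb10u4, so the uploader should confirm the version string and the "Non-maintainer upload by" line before this goes to buster-security.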
diff -Nru nginx-1.14.2/debian/patches/CVE-2021-23017.patch 
nginx-1.14.2/debian/patches/CVE-2021-23017.patch
--- nginx-1.14.2/debian/patches/CVE-2021-23017.patch    1970-01-01 
01:00:00.000000000 +0100
+++ nginx-1.14.2/debian/patches/CVE-2021-23017.patch    2021-05-26 
20:05:08.000000000 +0200
@@ -0,0 +1,24 @@
+Index: nginx-1.14.2/src/core/ngx_resolver.c
+===================================================================
+--- nginx-1.14.2.orig/src/core/ngx_resolver.c
++++ nginx-1.14.2/src/core/ngx_resolver.c
+@@ -3975,15 +3975,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {
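Review bot: The new debian/patches/CVE-2021-23017.patch starts directly at the "Index:" line with no header, so nothing in the package records where the change came from. Add Description, Origin and Bug-Debian fields above it, with Origin set to http://nginx.org/download/patch.2021.resolver.txt and Bug-Debian referring to #989095. The covering e-mail notes that the upstream patch was written for newer nginx versions than 1.14.2, and the code that sizes the buffer behind name->data is not visible in this hunk, so confirm in the 1.14.2 tree that the surrounding function matches what the upstream patch assumes, and say so in the header.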
diff -Nru nginx-1.14.2/debian/patches/series nginx-1.14.2/debian/patches/series
--- nginx-1.14.2/debian/patches/series  2020-08-24 12:18:43.000000000 +0200
+++ nginx-1.14.2/debian/patches/series  2021-05-26 20:05:08.000000000 +0200
@@ -4,3 +4,4 @@
 CVE-2019-9511.patch
 CVE-2019-9513.patch
 CVE-2019-20372.patch
+CVE-2021-23017.patch
