Hello!

On Thu, Nov 19, 2020 at 02:06:46PM -0800, Frank Liu wrote:

> CVE-2019-20372 mentioned a security vulnerability, but I don't see it in
> http://nginx.org/en/security_advisories.html
> Does that mean CVE-2019-20372 is not considered a security vulnerability by
> nginx? Or is it because nginx standard config won't be vulnerable, and
> users have to enable error_log in order to be vulnerable?

The CVE-2019-20372 corresponds to the following bugfix in nginx 1.17.7:

    *) Bugfix: requests with bodies were handled incorrectly when
       returning redirections with the "error_page" directive; the bug
       had appeared in 0.7.12.

It only affects rarely used configurations with error_page returning redirects by itself, that is, configurations with "error_page ... http://...". Further, it can only have any security impact if nginx is used behind another HTTP proxy, and the configuration relies on security checks on this proxy.

Given the above, it is not considered to be a security issue, but rather treated as a bug. This bug is already fixed in all supported nginx versions.

-- 
Maxim Dounin
http://mdounin.ru/
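
One way to audit a configuration for the pattern named in the reply above ("error_page ... http://..."), as an added example that is not part of the original message or of nginx. The function name, the sample configuration and the matching of "https://" targets are assumptions of this example.

```python
import re

# Targets that make nginx answer with a redirect by itself. The page names
# "http://..."; also matching "https://" is an assumption of this example.
REDIRECT_TARGET = re.compile(r"^[\"']?https?://", re.IGNORECASE)

def find_redirecting_error_pages(config_text):
    """Return (first_line, directive) for each error_page whose target is a URL."""
    findings, buf, start = [], "", None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        # Simplification: treats every '#' as a comment start (no quoted '#').
        for ch in raw.split("#", 1)[0] + "\n":
            if ch in ";{}":  # end of a directive or a block boundary
                words = buf.split()
                if (len(words) >= 3 and words[0] == "error_page"
                        and REDIRECT_TARGET.match(words[-1])):
                    findings.append((start, " ".join(words)))
                buf, start = "", None
            else:
                if start is None and not ch.isspace():
                    start = lineno
                buf += ch
    return findings

# Constructed sample configuration (not taken from the mailing-list post).
SAMPLE = """\
server {
    error_page 404 /404.html;                 # internal redirect
    error_page 500 502 @fallback;             # named location
    error_page 401 http://example.com/login;  # redirect sent by nginx itself
    # error_page 403 http://example.com/disabled;
    location /api {
        error_page 404 =301
            https://example.com/moved;
    }
}
"""

if __name__ == "__main__":
    for line, directive in find_redirecting_error_pages(SAMPLE):
        print(f"line {line}: {directive}")
```

A match only marks a configuration of the kind the reply describes; whether the running binary already carries the 1.17.7 bugfix has to be checked separately.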