Hello community,

here is the log from the commit of package nginx for openSUSE:Leap:15.2 checked in at 2020-02-09 11:25:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/nginx (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.nginx.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nginx"

Sun Feb  9 11:25:17 2020 rev:44 rq:770781 version:1.14.2

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/nginx/nginx.changes    2020-01-15 
15:33:31.250863896 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.nginx.new.26092/nginx.changes 2020-02-09 
11:25:20.199296143 +0100
@@ -1,0 +2,8 @@
+Thu Jan 30 12:58:15 UTC 2020 - Alexandros Toptsoglou <[email protected]>
+
+- CVE-2019-20372: Fixed an HTTP request smuggling with certain error_page 
+  configurations which could have allowed unauthorized web page reads 
+  (bsc#1160682). 
+  Added CVE-2019-20372.patch 
+
+-------------------------------------------------------------------
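Review bot: The changelog entry names CVE-2019-20372.patch but not where it was taken from. The spec tags the patch PATCH-FIX-UPSTREAM, so citing the upstream commit or release here would tell a later maintainer when the patch can be dropped on a version bump. The phrase "Fixed an HTTP request smuggling" is also missing its noun ("issue" or "vulnerability").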

New:
----
  CVE-2019-20372.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nginx.spec ++++++
--- /var/tmp/diff_new_pack.j4TeZW/_old  2020-02-09 11:25:20.759296462 +0100
+++ /var/tmp/diff_new_pack.j4TeZW/_new  2020-02-09 11:25:20.763296465 +0100
@@ -119,6 +119,8 @@
 Patch7:         CVE-2019-9513.patch
 # PATCH-FIX-UPSTREAM CVE-2019-9516.patch
 Patch8:         CVE-2019-9516.patch
+# PATCH-FIX-UPSTREAM CVE-2019-20372.patch
+Patch9:         CVE-2019-20372.patch
 BuildRequires:  gcc-c++
 BuildRequires:  gd-devel
 BuildRequires:  libxslt-devel
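Review bot: The `# PATCH-FIX-UPSTREAM CVE-2019-20372.patch` tag line carries no bug reference or summary, so the spec by itself does not say what Patch9 fixes or which report it tracks. Appending bsc#1160682 and a few words of description to the comment would make it self-describing. The Patch7 and Patch8 tags visible in the context lines have the same gap.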
@@ -191,6 +193,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 perl -pi -e 's|\r\n|\n|g' contrib/geo2nginx.pl
 # we just use lib here because nginx loads them relative to _prefix

++++++ CVE-2019-20372.patch ++++++
Index: nginx-1.14.2/src/http/ngx_http_special_response.c
===================================================================
--- nginx-1.14.2.orig/src/http/ngx_http_special_response.c
+++ nginx-1.14.2/src/http/ngx_http_special_response.c
@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_reques
         return ngx_http_named_location(r, &uri);
     }
 
+    r->expect_tested = 1;
+
+    if (ngx_http_discard_request_body(r) != NGX_OK) {
+        r->keepalive = 0;
+    }
+
     location = ngx_list_push(&r->headers_out.headers);
 
     if (location == NULL) {
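Review bot: `r->expect_tested = 1;` is added without a comment, and its reason is not evident from ngx_http_send_error_page alone. A one-line comment saying it stops ngx_http_discard_request_body() from replying "100 Continue" to an Expect header before the redirect goes out would help the next reader. In the failure branch only r->keepalive is cleared and the function goes on to build the Location header; it is worth stating in the patch description that closing the connection after the response is the intended fallback when the body cannot be discarded. The patch file itself starts directly at "Index:" with no header, so a short description and upstream reference at the top would be a good place for both points.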


