Bug#1010963: bullseye-pu: package nginx/1.18.0-6.1

2022-05-28 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2022-05-14 at 09:11 +0200, Jan Mojzis wrote:
> fixes ALPACA attack CVE-2021-3618:
> ALPACA is an application layer protocol content confusion attack,
> exploiting TLS servers implementing different protocols but using
> compatible certificates, such as multi-domain or wildcard
> certificates.  A MiTM attacker having access to victim's traffic at
> the TCP/IP layer can redirect traffic from one subdomain to another,
> resulting in a valid TLS session. This breaks the authentication of
> TLS and cross-protocol attacks may be possible where the behavior of
> one protocol service may compromise the other at the application
> layer.
> 
> [ Impact ]
> 
> Similarly to smtpd_hard_error_limit in Postfix and
> smtp_max_unknown_commands
> in Exim, specifies the number of errors after which the connection is
> closed.
> 

Please go ahead.

Regards,

Adam



Bug#1010963: bullseye-pu: package nginx/1.18.0-6.1

2022-05-14 Thread Jan Mojzis
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

CVE-2021-3618 fix

[ Reason ]
Fixes the ALPACA attack, CVE-2021-3618:
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

[ Impact ]

Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, the new max_errors directive specifies the number of errors after which the connection is closed.

[ Tests ]
The patch sets a default of '5' error-cmd-tries. It means the server must close the connection after 5 'bad commands'.

config:
~~~
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

mail {
    auth_http  localhost/cgi-bin/nginxauth.cgi;
    server {
        listen     localhost:25;
        protocol   smtp;
        proxy      on;
        smtp_auth  login plain cram-md5;
    }
}
~~~

~~~
# telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 localtest ESMTP ready
badcommand1
500 5.5.1 Invalid command
badcommand2
500 5.5.1 Invalid command
badcommand3
500 5.5.1 Invalid command
badcommand4
500 5.5.1 Invalid command
badcommand5
500 5.5.1 Invalid command
Connection closed by foreign host.
root@dev:~/nginx/nginx-1.18.0#
~~~
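An added check that automates the telnet session above; it is not part of this submission or of nginx. It pairs a constructed stand-in SMTP listener (serve_once, assumed here) that drops the session once a per-connection error counter reaches the limit with a client that counts 500 replies until the peer closes; count_errors_until_close can equally be pointed at a real nginx mail listener with the patch applied.

```python
import socket
import threading

MAX_ERRORS = 5  # default the patch sets, per the [Tests] section above

def serve_once(listener, max_errors=MAX_ERRORS):
    # Constructed stand-in for the patched mail proxy (not nginx code): each
    # unknown command gets a 500 and bumps a counter; session dropped at the limit.
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 localtest ESMTP ready\r\n")
        errors = 0
        for _line in lines:
            errors += 1
            conn.sendall(b"500 5.5.1 Invalid command\r\n")
            if errors >= max_errors:
                return  # closing the socket is the CVE-2021-3618 mitigation

def count_errors_until_close(host, port, attempts=20):
    # Send bogus commands like the telnet session above; return how many 500
    # replies arrive before the peer closes. Works against real nginx too.
    seen = 0
    with socket.create_connection((host, port), timeout=5) as s:
        reply = s.makefile("rb")
        reply.readline()  # the 220 greeting
        for i in range(attempts):
            try:
                s.sendall(b"badcommand%d\r\n" % (i + 1))
                line = reply.readline()
            except OSError:  # reset while the server tore the session down
                break
            if not line:  # EOF: the server closed the connection
                break
            if line.startswith(b"500"):
                seen += 1
    return seen

def check_max_errors(limit=MAX_ERRORS):
    # Run the stand-in on an ephemeral loopback port and measure it.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=serve_once, args=(listener, limit))
    worker.start()
    seen = count_errors_until_close(*listener.getsockname())
    worker.join()
    listener.close()
    return seen
```

A server that keeps answering past the configured limit, so that the count exceeds it, is the unpatched behaviour.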


[ Risks ]
A MiTM attacker having access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands in Exim, the new max_errors directive specifies the number of errors after which the connection is closed.

diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog   2022-03-15 21:36:18.0 +0100
+++ nginx-1.18.0/debian/changelog   2022-05-14 08:27:08.0 +0200
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+  * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+that adds mitigations into the Mail module for CVE-2021-3618.patch.
+(Closes: #991328)
+
+ -- Jan Mojžíš   Sat, 14 May 2022 08:27:08 +0200
+
 nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium

   * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
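Review bot: the second line of the new changelog bullet reads "mitigations into the Mail module for CVE-2021-3618.patch." The ".patch" suffix belongs to the file name on the previous line, not to the CVE identifier; the bullet should end "for CVE-2021-3618."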
diff -Nru nginx-1.18.0/debian/patches/CVE-2021-3618.patch 
nginx-1.18.0/debian/patches/CVE-2021-3618.patch
--- nginx-1.18.0/debian/patches/CVE-2021-3618.patch 1970-01-01 
01:00:00.0 +0100
+++ nginx-1.18.0/debian/patches/CVE-2021-3618.patch 2022-05-14 
08:23:49.0 +0200
@@ -0,0 +1,84 @@
+Subject: Patch mitigation for CVE-2021-3618
+ Mail: max_errors directive.
+ .
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799
+Bug-Debian: https://bugs.debian.org/991328
+
+--- a/src/mail/ngx_mail.h
 b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@
+ ngx_msec_t  timeout;
+ ngx_msec_t  resolver_timeout;
+
++ngx_uint_t  max_errors;
++
+ ngx_str_t   server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@
+ ngx_uint_t  command;
+ ngx_array_t args;
+
++ngx_uint_t  errors;
+ ngx_uint_t  login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+--- a/src/mail/ngx_mail_core_module.c
 b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@
+   offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+   NULL },
+
++{ ngx_string("max_errors"),
++  NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++  ngx_conf_set_num_slot,
++  NGX_MAIL_SRV_CONF_OFFSET,
++  offsetof(ngx_mail_core_srv_conf_t, max_errors),
++  NULL },
++
+   ngx_null_command
+ };
+
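Review bot: the new max_errors entry is registered with ngx_conf_set_num_slot, which accepts any non-negative integer including 0, and nothing in the quoted lines says how 0 is handled (no limit, or closing on the first error). The patch header's description ("specifies the number of errors after which the connection is closed") should state the meaning of 0 and the default of 5 that the [Tests] section relies on.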
+@@ -163,6 +170,8 @@
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver =
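Review bot: the quoted patch stops at "cscf->resolver =" inside the init hunk, although its header announces 84 lines. The merge that turns NGX_CONF_UNSET_UINT into the default of 5 described under [Tests], and the code path that increments the new errors field and closes the session, are therefore not visible here; please attach the complete debdiff so those parts can be checked against the upstream changeset named in the Origin header.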