Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
On Fri, Jul 10, 2020 at 11:01:13AM +0100, Adam D. Barratt wrote:
> On Wed, 2020-07-08 at 16:07 +0300, Adrian Bunk wrote:
> > Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
> >
> > The version was correct in the debdiff but not in the bug title.
> >
> > On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > >
> > > On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > > > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
> > > > CVE-2019-20372.
> > > >
> > >
> > > Please go ahead.
> >
> > I have uploaded the package to DELAYED/2.
> > Feel free to cancel if anyone disagrees.
>
> Out of interest, have you tested the patch directly, or just built and
> uploaded Christos's debdiff?

The debdiff was already approved by the release team, and the patch
matches the one linked from the security tracker.

My testing was just basic build and install testing.

> Regards,
>
> Adam

cu
Adrian
Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
On Wed, 2020-07-08 at 16:07 +0300, Adrian Bunk wrote:
> Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
>
> The version was correct in the debdiff but not in the bug title.
>
> On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
> > > CVE-2019-20372.
> > >
> >
> > Please go ahead.
>
> I have uploaded the package to DELAYED/2.
> Feel free to cancel if anyone disagrees.

Out of interest, have you tested the patch directly, or just built and
uploaded Christos's debdiff?

Regards,

Adam
Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2

The version was correct in the debdiff but not in the bug title.

On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
> > CVE-2019-20372.
> >
>
> Please go ahead.

I have uploaded the package to DELAYED/2.
Feel free to cancel if anyone disagrees.

> Regards,
>
> Adam

cu
Adrian
Processed: Re: Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Processing control commands:

> retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
Bug #948652 [release.debian.org] buster-pu: package nginx/1.14.2-2+deb10u1
Changed Bug title to 'buster-pu: package nginx/1.14.2-2+deb10u2' from 'buster-pu: package nginx/1.14.2-2+deb10u1'.

--
948652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Processed: Re: Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Processing control commands:

> tags -1 + confirmed
Bug #948652 [release.debian.org] buster-pu: package nginx/1.14.2-2+deb10u1
Added tag(s) confirmed.

--
948652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Control: tags -1 + confirmed

On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
> CVE-2019-20372.
>

Please go ahead.

Regards,

Adam
Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
CVE-2019-20372. Attaching a debdiff.

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579

-- System Information:
Debian Release: 10.2
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (4, 'unstable'), (2, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru nginx-1.14.2/debian/changelog nginx-1.14.2/debian/changelog --- nginx-1.14.2/debian/changelog 2019-08-13 21:10:28.0 +0300 +++ nginx-1.14.2/debian/changelog 2020-01-11 09:28:05.0 +0200 @@ -1,3 +1,10 @@ +nginx (1.14.2-2+deb10u2) buster; urgency=medium + + * Handle CVE-2019-20372, error page request smuggling +(Closes: #948579) + + -- Christos Trochalakis Sat, 11 Jan 2020 09:28:05 +0200 + nginx (1.14.2-2+deb10u1) buster-security; urgency=high * Backport upstream fixes for 3 CVEs (Closes: #935037) diff -Nru nginx-1.14.2/debian/patches/CVE-2019-20372.patch nginx-1.14.2/debian/patches/CVE-2019-20372.patch --- nginx-1.14.2/debian/patches/CVE-2019-20372.patch1970-01-01 02:00:00.0 +0200 +++ nginx-1.14.2/debian/patches/CVE-2019-20372.patch2020-01-11 09:28:05.0 +0200
@@ -0,0 +1,31 @@ +From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. +--- + src/http/ngx_http_special_response.c | 6 ++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 2c1ff174..e2a5e9dc 100644 +--- a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, ); + } + ++r->expect_tested = 1; ++ ++if (ngx_http_discard_request_body(r) != NGX_OK) { ++r->keepalive = 0; ++} ++ + location = ngx_list_push(>headers_out.headers); + + if (location == NULL) { +-- +2.23.0 + diff -Nru nginx-1.14.2/debian/patches/series nginx-1.14.2/debian/patches/series --- nginx-1.14.2/debian/patches/series 2019-08-13 21:10:28.0 +0300 +++ nginx-1.14.2/debian/patches/series 2020-01-11 09:28:05.0 +0200 @@ -3,3 +3,4 @@ CVE-2019-9516.patch CVE-2019-9511.patch CVE-2019-9513.patch +CVE-2019-20372.patch signature.asc Description: PGP signature
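Review bot: the debian/changelog hunk names the CVE and closes #948579 but does not record which upstream commit is being backported; since the new patch file is a git-format-patch of 8bffc01d084b4881e3eed2052c115b8f04268cb9, adding that id (or the security-tracker URL from the bug report, https://security-tracker.debian.org/tracker/CVE-2019-20372) to the changelog entry would make the stable update traceable without opening the patch.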
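Review bot: in the CVE-2019-20372.patch hunk, the quoted text has lost characters in transit: `return ngx_http_named_location(r, );` and `location = ngx_list_push(>headers_out.headers);` are missing their `&...->` arguments, and the added `r->expect_tested = 1;` / `ngx_http_discard_request_body(r)` lines have lost their indentation, which is consistent with `&`, `<` and `>` being stripped by the mail or web rendering rather than with the file as uploaded. Before accepting, confirm that the patch file in the actual upload is byte-for-byte the upstream commit (Adrian's reply says it matches the one linked from the security tracker, which covers this). On the logic itself the hunk is self-contained: after the `ngx_http_named_location` early return, it marks `expect_tested`, discards any pending request body before the `Location` header is pushed, and disables keepalive when the discard fails, so an unread body cannot be left on a reused connection. As a style point, the file carries git `From:`/`Subject:` headers but no `Origin:` or `Bug-Debian:` line; adding `Bug-Debian: https://bugs.debian.org/948579` would follow DEP-3 conventions for patches in debian/patches.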
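Review bot: the debian/patches/series hunk appends `CVE-2019-20372.patch` after the three existing CVE-2019-95xx patches, and the name matches the new file, so the ordering is right. Because the upstream commit was written against a newer tree (index 2c1ff174..e2a5e9dc), the only check worth doing is that the hunk at `ngx_http_send_error_page` applies cleanly on 1.14.2 without offset or fuzz; the build-and-install test reported later in the thread is the evidence for that and could be noted in the bug.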