Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-07-10 Thread Adrian Bunk
On Fri, Jul 10, 2020 at 11:01:13AM +0100, Adam D. Barratt wrote:
> On Wed, 2020-07-08 at 16:07 +0300, Adrian Bunk wrote:
> > Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
> > 
> > The version was correct in the debdiff but not in the bug title.
> > 
> > On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> > > Control: tags -1 + confirmed
> > > 
> > > On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > > > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-
> > > > critical
> > > > CVE-2019-20372.
> > > > 
> > > 
> > > Please go ahead.
> > 
> > I have uploaded the package to DELAYED/2.
> > Feel free to cancel if anyone disagrees.
> 
> Out of interest, have you tested the patch directly, or just built and
> uploaded Christos's debdiff?

The debdiff was already approved by the release team,
and the patch matches the one linked from the security tracker.

My testing was just basic build and install testing.

> Regards,
> 
> Adam

cu
Adrian



Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-07-10 Thread Adam D. Barratt
On Wed, 2020-07-08 at 16:07 +0300, Adrian Bunk wrote:
> Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
> 
> The version was correct in the debdiff but not in the bug title.
> 
> On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-
> > > critical
> > > CVE-2019-20372.
> > > 
> > 
> > Please go ahead.
> 
> I have uploaded the package to DELAYED/2.
> Feel free to cancel if anyone disagrees.

Out of interest, have you tested the patch directly, or just built and
uploaded Christos's debdiff?

Regards,

Adam



Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-07-08 Thread Adrian Bunk
Control: retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2

The version was correct in the debdiff but not in the bug title.

On Mon, Jan 20, 2020 at 10:43:58PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> > I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-
> > critical
> > CVE-2019-20372.
> > 
> 
> Please go ahead.

I have uploaded the package to DELAYED/2.
Feel free to cancel if anyone disagrees.

> Regards,
> 
> Adam

cu
Adrian



Processed: Re: Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-07-08 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 buster-pu: package nginx/1.14.2-2+deb10u2
Bug #948652 [release.debian.org] buster-pu: package nginx/1.14.2-2+deb10u1
Changed Bug title to 'buster-pu: package nginx/1.14.2-2+deb10u2' from 
'buster-pu: package nginx/1.14.2-2+deb10u1'.

-- 
948652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-01-20 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #948652 [release.debian.org] buster-pu: package nginx/1.14.2-2+deb10u1
Added tag(s) confirmed.

-- 
948652: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948652
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-01-20 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2020-01-11 at 12:24 +0200, Christos Trochalakis wrote:
> I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-
> critical
> CVE-2019-20372.
> 

Please go ahead.

Regards,

Adam



Bug#948652: buster-pu: package nginx/1.14.2-2+deb10u1

2020-01-11 Thread Christos Trochalakis

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I'd like to upload nginx 1.14.2-2+deb10u2, addressing the non-critical
CVE-2019-20372.

Attaching a debdiff.

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579

-- System Information:
Debian Release: 10.2
 APT prefers unstable-debug
 APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), 
(4, 'unstable'), (2, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru nginx-1.14.2/debian/changelog nginx-1.14.2/debian/changelog
--- nginx-1.14.2/debian/changelog   2019-08-13 21:10:28.0 +0300
+++ nginx-1.14.2/debian/changelog   2020-01-11 09:28:05.0 +0200
@@ -1,3 +1,10 @@
+nginx (1.14.2-2+deb10u2) buster; urgency=medium
+
+  * Handle CVE-2019-20372, error page request smuggling
+(Closes: #948579)
+
+ -- Christos Trochalakis   Sat, 11 Jan 2020 09:28:05 
+0200
+
 nginx (1.14.2-2+deb10u1) buster-security; urgency=high
 
   * Backport upstream fixes for 3 CVEs (Closes: #935037)
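Review bot: the changelog wording "Handle CVE-2019-20372, error page request smuggling" says neither what the change does nor where it comes from; mirror the upstream subject so the entry stands on its own, e.g. "Backport upstream fix for CVE-2019-20372: discard request body when redirecting to a URL via error_page (request smuggling on keep-alive connections) (Closes: #948579)". Separately, in this rendering the trailer line is split after `09:28:05` with `+0200` on the following line and the maintainer address is missing; that is presumably archive mangling, but the trailer must be a single line in the uploaded source or the changelog does not parse.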
diff -Nru nginx-1.14.2/debian/patches/CVE-2019-20372.patch 
nginx-1.14.2/debian/patches/CVE-2019-20372.patch
--- nginx-1.14.2/debian/patches/CVE-2019-20372.patch1970-01-01 
02:00:00.0 +0200
+++ nginx-1.14.2/debian/patches/CVE-2019-20372.patch2020-01-11 
09:28:05.0 +0200
@@ -0,0 +1,31 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov 
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c 
b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- a/src/http/ngx_http_special_response.c
 b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, 
ngx_http_err_page_t *err_page)
+ return ngx_http_named_location(r, );
+ }
+ 
++r->expect_tested = 1;
++
++if (ngx_http_discard_request_body(r) != NGX_OK) {
++r->keepalive = 0;
++}
++
+ location = ngx_list_push(>headers_out.headers);
+ 
+ if (location == NULL) {
+-- 
+2.23.0
+
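Review bot: the added patch file carries only the git From/Date/Subject header and no DEP-3 `Origin:` or `Bug-Debian:` fields; add `Origin: upstream, 8bffc01d084b4881e3eed2052c115b8f04268cb9` (or the equivalent upstream commit URL) and `Bug-Debian: https://bugs.debian.org/948579` above the git header so the provenance checked against the security tracker is recorded in the package itself. On the logic: the inserted block sits after the `return ngx_http_named_location(...)` early exit, so the body is discarded only on the URL-redirect branch and the `@name` branch is not covered by this change; the `r->keepalive = 0` fallback when `ngx_http_discard_request_body` does not return `NGX_OK` is the right failure mode, since it stops the connection being reused with unread body bytes still pending. Note also that this rendering has lost characters in the hunk (the `+++` file header line and the address-of operands in the `ngx_http_named_location` and `ngx_list_push` calls), so diff the actual patch file against upstream commit 8bffc01d before relying on what is shown here.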
diff -Nru nginx-1.14.2/debian/patches/series nginx-1.14.2/debian/patches/series
--- nginx-1.14.2/debian/patches/series  2019-08-13 21:10:28.0 +0300
+++ nginx-1.14.2/debian/patches/series  2020-01-11 09:28:05.0 +0200
@@ -3,3 +3,4 @@
 CVE-2019-9516.patch
 CVE-2019-9511.patch
 CVE-2019-9513.patch
+CVE-2019-20372.patch


signature.asc
Description: PGP signature