Date:      Sun, 9 Feb 2020 11:16:41 +0000 (UTC)
From:      Jochen Neumeister <joneum@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r525647 - in head/www/nginx: . files
Message-ID:  <202002091116.019BGfSK071989@repo.freebsd.org>

Author: joneum
Date: Sun Feb  9 11:16:40 2020
New Revision: 525647
URL: https://svnweb.freebsd.org/changeset/ports/525647

Log:
  Add patch for CVE-2019-20372
  
  NGINX before 1.17.7, with certain error_page configurations,
  allows HTTP request smuggling, as demonstrated by the ability
  of an attacker to read unauthorized web pages in environments
  where NGINX is being fronted by a load balancer.
  
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
  
  PR:		243952
  Reported by:	koobs and many more
  MFH:		2020Q1
  Security:	c1202de8-4b29-11ea-9673-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

Added:
  head/www/nginx/files/patch-CVE-2019-20372   (contents, props changed)
Modified:
  head/www/nginx/Makefile

Modified: head/www/nginx/Makefile
==============================================================================
--- head/www/nginx/Makefile	Sun Feb  9 11:10:36 2020	(r525646)
+++ head/www/nginx/Makefile	Sun Feb  9 11:16:40 2020	(r525647)
@@ -3,7 +3,7 @@
 
 PORTNAME=	nginx
 PORTVERSION=	1.16.1
-PORTREVISION?=	10
+PORTREVISION?=	11
 PORTEPOCH=	2
 CATEGORIES=	www
 MASTER_SITES=	https://nginx.org/download/ \
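Review bot: the PORTREVISION bump from 10 to 11 is the correct change here: PORTVERSION stays at 1.16.1 (the upstream fix only shipped in 1.17.7, per the log), so the new files/patch-CVE-2019-20372 alters the built package without a version change and installed systems need the revision bump to see the update. No other Makefile change is required, since files/patch-* is applied by the ports framework automatically.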

Added: head/www/nginx/files/patch-CVE-2019-20372
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/www/nginx/files/patch-CVE-2019-20372	Sun Feb  9 11:16:40 2020	(r525647)
@@ -0,0 +1,28 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- src/http/ngx_http_special_response.c
++++ src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
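Review bot: the `--- src/http/...` and `+++ src/http/...` lines inside the embedded upstream commit have had the `a/` and `b/` prefixes dropped, which is what lets this file apply under the ports default of `PATCH_STRIP=-p0`; if the patch is ever regenerated straight from `git format-patch` output, the raw prefixes would require `PATCH_STRIP=-p1` instead. On the logic itself, setting `r->expect_tested = 1;` before `ngx_http_discard_request_body(r)` stops nginx from emitting an interim `100 Continue` for an `Expect: 100-continue` request when the response is going to be a redirect, and the `r->keepalive = 0;` fallback when the discard fails ensures that an unread request body cannot be left on a kept-alive connection to be parsed as the start of the next request, which is the smuggling scenario the commit log describes.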
