From: Jochen Neumeister
Date: Sun, 9 Feb 2020 11:16:41 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r525647 - in head/www/nginx: . files
Message-Id: <202002091116.019BGfSK071989@repo.freebsd.org>

Author: joneum
Date: Sun Feb 9 11:16:40 2020
New Revision: 525647

URL: https://svnweb.freebsd.org/changeset/ports/525647

Log:
  Add patch for CVE-2019-20372

  NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.

  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372

  PR:		243952
  Reported by:	koobs and many more
  MFH:		2020Q1
  Security:	c1202de8-4b29-11ea-9673-4c72b94353b5
  Sponsored by:	Netzkommune GmbH

Added:
  head/www/nginx/files/patch-CVE-2019-20372   (contents, props changed)
Modified:
  head/www/nginx/Makefile

Modified: head/www/nginx/Makefile
==============================================================================
--- head/www/nginx/Makefile Sun Feb 9 11:10:36 2020 (r525646) +++ head/www/nginx/Makefile Sun Feb 9 11:16:40 2020 (r525647) @@ -3,7 +3,7 @@ PORTNAME= nginx PORTVERSION= 1.16.1 -PORTREVISION?= 10 +PORTREVISION?= 11 PORTEPOCH= 2 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ Added: head/www/nginx/files/patch-CVE-2019-20372 ==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/www/nginx/files/patch-CVE-2019-20372 Sun Feb 9 11:16:40 2020 (r525647) @@ -0,0 +1,28 @@ +From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 2c1ff174..e2a5e9dc 100644 +--- src/http/ngx_http_special_response.c ++++ src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) {
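Review bot: the Makefile hunk only bumps `PORTREVISION?= 10` to `PORTREVISION?= 11`, and that is the right scope: a file named `files/patch-*` is applied by the ports framework's patch target automatically, so no EXTRA_PATCHES entry is needed, and the bump is required because the built package changes while PORTVERSION stays at 1.16.1; without it, systems already on 1.16.1 with PORTREVISION 10 would not be offered the fixed package.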
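Review bot: the inserted block in ngx_http_send_error_page carries no comment on why `r->expect_tested = 1;` has to precede `ngx_http_discard_request_body(r)`; a one-line comment stating the intent (presumably that no 100 Continue should be sent to solicit a body the server is about to discard while answering with a redirect) would help, since the subject line only says the body is discarded. The fallback is sound: when the discard does not return NGX_OK, `r->keepalive = 0;` makes the connection close after the Location response instead of leaving unread body bytes on a kept-alive connection to be parsed as the start of the next request, which is the smuggling path the log message describes. The block sits after `return ngx_http_named_location(r, &uri);`, so error_page targets that are named locations keep their body; that matches the subject ("when redirecting to a URL"), as a named-location redirect is internal and sends no response at that point. On the ports side, the `---`/`+++` lines use `src/http/ngx_http_special_response.c` with no a/ b/ prefix, so the file applies with the framework's default `-p0` strip level, while the `diff --git a/... b/...` and `index` lines from the upstream git export are ignored by patch(1) and are harmless to keep.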