Date: Fri, 07 Feb 2020 04:38:48 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 243952] www/nginx: Versions < 1.17.7, with certain error_page configurations, allows HTTP request smuggling (CVE-2019-20372) Message-ID: <bug-243952-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D243952 Bug ID: 243952 Summary: www/nginx: Versions < 1.17.7, with certain error_page configurations, allows HTTP request smuggling (CVE-2019-20372) Product: Ports & Packages Version: Latest Hardware: Any URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-201 9-20372 OS: Any Status: New Keywords: needs-patch, needs-qa, security Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: joneum@FreeBSD.org Reporter: koobs@FreeBSD.org CC: ports-secteam@FreeBSD.org Flags: maintainer-feedback?(joneum@FreeBSD.org) Assignee: joneum@FreeBSD.org Flags: merge-quarterly? NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a lo= ad balancer. https://nginx.org/en/CHANGES doesn't reference the CVE, only stating: *) Bugfix: requests with bodies were handled incorrectly when returning redirections with the "error_page" directive; the bug had appeared in 0.7.12. Further upstream and other references exist in the Mitre CVE entry. The upstream commit reference is: https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b= 94e The 1.16.x stable branch may or may not have received a backport of the patch(es) to fix the issue. This should be investigated/verified. A manual backport may be necessary. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-243952-7788>