nginx: CVE-2020-11724


Debian Bug report logs - #964950
nginx: CVE-2020-11724


Reported by: Sylvain Beucler <beuc@beuc.net>

Date: Mon, 13 Jul 2020 09:15:02 UTC

Severity: grave

Tags: security, upstream

Found in versions nginx/1.10.3-1+deb9u3, nginx/1.10.3-1, nginx/1.14.2-2+deb10u1, nginx/1.18.0-4

Fixed in version nginx/1.18.0-5

Done: Ondřej Nový <onovy@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>:
Bug#964950; Package nginx. (Mon, 13 Jul 2020 09:15:03 GMT)


Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>. (Mon, 13 Jul 2020 09:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sylvain Beucler <beuc@beuc.net>
To: submit@bugs.debian.org
Subject: nginx: CVE-2020-11724
Date: Mon, 13 Jul 2020 11:01:57 +0200
Package: nginx
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for ngx_lua.

CVE-2020-11724[0]:
| ngx_http_lua_subrequest.c allows HTTP request smuggling, as
| demonstrated by the ngx.location.capture API.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11724
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11724

Cheers!
Sylvain Beucler
Debian LTS Team




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>:
Bug#964950; Package nginx. (Mon, 13 Jul 2020 15:09:05 GMT)


Acknowledgement sent to Sylvain Beucler <beuc@beuc.net>:
Extra info received and forwarded to list. Copy sent to Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>. (Mon, 13 Jul 2020 15:09:05 GMT)


Message #10 received at 964950@bugs.debian.org:

From: Sylvain Beucler <beuc@beuc.net>
To: 964950@bugs.debian.org
Subject: Re: nginx: CVE-2020-11724
Date: Mon, 13 Jul 2020 17:00:23 +0200
In case this helps, here's some documentation to test the issue with the
new upstream test cases:
https://wiki.debian.org/LTS/TestSuites/nginx

and my planned stretch package:
https://www.beuc.net/tmp/debian-lts/nginx/

Cheers!
Sylvain Beucler
Debian LTS Team

[debdiff.txt (text/plain, attachment)]

Marked as found in versions nginx/1.18.0-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 13 Jul 2020 19:24:08 GMT)


Marked as found in versions nginx/1.14.2-2+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 13 Jul 2020 19:27:14 GMT)


Marked as found in versions nginx/1.10.3-1+deb9u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 13 Jul 2020 19:27:14 GMT)


Marked as found in versions nginx/1.10.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 13 Jul 2020 19:27:15 GMT)


Reply sent to Ondřej Nový <noreply@salsa.debian.org>:
You have taken responsibility. (Tue, 14 Jul 2020 08:18:03 GMT)


Notification sent to Sylvain Beucler <beuc@beuc.net>:
Bug acknowledged by developer. (Tue, 14 Jul 2020 08:18:03 GMT)


Message #23 received at 964950-done@bugs.debian.org:

From: Ondřej Nový <noreply@salsa.debian.org>
To: 964950-done@bugs.debian.org
Subject: Bug#964950 fixed in nginx
Date: Tue, 14 Jul 2020 08:14:56 +0000
Hello,

Bug #964950 in nginx reported by you has been fixed in the Git repository.
You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/nginx-team/nginx/-/commit/aa1f93ee247cd7d21473f35bcba4a95cdfb388ad

------------------------------------------------------------------------
Prevented request smuggling in LUA CVE-2020-11724 Closes: #964950
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/964950



Reply sent to Ondřej Nový <onovy@debian.org>:
You have taken responsibility. (Tue, 14 Jul 2020 08:39:05 GMT)


Notification sent to Sylvain Beucler <beuc@beuc.net>:
Bug acknowledged by developer. (Tue, 14 Jul 2020 08:39:05 GMT)


Message #28 received at 964950-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 964950-close@bugs.debian.org
Subject: Bug#964950: fixed in nginx 1.18.0-5
Date: Tue, 14 Jul 2020 08:36:02 +0000
Source: nginx
Source-Version: 1.18.0-5
Done: Ondřej Nový <onovy@debian.org>

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 964950@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Nový <onovy@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 Jul 2020 10:08:15 +0200
Source: nginx
Architecture: source
Version: 1.18.0-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Ondřej Nový <onovy@debian.org>
Closes: 964950
Changes:
 nginx (1.18.0-5) unstable; urgency=medium
 .
   * Prevented request smuggling in LUA
     CVE-2020-11724
     Closes: #964950
Checksums-Sha1:
 6839c8e7a7e04731bf44f0afa02cb01b898ba101 4750 nginx_1.18.0-5.dsc
 a24f0355029ae09b67861677b9ceca223f4ff00e 1038760 nginx_1.18.0-5.debian.tar.xz
 4476fd788723f13faa0eb48df603bb80344b7945 25156 nginx_1.18.0-5_amd64.buildinfo
Checksums-Sha256:
 3aacd8d456e58aedc2730440e01cd7e4fa6135825b4ad9cfaeba3a46a806a5f7 4750 nginx_1.18.0-5.dsc
 8d50608bcf8295d901eeda021af6684d43ac13ff2fb51c77f8a2d64f464c9b29 1038760 nginx_1.18.0-5.debian.tar.xz
 1e1e324acb5d2f31ea39318659413c820edffd58adf398ba80f9ab1eb524076c 25156 nginx_1.18.0-5_amd64.buildinfo
Files:
 a9b134d5bdd14b11240d93accbec37ec 4750 httpd optional nginx_1.18.0-5.dsc
 29c0cb790d95fd0b641cd2217152385f 1038760 httpd optional nginx_1.18.0-5.debian.tar.xz
 9e61b8b1f39fd8c1db71d483d7380ed5 25156 httpd optional nginx_1.18.0-5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 14 09:12:44 2020; Machine Name: bembo
