Debian Bug report logs - #948579
nginx: CVE-2019-20372

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 10 Jan 2020 13:09:04 UTC

Severity: important

Tags: security, upstream

Found in versions nginx/1.6.2, nginx/1.16.1-2, nginx/1.14.2-2+deb10u1, nginx/1.10.3-1+deb9u3

Fixed in version nginx/1.16.1-3

Done: Christos Trochalakis <ctrochalakis@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>:
Bug#948579; Package src:nginx. (Fri, 10 Jan 2020 13:09:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>. (Fri, 10 Jan 2020 13:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nginx: CVE-2019-20372
Date: Fri, 10 Jan 2020 14:06:58 +0100
Source: nginx
Version: 1.16.1-2
Severity: important
Tags: security upstream
Control: found -1 1.14.2-2+deb10u1

Hi,

The following vulnerability was published for nginx.

CVE-2019-20372[0]:
| NGINX before 1.17.7, with certain error_page configurations, allows
| HTTP request smuggling, as demonstrated by the ability of an attacker
| to read unauthorized web pages in environments where NGINX is being
| fronted by a load balancer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
[1] https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
[2] https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
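A version-triage helper for this bug, added here as an example and not part of the bug report or of the nginx package: it implements dpkg-style version comparison and checks an installed nginx version against the facts recorded above (upstream fixed in 1.17.7; Debian unstable fixed in 1.16.1-3; the "found in" versions). The sample `nginx -v` and `dpkg-query` strings are constructed; fixed versions for suites other than unstable are not on this page, so for those the verdict is deliberately "affected-unless-backported".

```python
import re
from itertools import zip_longest

# Version facts taken from Debian bug #948579 / CVE-2019-20372 above.
UPSTREAM_FIXED = "1.17.7"                 # CVE text: "NGINX before 1.17.7"
DEBIAN_FIXED = {"unstable": "1.16.1-3"}   # "Fixed in version nginx/1.16.1-3"
FOUND_IN = ["1.6.2", "1.16.1-2", "1.14.2-2+deb10u1", "1.10.3-1+deb9u3"]


def _char_order(c):
    """dpkg ordering for non-digit characters: '~' sorts before end-of-string,
    letters sort before all other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare one fragment (upstream_version or debian_revision) the way dpkg
    does: alternate non-digit runs (dpkg lexical order) and digit runs (numeric)."""
    while a or b:
        sa = re.match(r"\D*", a).group()
        sb = re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def split_debian_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_debian_versions(v1, v2):
    """Return -1, 0 or 1 with the semantics of 'dpkg --compare-versions'."""
    e1, u1, r1 = split_debian_version(v1)
    e2, u2, r2 = split_debian_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _compare_fragment(u1, u2) or _compare_fragment(r1, r2)


def parse_nginx_v(line):
    """Extract the upstream version from 'nginx -v' output, e.g.
    'nginx version: nginx/1.16.1' -> '1.16.1' (None if not found)."""
    m = re.search(r"nginx/(\d[0-9A-Za-z.~+]*)", line)
    return m.group(1) if m else None


def assess(version, suite=None):
    """Triage a Debian package version ('1.14.2-2+deb10u1') or a bare upstream
    version ('1.16.1') against CVE-2019-20372.  Only the unstable fix is known
    from this page, so other suites get 'affected-unless-backported'."""
    if suite in DEBIAN_FIXED and compare_debian_versions(version, DEBIAN_FIXED[suite]) >= 0:
        return "fixed", f"package {version} >= {DEBIAN_FIXED[suite]} ({suite})"
    _, upstream, _ = split_debian_version(version)
    if compare_debian_versions(upstream, UPSTREAM_FIXED) >= 0:
        return "fixed", f"upstream {upstream} >= {UPSTREAM_FIXED}"
    if suite in DEBIAN_FIXED:
        return "affected", f"package {version} < {DEBIAN_FIXED[suite]} ({suite})"
    return "affected-unless-backported", f"upstream {upstream} < {UPSTREAM_FIXED}"


if __name__ == "__main__":
    # Constructed samples, shaped like the output of 'nginx -v 2>&1' and of
    # "dpkg-query -W -f='${Version}' nginx".
    sample_nginx_v = "nginx version: nginx/1.16.1"
    sample_dpkg = "1.16.1-3"
    print(sample_nginx_v, "->", assess(parse_nginx_v(sample_nginx_v)))
    print(sample_dpkg, "->", assess(sample_dpkg, suite="unstable"))
    for v in FOUND_IN:
        print(v, "->", assess(v))
```

The bare upstream check is the one that applies to non-Debian builds; on Debian the package revision is what matters, because a security fix is backported without changing the upstream version (exactly the 1.16.1-2 to 1.16.1-3 step recorded in this report).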



Marked as found in versions nginx/1.14.2-2+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 10 Jan 2020 13:09:06 GMT)


Marked as found in versions nginx/1.6.2. Request was from Christos Trochalakis <ctrochalakis@debian.org> to control@bugs.debian.org. (Sat, 11 Jan 2020 07:54:03 GMT)


Marked as found in versions nginx/1.10.3-1+deb9u3. Request was from Christos Trochalakis <ctrochalakis@debian.org> to control@bugs.debian.org. (Sat, 11 Jan 2020 08:24:02 GMT)


Reply sent to Christos Trochalakis <ctrochalakis@debian.org>:
You have taken responsibility. (Sat, 11 Jan 2020 08:42:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 11 Jan 2020 08:42:03 GMT)


Message #16 received at 948579-close@bugs.debian.org:

From: Christos Trochalakis <ctrochalakis@debian.org>
To: 948579-close@bugs.debian.org
Subject: Bug#948579: fixed in nginx 1.16.1-3
Date: Sat, 11 Jan 2020 08:39:40 +0000
Source: nginx
Source-Version: 1.16.1-3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 948579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <ctrochalakis@debian.org> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 11 Jan 2020 09:36:00 +0200
Source: nginx
Architecture: source
Version: 1.16.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Changed-By: Christos Trochalakis <ctrochalakis@debian.org>
Closes: 948579
Changes:
 nginx (1.16.1-3) unstable; urgency=high
 .
   * Handle CVE-2019-20372, error page request smuggling
     (Closes: #948579)
Checksums-Sha1:
 191fef19c95d530d6eddcd4107c5e3d7ffa21984 4149 nginx_1.16.1-3.dsc
 137bc3508a1ea9a2e843e5bab0899260580f81a3 929460 nginx_1.16.1-3.debian.tar.xz
 b8f89be7e8adf4e3b6c400a0fe244f3b2140cfbe 22285 nginx_1.16.1-3_amd64.buildinfo
Checksums-Sha256:
 fa7cd69188dd66617520ce5ea3b3efffcbc4bbb9497306bd2cf60a5204d7713a 4149 nginx_1.16.1-3.dsc
 c0ebac2eb26514948004d56db188b8f1b871732319a2a4c8c697eab814a7feeb 929460 nginx_1.16.1-3.debian.tar.xz
 d8c22b76c1070806012c336f5f4a72efaf55cd7575f7d3e03a4ecf5769c1d123 22285 nginx_1.16.1-3_amd64.buildinfo
Files:
 607295960d54496c2f26f07302ff45e0 4149 httpd optional nginx_1.16.1-3.dsc
 f72ed3c7bc3b86ba6cd925720a34b887 929460 httpd optional nginx_1.16.1-3.debian.tar.xz
 dd458438ed7ffa51dfd0190a65a8917d 22285 httpd optional nginx_1.16.1-3_amd64.buildinfo

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jan 11 09:25:23 2020; Machine Name: beach