Your message dated Sat, 11 Jan 2020 08:39:40 +0000
with message-id <[email protected]>
and subject line Bug#948579: fixed in nginx 1.16.1-3
has caused the Debian Bug report #948579,
regarding nginx: CVE-2019-20372
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
948579: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948579
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: nginx
Version: 1.16.1-2
Severity: important
Tags: security upstream
Control: found -1 1.14.2-2+deb10u1

Hi,

The following vulnerability was published for nginx.

CVE-2019-20372[0]:
| NGINX before 1.17.7, with certain error_page configurations, allows
| HTTP request smuggling, as demonstrated by the ability of an attacker
| to read unauthorized web pages in environments where NGINX is being
| fronted by a load balancer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20372
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
[1] https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
[2] https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nginx
Source-Version: 1.16.1-3

We believe that the bug you reported is fixed in the latest version of
nginx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christos Trochalakis <[email protected]> (supplier of updated nginx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 11 Jan 2020 09:36:00 +0200
Source: nginx
Architecture: source
Version: 1.16.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian Nginx Maintainers <[email protected]>
Changed-By: Christos Trochalakis <[email protected]>
Closes: 948579
Changes:
 nginx (1.16.1-3) unstable; urgency=high
 .
   * Handle CVE-2019-20372, error page request smuggling
     (Closes: #948579)
Checksums-Sha1:
 191fef19c95d530d6eddcd4107c5e3d7ffa21984 4149 nginx_1.16.1-3.dsc
 137bc3508a1ea9a2e843e5bab0899260580f81a3 929460 nginx_1.16.1-3.debian.tar.xz
 b8f89be7e8adf4e3b6c400a0fe244f3b2140cfbe 22285 nginx_1.16.1-3_amd64.buildinfo
Checksums-Sha256:
 fa7cd69188dd66617520ce5ea3b3efffcbc4bbb9497306bd2cf60a5204d7713a 4149 nginx_1.16.1-3.dsc
 c0ebac2eb26514948004d56db188b8f1b871732319a2a4c8c697eab814a7feeb 929460 nginx_1.16.1-3.debian.tar.xz
 d8c22b76c1070806012c336f5f4a72efaf55cd7575f7d3e03a4ecf5769c1d123 22285 nginx_1.16.1-3_amd64.buildinfo
Files:
 607295960d54496c2f26f07302ff45e0 4149 httpd optional nginx_1.16.1-3.dsc
 f72ed3c7bc3b86ba6cd925720a34b887 929460 httpd optional nginx_1.16.1-3.debian.tar.xz
 dd458438ed7ffa51dfd0190a65a8917d 22285 httpd optional nginx_1.16.1-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---