You are correct - bage@ saying this was fixed and should've been included in 
changelogs in the RFS threw me off.  The fix requires new commands and 
essentially 'functionality' added which is probably why it wasn't added in 
upstream.  I could've sworn I included this patch pre-upload but that might've 
been my fault that it didn't get included, which is also my fault.

I can either backport this, or we can wait for the next nginx stable release 
1.22 which should be coming "sometime soon" unless F5 has changed the 
development/release schedule.  In which case unmarking this as fixed and 
keeping it open is going to be necessary.  I believe we only track nginx stable 
(the even-numbered releases), not mainline, which may have led to this.

I'll prep a backported patch, if it imports cleanly.  If it doesn't, we'll have 
to wait for the 1.22 release of NGINX OSS.



Thomas


-----Original Message-----
From: Salvatore Bonaccorso <salvatore.bonacco...@gmail.com> On Behalf Of 
Salvatore Bonaccorso
Sent: Wednesday, May 4, 2022 15:16
To: 991...@bugs.debian.org; Thomas Ward <tew...@thomas-ward.net>
Cc: Moritz Mühlenhoff <j...@inutil.org>
Subject: Re: Bug#991328 closed by Thomas Ward <tew...@thomas-ward.net> ()

Control: reopen -1

Hi Thomas,

On Wed, May 04, 2022 at 04:45:03PM +0000, Debian Bug Tracking System wrote:
> Control: fixed -1 1.20.2-1
> 
> This is fixed in the 1.20.2 upload.  I forgot to add it to the 
> changelog before uploading to ftp-master though, whoops.  It's in the 
> process of building now in Unstable.

Are you sure about that? The commit
http://hg.nginx.org/nginx/rev/ec1071830799 does not seem to have landed in 
upstream 1.20.2 but only in 1.21.0 is implementing the mitigations?

Regards,
Salvatore
