https://bugs.documentfoundation.org/show_bug.cgi?id=149964
Bug ID: 149964
Summary: nginx used on www.libreoffice.org is vulnerable for CVE-2021-23017
Product: LibreOffice
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: medium
Component: Base
Assignee: libreoffice-bugs@lists.freedesktop.org
Reporter: r.me...@siemens.com

Description:
Our corporate security tooling classifies www.libreoffice.org as a risk because the nginx/1.10.3 in use is vulnerable to CVE-2021-23017.
In the worst case we will no longer be able to download LibreOffice and access https://www.libreoffice.org

Steps to Reproduce:
1. curl --head https://www.libreoffice.org
2. check nginx version
3. check https://nvd.nist.gov/vuln/detail/CVE-2021-23017

Some more insights and potential fixes can be found via:
$ testssl https://www.libreoffice.org

Actual Results:
$ curl --head https://www.libreoffice.org
HTTP/2 200
server: nginx/1.10.3
date: Tue, 12 Jul 2022 15:03:47 GMT
content-type: text/html; charset=utf-8
vary: X-Forwarded-Protocol
last-modified: Tue, 12 Jul 2022 07:21:40 GMT
cache-control: no-cache, no-store, must-revalidate
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'

Expected Results:
nginx not vulnerable to CVE-2021-23017, nginx > 1.20.1; see https://nvd.nist.gov/vuln/detail/CVE-2021-23017

Reproducible: Always

User Profile Reset: No

Additional Info:
There was no infra component to file the bug, so please route this to the correct team.
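The banner check from the steps above as a script. This is an added example, not part of the original report. The function names, the result labels and the cutoff argument (1.20.1 in the sample run) are assumptions of this example, and the sample headers are copied from the response quoted in the report.

```shell
#!/bin/sh
# Added example. A Server banner only shows the upstream version string:
# distribution packages can carry backported fixes without changing it,
# so an "older" result is a prompt to check the package changelog.

# Print the nginx version found in HTTP response headers on stdin (or nothing).
nginx_banner_version() {
    tr -d '\r' | awk 'tolower($1) == "server:" && $2 ~ /^nginx\/[0-9.]+$/ {
        sub(/^nginx\//, "", $2); print $2; exit }'
}

# Return 0 if version $1 is strictly older than $2.
# Assumes three numeric components (major.minor.patch), as nginx uses.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# classify_banner HEADERS CUTOFF
# Prints "older:<v>", "not-older:<v>" or "no-version" (banner hidden or not nginx).
classify_banner() {
    v=$(printf '%s\n' "$1" | nginx_banner_version)
    if [ -z "$v" ]; then
        echo "no-version"
    elif version_lt "$v" "$2"; then
        echo "older:$v"
    else
        echo "not-older:$v"
    fi
}

# Sample input: the first headers of the response quoted in the report.
SAMPLE_HEADERS='HTTP/2 200
server: nginx/1.10.3
date: Tue, 12 Jul 2022 15:03:47 GMT
content-type: text/html; charset=utf-8'

classify_banner "$SAMPLE_HEADERS" 1.20.1
```

For a live check, pass the output of `curl --silent --head <url>` as the first argument instead of `SAMPLE_HEADERS`.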