https://bugs.documentfoundation.org/show_bug.cgi?id=149964

            Bug ID: 149964
           Summary: nginx used on www.libreoffice.org is vulnerable to
                    CVE-2021-23017
           Product: LibreOffice
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: medium
         Component: Base
          Assignee: libreoffice-bugs@lists.freedesktop.org
          Reporter: r.me...@siemens.com

Description:
Our corporate security tooling classifies www.libreoffice.org as a risk because
the nginx/1.10.3 in use is vulnerable to CVE-2021-23017. In the worst case we
will no longer be able to download LibreOffice and access
https://www.libreoffice.org



Steps to Reproduce:
1. curl --head  https://www.libreoffice.org
2. check nginx version
3. check https://nvd.nist.gov/vuln/detail/CVE-2021-23017

Some more insights and potential fixes can be found via:
$ testssl  https://www.libreoffice.org

Actual Results:
$ curl --head  https://www.libreoffice.org
HTTP/2 200 
server: nginx/1.10.3
date: Tue, 12 Jul 2022 15:03:47 GMT
content-type: text/html; charset=utf-8
vary: X-Forwarded-Protocol
last-modified: Tue, 12 Jul 2022 07:21:40 GMT
cache-control: no-cache, no-store, must-revalidate
x-frame-options: SAMEORIGIN
content-security-policy: frame-ancestors 'self'


Expected Results:
nginx not vulnerable to CVE-2021-23017, nginx > 1.20.1

see https://nvd.nist.gov/vuln/detail/CVE-2021-23017


Reproducible: Always


User Profile Reset: No



Additional Info:
There was no infra component to file the bug, so please route this to the
correct team.

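The banner check from the steps above, written as a triage script. This is an added example, not part of the original report or of any LibreOffice infrastructure tooling. The function names and the sample headers are constructed for illustration, and the version bounds (affected 0.6.18 through 1.20.0, fixed in 1.20.1 and 1.21.0) are taken from the upstream nginx advisory rather than from the report.

```shell
#!/bin/sh
# Triage an nginx Server banner against CVE-2021-23017 (resolver bug; per the
# upstream advisory it only matters when a "resolver" directive is configured).
# A banner is a hint, not proof: distributions often backport fixes without
# changing the upstream version string, so a "vulnerable" banner means
# "check the installed package and config", not "confirmed vulnerable".

# Constructed sample input, modelled on the curl --head output in the report.
SAMPLE_HEADERS='HTTP/2 200
server: nginx/1.10.3
content-type: text/html; charset=utf-8'

# Read response headers on stdin, print the nginx version (nothing if hidden).
nginx_banner_version() {
  awk 'tolower($1) == "server:" && match($2, /^nginx\/[0-9.]+/) {
         print substr($2, 7, RLENGTH - 6); exit }'
}

# Return 0 if dotted version $1 is strictly lower than $2 (three components).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Map a banner version to a triage verdict.
classify_banner() {
  v=$1
  if [ -z "$v" ]; then
    echo "unknown"          # banner hidden (server_tokens off) or not nginx
  elif version_lt "$v" 0.6.18; then
    echo "not-affected"     # older than the affected range
  elif version_lt "$v" 1.20.1; then
    echo "verify-package"   # upstream-affected; confirm distro patch level
  else
    echo "fixed-upstream"
  fi
}

classify_banner "$(printf '%s\n' "$SAMPLE_HEADERS" | nginx_banner_version)"
```

For a live check, pipe `curl --silent --head <url>` into `nginx_banner_version` instead of the sample headers.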