[Bug 243952] www/nginx: Versions < 1.17.7, with certain error_page configurations, allows HTTP request smuggling (CVE-2019-20372)

Fri Feb 7 04:38:51 UTC 2020

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=243952

            Bug ID: 243952
           Summary: www/nginx: Versions < 1.17.7, with certain error_page
                    configurations, allows HTTP request smuggling
                    (CVE-2019-20372)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
               URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-201
                    9-20372
                OS: Any
            Status: New
          Keywords: needs-patch, needs-qa, security
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: joneum at FreeBSD.org
          Reporter: koobs at FreeBSD.org
                CC: ports-secteam at FreeBSD.org
             Flags: maintainer-feedback?(joneum at FreeBSD.org)
          Assignee: joneum at FreeBSD.org
             Flags: merge-quarterly?

NGINX before 1.17.7, with certain error_page configurations, allows HTTP
request smuggling, as demonstrated by the ability of an attacker to read
unauthorized web pages in environments where NGINX is being fronted by a load
balancer.

https://nginx.org/en/CHANGES doesn't reference the CVE, only stating:

    *) Bugfix: requests with bodies were handled incorrectly when returning
       redirections with the "error_page" directive; the bug had appeared in
       0.7.12.

Further upstream and other references exist in the Mitre CVE entry. The
upstream commit reference is:

https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e

The 1.16.x stable branch may or may not have received a backport of the
patch(es) to fix the issue. This should be investigated/verified. A manual
backport may be necessary.

-- 
You are receiving this mail because:
You are the assignee for the bug.