svn commit: r525648 - in branches/2020Q1/www/nginx: . files

Jochen Neumeister joneum at FreeBSD.org
Sun Feb 9 11:19:02 UTC 2020 

Author: joneum
Date: Sun Feb  9 11:19:01 2020
New Revision: 525648
URL: https://svnweb.freebsd.org/changeset/ports/525648

Log:
  MFH: r525647
  
  Add patch for CVE-2019-20372
  
  NGINX before 1.17.7, with certain error_page configurations,
  allows HTTP request smuggling, as demonstrated by the ability
  of an attacker to read unauthorized web pages in environments
  where NGINX is being fronted by a load balancer.
  
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
  
  PR:		243952
  Reported by:	koobs and many more
  Security:	c1202de8-4b29-11ea-9673-4c72b94353b5
  Sponsored by:	Netzkommune GmbH
  
  Approved by:	ports-secteam (with hat)

Added:
  branches/2020Q1/www/nginx/files/patch-CVE-2019-20372
     - copied unchanged from r525647, head/www/nginx/files/patch-CVE-2019-20372
Modified:
  branches/2020Q1/www/nginx/Makefile
Directory Properties:
  branches/2020Q1/   (props changed)

Modified: branches/2020Q1/www/nginx/Makefile
==============================================================================
--- branches/2020Q1/www/nginx/Makefile	Sun Feb  9 11:16:40 2020	(r525647)
+++ branches/2020Q1/www/nginx/Makefile	Sun Feb  9 11:19:01 2020	(r525648)
@@ -3,7 +3,7 @@
 
 PORTNAME=	nginx
 PORTVERSION=	1.16.1
-PORTREVISION?=	8
+PORTREVISION?=	11
 PORTEPOCH=	2
 CATEGORIES=	www
 MASTER_SITES=	https://nginx.org/download/ \

Copied: branches/2020Q1/www/nginx/files/patch-CVE-2019-20372 (from r525647, head/www/nginx/files/patch-CVE-2019-20372)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2020Q1/www/nginx/files/patch-CVE-2019-20372	Sun Feb  9 11:19:01 2020	(r525648, copy of r525647, head/www/nginx/files/patch-CVE-2019-20372)
@@ -0,0 +1,28 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru at nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- src/http/ngx_http_special_response.c
++++ src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {

More information about the svn-ports-all mailing list