svn commit: r525648 - in branches/2020Q1/www/nginx: . files
Jochen Neumeister
joneum at FreeBSD.org
Sun Feb 9 11:19:02 UTC 2020
Author: joneum
Date: Sun Feb 9 11:19:01 2020
New Revision: 525648
URL: https://svnweb.freebsd.org/changeset/ports/525648
Log:
MFH: r525647
Add patch for CVE-2019-20372
NGINX before 1.17.7, with certain error_page configurations,
allows HTTP request smuggling, as demonstrated by the ability
of an attacker to read unauthorized web pages in environments
where NGINX is being fronted by a load balancer.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372
PR: 243952
Reported by: koobs and many more
Security: c1202de8-4b29-11ea-9673-4c72b94353b5
Sponsored by: Netzkommune GmbH
Approved by: ports-secteam (with hat)
Added:
branches/2020Q1/www/nginx/files/patch-CVE-2019-20372
- copied unchanged from r525647, head/www/nginx/files/patch-CVE-2019-20372
Modified:
branches/2020Q1/www/nginx/Makefile
Directory Properties:
branches/2020Q1/ (props changed)
Modified: branches/2020Q1/www/nginx/Makefile
==============================================================================
--- branches/2020Q1/www/nginx/Makefile Sun Feb 9 11:16:40 2020 (r525647)
+++ branches/2020Q1/www/nginx/Makefile Sun Feb 9 11:19:01 2020 (r525648)
@@ -3,7 +3,7 @@
PORTNAME= nginx
PORTVERSION= 1.16.1
-PORTREVISION?= 8
+PORTREVISION?= 11
PORTEPOCH= 2
CATEGORIES= www
MASTER_SITES= https://nginx.org/download/ \
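Review bot: PORTREVISION jumps from 8 straight to 11 in this merge, so the quarterly branch skips two revisions; confirm that 11 is the value head carries after r525647 so that 2020Q1 packages sort above every earlier build and pkg picks up the rebuild. No further Makefile change is needed to activate the new files/patch-CVE-2019-20372, since the ports framework applies every files/patch-* automatically, which is consistent with this hunk touching only the revision line.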
Copied: branches/2020Q1/www/nginx/files/patch-CVE-2019-20372 (from r525647, head/www/nginx/files/patch-CVE-2019-20372)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2020Q1/www/nginx/files/patch-CVE-2019-20372 Sun Feb 9 11:19:01 2020 (r525648, copy of r525647, head/www/nginx/files/patch-CVE-2019-20372)
@@ -0,0 +1,28 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru at nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- src/http/ngx_http_special_response.c
++++ src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+ return ngx_http_named_location(r, &uri);
+ }
+
++ r->expect_tested = 1;
++
++ if (ngx_http_discard_request_body(r) != NGX_OK) {
++ r->keepalive = 0;
++ }
++
+ location = ngx_list_push(&r->headers_out.headers);
+
+ if (location == NULL) {
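Review bot: the added block sits after the early `return ngx_http_named_location(r, &uri);` above it, so an error_page that targets a @named location never reaches the new discard; confirm that the named-location path drains the request body elsewhere before treating this as covering every error_page form. For the URL redirect path the ordering is right: `r->expect_tested = 1;` marks the Expect header as already handled so the discard does not prompt the client for a body with 100 Continue, and when `ngx_http_discard_request_body(r)` fails, `r->keepalive = 0;` closes the connection rather than leaving an unread body on it to be parsed as the next request, which is the smuggling case the log describes. One style point: the `---`/`+++` lines use bare `src/http/...` paths while the `diff --git` line keeps the a/ and b/ prefixes; that works with the ports default of applying patches with -p0, but the mismatched header is worth either regenerating or noting in the patch file.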