Commit d47526fa authored by Leonardo Arena's avatar Leonardo Arena

main/nginx: security fix (CVE-2019-20372)

fixes #11134
parent 29678cb9
......@@ -4,6 +4,8 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
# 1.14.2-r2:
# - CVE-2019-20372
# 1.14.1-r1:
# - CVE-2019-9511
# - CVE-2019-9513
......@@ -19,7 +21,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.14.2
pkgrel=1
pkgrel=2
# Revision of nginx-tests to use for check().
_tests_hgrev=d6daf03478ad
_njs_ver=0.2.0
......@@ -47,6 +49,7 @@ source="http://nginx.org/download/$pkgname-$pkgver.tar.gz
CVE-2019-9511.patch
CVE-2019-9513.patch
CVE-2019-9516.patch
CVE-2019-20372.patch
nginx.conf
default.conf
......@@ -299,6 +302,7 @@ cd6983c164383100e0239be85dfeddc7879ab9c29589aecdd9bb4b6772d1f0a5d4cd70bf728d0fb5
8418b905011d429a7183843af7fbbc7ec37d01f33c9f9742a2b2de08a0e036af97577988425254ce6a541db34f05d47c05edfe613d417f3e402a044a3f455d3a CVE-2019-9511.patch
8575dfa2484ef6979b83d6cc51b2492498c4a4b5fbda677c0986db1de32fc80c9bf0bb93f75582d51bee7d226a138a423aa41dd7b3320588bb019e4474e5c558 CVE-2019-9513.patch
949f1fe5c83148f99919384b7117d330bf361a2b7c76807d41017f14349b853ec8f6fdab33d290ca455fbe18150047412bb220838c867708cb56c4e5ec6746fd CVE-2019-9516.patch
3d70fecd28a3c7b126aa06404ebb3a0fa71659abb710ecf441208b6735bda80493265410bebb4cecbb2fffa589fede75897b7f7d2da9def2482c75ac85b02b30 CVE-2019-20372.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
......
From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Mon, 23 Dec 2019 15:45:46 +0300
Subject: [PATCH] Discard request body when redirecting to a URL via
error_page.
Reported by Bert JW Regeer and Francisco Oca Gonzalez.
---
src/http/ngx_http_special_response.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
index 4ffb2cc8ad..76e6705889 100644
--- a/src/http/ngx_http_special_response.c
+++ b/src/http/ngx_http_special_response.c
@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
return ngx_http_named_location(r, &uri);
}
+ r->expect_tested = 1;
+
+ if (ngx_http_discard_request_body(r) != NGX_OK) {
+ r->keepalive = 0;
+ }
+
location = ngx_list_push(&r->headers_out.headers);
if (location == NULL) {
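Review bot: The block added before `location = ngx_list_push(&r->headers_out.headers);` has no comment saying why the request body is discarded on this path or why `r->expect_tested` is set first, so a later refactor could drop either line without noticing the security impact. I would add above the discard call `/* discard the unread body so it is not left on a keep-alive connection and parsed as the next request */`, which matches the patch subject and the CVE-2019-20372 entry in secfixes. The `r->expect_tested = 1;` line presumably stops the discard from answering an `Expect: 100-continue` header; if that is the intent, say so in a one-line comment too. Because this is a backport onto 1.14.2, it is also worth confirming that the nginx-tests revision used by check() exercises an error_page redirect for a request that carries a body. ngx_http_send_error_page starts and ends outside the hunk.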