Maxim Dounin
November 24, 2020 10:38AM
Hello!

On Thu, Nov 19, 2020 at 02:06:46PM -0800, Frank Liu wrote:

> CVE-2019-20372 mentioned a security vulnerability, but I don't see it in
> http://nginx.org/en/security_advisories.html
> Does that mean CVE-2019-20372 is not considered a security vulnerability by
> nginx? Or is it because nginx standard config won't be vulnerable, and
> users have to enable error_log in order to be vulnerable?

CVE-2019-20372 corresponds to the following bugfix in nginx
1.17.7:

*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.

It only affects rarely used configurations with error_page
returning redirects by itself, that is, configurations with
"error_page ... http://...". Further, it can only have any
security impact if nginx is used behind another HTTP proxy, and
the configuration relies on security checks on this proxy.

Given the above, it is not considered to be a security issue, but
rather treated as a bug. This bug is already fixed in all
supported nginx versions.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
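Because the post narrows the affected configurations to those with "error_page ... http://..." (nginx itself returning the redirect), the practical check is to audit the running configuration for exactly that pattern. The following shell helper is an added example for this thread, not code from nginx or from Maxim Dounin: it filters `nginx -T` output (or any config text) for `error_page` directives whose target is an absolute URL, skipping local-URI and named-location targets, which do not trigger the 1.17.7 bugfix. The sample configuration and the example.com URLs are constructed here for a stand-alone run.

```shell
#!/bin/sh
# Added audit helper (not nginx's own code): print error_page directives
# whose target is an absolute URL, i.e. the "error_page ... http://..."
# pattern that makes nginx return a redirect by itself.
#
# Real-world usage:   nginx -T 2>/dev/null | find_redirecting_error_pages

find_redirecting_error_pages() {
    # Strip comments first so commented-out directives are not reported,
    # then keep error_page lines whose last argument starts with http(s)://
    sed 's/#.*$//' |
        grep -E '^[[:space:]]*error_page[[:space:]]+[^;]*[[:space:]]https?://'
}

# Constructed sample configuration (not taken from the page or from any
# real deployment) covering the target forms error_page accepts.
SAMPLE_CONF='
server {
    listen 80;
    # local URI target: an internal redirect, not the pattern in the post
    error_page 404 /404.html;
    # named location target: also not the pattern in the post
    error_page 500 502 @fallback;
    # absolute URL target: nginx returns a 302 redirect itself
    error_page 404 http://example.com/notfound;
    # absolute URL with an explicit 301 status: same pattern
    error_page 403 =301 https://example.com/forbidden; # error_page 401 http://x/;
}
'

# Number of matching directives in the sample; used to exercise the filter
# without a live nginx. Expected: 2 (the two absolute-URL targets).
count_redirecting_error_pages() {
    printf '%s\n' "$SAMPLE_CONF" | find_redirecting_error_pages | wc -l | tr -d ' '
}

# Stand-alone run: list the matching directives from the sample.
printf '%s\n' "$SAMPLE_CONF" | find_redirecting_error_pages
```

A match only identifies the configuration pattern the post describes; per the post it matters for security only when nginx sits behind another HTTP proxy whose checks the deployment relies on, and the fix is simply running a supported nginx version.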