diff options
| author | bsiegert <bsiegert@pkgsrc.org> | 2020-01-27 09:35:13 +0000 |
|---|---|---|
| committer | bsiegert <bsiegert@pkgsrc.org> | 2020-01-27 09:35:13 +0000 |
| commit | b251aeae6fed04d3a85cf706b563a6f0b2c6b35d (patch) | |
| tree | 2fdb71c6ada6a183df941f4383a6a3805af46e2a | |
| parent | 0c198171c1403879eba0f3d58967df0c33aab1eb (diff) | |
| download | pkgsrc-b251aeae6fed04d3a85cf706b563a6f0b2c6b35d.tar.gz | |
Pullup ticket #6120 - requested by kim
www/nginx: security fix
Revisions pulled up:
- www/nginx/Makefile 1.87
- www/nginx/distinfo 1.71-1.72
- www/nginx/patches/patch-src_http_ngx__http__special__response.c 1.1-1.2
---
Module Name: pkgsrc
Committed By: kim
Date: Sun Jan 19 07:28:36 UTC 2020
Modified Files:
pkgsrc/www/nginx: Makefile distinfo
Added Files:
pkgsrc/www/nginx/patches: patch-src_http_ngx__http__special__response.c
Log Message:
Add patch from upstream to address CVE-2019-20372. Bump revision.
---
Module Name: pkgsrc
Committed By: kim
Date: Sun Jan 19 07:42:42 UTC 2020
Modified Files:
pkgsrc/www/nginx: distinfo
pkgsrc/www/nginx/patches: patch-src_http_ngx__http__special__response.c
Log Message:
Mention CVE-2019-20372 in the patch file as well.
| -rw-r--r-- | www/nginx/distinfo | 3 | ||||
| -rw-r--r-- | www/nginx/patches/patch-src_http_ngx__http__special__response.c | 23 |
2 files changed, 25 insertions, 1 deletions
diff --git a/www/nginx/distinfo b/www/nginx/distinfo index c81acd97888..0615cd4c004 100644 --- a/www/nginx/distinfo +++ b/www/nginx/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.70 2019/08/15 08:06:29 adam Exp $ +$NetBSD: distinfo,v 1.70.6.1 2020/01/27 09:35:13 bsiegert Exp $ SHA1 (array-var-nginx-module-0.05.tar.gz) = c69fac77814947009ab783a471783b3c95a63a26 RMD160 (array-var-nginx-module-0.05.tar.gz) = 89bd4efc04864e3e90781588a337338951ec8733 @@ -53,3 +53,4 @@ SHA1 (patch-ab) = 7d126a4372aa8575ef01a4bfd9aec9898861c763 SHA1 (patch-auto_cc_conf) = 5e6a479ba419cd16dedeb3b4c47dc685d126ef6a SHA1 (patch-auto_lib_pcre_conf) = 8cf03fe38e7f75ef6892cc8b93be5cb18c381e97 SHA1 (patch-src_event_modules_ngx__eventport__module.c) = c8e919f48d68bd5bffc4ad11d9c79dc6da3a0de2 +SHA1 (patch-src_http_ngx__http__special__response.c) = 7ac84762cc42932c43dc5191888fbe33c2125c3b diff --git a/www/nginx/patches/patch-src_http_ngx__http__special__response.c b/www/nginx/patches/patch-src_http_ngx__http__special__response.c new file mode 100644 index 00000000000..3902c4a6f66 --- /dev/null +++ b/www/nginx/patches/patch-src_http_ngx__http__special__response.c @@ -0,0 +1,23 @@ +$NetBSD$ + +Discard request body when redirecting to a URL via error_page. + +Fixes CVE-2019-20372. + +https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e.patch + +--- src/http/ngx_http_special_response.c ++++ src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { |