==========================================================================
Ubuntu Security Notice USN-4235-1
January 13, 2020
nginx vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 19.10
– Ubuntu 19.04
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
Summary:
nginx could be made to expose sensitive information over the network.
Software Description:
– nginx: small, powerful, scalable web/proxy server
Details:
Bert JW Regeer and Francisco Oca Gonzalez discovered that nginx incorrectly
handled certain error_page configurations. A remote attacker could possibly
use this issue to perform HTTP request smuggling attacks and access
resources contrary to expectations.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.10:
nginx-common 1.16.1-0ubuntu2.1
nginx-core 1.16.1-0ubuntu2.1
nginx-extras 1.16.1-0ubuntu2.1
nginx-full 1.16.1-0ubuntu2.1
nginx-light 1.16.1-0ubuntu2.1
Ubuntu 19.04:
nginx-common 1.15.9-0ubuntu1.2
nginx-core 1.15.9-0ubuntu1.2
nginx-extras 1.15.9-0ubuntu1.2
nginx-full 1.15.9-0ubuntu1.2
nginx-light 1.15.9-0ubuntu1.2
Ubuntu 18.04 LTS:
nginx-common 1.14.0-0ubuntu1.7
nginx-core 1.14.0-0ubuntu1.7
nginx-extras 1.14.0-0ubuntu1.7
nginx-full 1.14.0-0ubuntu1.7
nginx-light 1.14.0-0ubuntu1.7
Ubuntu 16.04 LTS:
nginx-common 1.10.3-0ubuntu0.16.04.5
nginx-core 1.10.3-0ubuntu0.16.04.5
nginx-extras 1.10.3-0ubuntu0.16.04.5
nginx-full 1.10.3-0ubuntu0.16.04.5
nginx-light 1.10.3-0ubuntu0.16.04.5
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4235-1
CVE-2019-20372
Package Information:
https://launchpad.net/ubuntu/+source/nginx/1.16.1-0ubuntu2.1
https://launchpad.net/ubuntu/+source/nginx/1.15.9-0ubuntu1.2
https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.7
https://launchpad.net/ubuntu/+source/nginx/1.10.3-0ubuntu0.16.04.5
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl4cow8ACgkQZWnYVadE
vpOz8xAAr6BS6Trj7m0Ayhalv9WBsvcGutVP1gRKUhJj0a34LI3UX2j2ymR7EcH9
3EGfjxE+SxYhkvfAsj2LM+rZCN64qjWECK+nb3idl3IoOhy0c8lxcRIVwjgC2EKQ
mQHcqt8r6c4bvbfsRVMpnISlvFuSwwFk/9vq/vLHSXMxfKz9lu+5aLhIyW4ktexk
eNr0oiCNWzkfpBdTOOWy6BL6lMsYM6ttYf+vjs0QBgAnDoP85C4/i2XrBUv12BbW
rXRIEcogOIUA9zXyNHiSWktG8n7CCuvJoVoZq32HEkeXS250EoNtdMKytX45wq28
N6qD8nu8hIAhcCtelm9PFC9BhrfInYLak1HsE+Bwlf4afEL52ShDEGjrKjqmj35r
THIULw3ry9zAEP8Ne6ROdeN/nSGnLROnBeth2ahaDvruG8UbIju6IzZSPFqGvmwE
XSvVLOvhJTnWn84xm9u9ElSsGdTu+u5XO+xbG/5UfRUUL39PFTpGJUpvRYOHEh0C
bjefQX1lbdIXyqBxTlxarrXofq6MrJp9F6IOLrBP87mQrB50pSIZZeqmcR97+CJ7
qhF+49tlptXOHgGUcIrNWxX6EHV90FOounVoIF/WKUK0AYOfntSEw+QACp+T2H2M
T+a4acdhuvm22Bj0szUGXiiuFCDrwUUbxFtJmxKhBDgUqSlk1ps=
=0waO
—–END PGP SIGNATURE—–
—