From e3f6ed2d6547bf910fe5e6a21ea660ea83b0e7b7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Thu, 27 Dec 2018 14:44:09 +0200 Subject: [PATCH 1/6] Add missing changelog entries Those were forgotten during the upload, but let's add them for completeness. Gbp-Dch: Ignore --- debian/changelog | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/changelog b/debian/changelog index be5df64..93a36f2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ nginx (1.14.2-2) unstable; urgency=medium [ Christos Trochalakis ] * http-dav-ext: Upgrade to 3.0.0 (Closes: #851651) + * Use a minimal export of the upstream signing key + * Bump Standards-Version, no changes needed -- Christos Trochalakis Thu, 27 Dec 2018 12:49:34 +0200 From ccedd1185b2471d7b50d5617b5383fb021001888 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Tue, 13 Aug 2019 21:04:39 +0300 Subject: [PATCH 2/6] gbp: setup for buster Gbp-Dch: Ignore --- debian/gbp.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/gbp.conf b/debian/gbp.conf index a14a699..b5fb2c9 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -2,3 +2,5 @@ pristine-tar = True upstream-branch = upstream upstream-tag = upstream/%(version)s +dist=buster +debian-branch=buster From fce697b5bc7fca3b89cfc8ebd941f8dfc5b13388 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Mon, 19 Aug 2019 11:33:14 +0300 Subject: [PATCH 3/6] Handle CVE-2019-9511 CVE-2019-9513 CVE-2019-9516 Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file. The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1. Thanks to Jonathan Looney from Netflix for discovering these issues. --- debian/patches/CVE-2019-9511.patch | 87 ++++++++++++++++++++++++++++++ debian/patches/CVE-2019-9513.patch | 62 +++++++++++++++++++++ debian/patches/CVE-2019-9516.patch | 45 ++++++++++++++++ debian/patches/series | 3 ++ 4 files changed, 197 insertions(+) create mode 100644 debian/patches/CVE-2019-9511.patch create mode 100644 debian/patches/CVE-2019-9513.patch create mode 100644 debian/patches/CVE-2019-9516.patch diff --git a/debian/patches/CVE-2019-9511.patch b/debian/patches/CVE-2019-9511.patch new file mode 100644 index 0000000..3b48e0c --- /dev/null +++ b/debian/patches/CVE-2019-9511.patch @@ -0,0 +1,87 @@ +From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:36 +0300 +Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames. + +Fixed excessive memory growth and CPU usage if stream windows are +manipulated in a way that results in generating many small DATA frames. +Fix is to limit the number of simultaneously allocated DATA frames. +--- + src/http/v2/ngx_http_v2.c | 2 ++ + src/http/v2/ngx_http_v2.h | 2 ++ + src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++----- + 3 files changed, 21 insertions(+), 5 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index be2ef82b..1b01f271 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index bec22160..715b7d30 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index 029e8ece..c7ee5536 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9513.patch b/debian/patches/CVE-2019-9513.patch new file mode 100644 index 0000000..edc1c2b --- /dev/null +++ b/debian/patches/CVE-2019-9513.patch @@ -0,0 +1,62 @@ +From bbdc81631b6d322785d8e92788fd400e25a931e6 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Tue, 13 Aug 2019 15:43:40 +0300 +Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames. + +Fixed excessive CPU usage caused by a peer that continuously shuffles +priority of streams. Fix is to limit the number of PRIORITY frames. +--- + src/http/v2/ngx_http_v2.c | 10 ++++++++++ + src/http/v2/ngx_http_v2.h | 1 + + 2 files changed, 11 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 1b01f271..fd6ecb05 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev) + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + + h2c->concurrent_pushes = h2scf->concurrent_pushes; ++ h2c->priority_limit = h2scf->concurrent_streams; + + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { +@@ -1806,6 +1807,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push) + h2c->processing++; + } + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 715b7d30..69d55d1c 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + ngx_uint_t pushing; + ngx_uint_t concurrent_pushes; +-- +2.20.1 + diff --git a/debian/patches/CVE-2019-9516.patch b/debian/patches/CVE-2019-9516.patch new file mode 100644 index 0000000..0d5ec77 --- /dev/null +++ b/debian/patches/CVE-2019-9516.patch @@ -0,0 +1,45 @@ +From 840d8a3e2f126384eb4ee3e5dd7ffe875a5634c5 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Tue, 13 Aug 2019 15:43:32 +0300 +Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR. + +Fixed uncontrolled memory growth if peer sends a stream of +headers with a 0-length header name and 0-length header value. +Fix is to reject headers with zero name length. +--- + src/http/v2/ngx_http_v2.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 12214e15..be2ef82b 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1548,6 +1548,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 5b6b799..dfc20c1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,5 @@ 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch 0003-define_gnu_source-on-other-glibc-based-platforms.patch +CVE-2019-9516.patch +CVE-2019-9511.patch +CVE-2019-9513.patch From 117fc2156ffdf628d28bb469b920f7d4cbf19d2c Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Mon, 19 Aug 2019 13:03:31 +0300 Subject: [PATCH 4/6] Release 1.14.2-2+deb10u1 --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 93a36f2..b2c8dc3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +nginx (1.14.2-2+deb10u1) buster-security; urgency=high + + * Backport upstream fixes for 3 CVEs (Closes: #935037) + Those fixes affect Nginx HTTP/2 implementation, which might cause + excessive memory consumption and CPU usage. + (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + -- Christos Trochalakis Tue, 13 Aug 2019 21:10:28 +0300 + nginx (1.14.2-2) unstable; urgency=medium [ Kartik Mistry ] From 0a0410dba7521b83fc9304ec1aadf5fb9f95a1a7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Sat, 11 Jan 2020 09:21:48 +0200 Subject: [PATCH 5/6] Handle CVE-2019-20372, error page request smuggling Nginx before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. --- debian/patches/CVE-2019-20372.patch | 31 +++++++++++++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 32 insertions(+) create mode 100644 debian/patches/CVE-2019-20372.patch diff --git a/debian/patches/CVE-2019-20372.patch b/debian/patches/CVE-2019-20372.patch new file mode 100644 index 0000000..7793fa4 --- /dev/null +++ b/debian/patches/CVE-2019-20372.patch @@ -0,0 +1,31 @@ +From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001 +From: Ruslan Ermilov +Date: Mon, 23 Dec 2019 15:45:46 +0300 +Subject: [PATCH] Discard request body when redirecting to a URL via + error_page. + +Reported by Bert JW Regeer and Francisco Oca Gonzalez. +--- + src/http/ngx_http_special_response.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 2c1ff174..e2a5e9dc 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { +-- +2.23.0 + diff --git a/debian/patches/series b/debian/patches/series index dfc20c1..000a9f1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ CVE-2019-9516.patch CVE-2019-9511.patch CVE-2019-9513.patch +CVE-2019-20372.patch From 1b93db3264fab0654a0112b55d3f2cc79cc7ebd7 Mon Sep 17 00:00:00 2001 From: Christos Trochalakis Date: Sat, 11 Jan 2020 09:29:48 +0200 Subject: [PATCH 6/6] Release 1.14.2-2+deb10u2 --- debian/changelog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/changelog b/debian/changelog index b2c8dc3..2ae0be6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +nginx (1.14.2-2+deb10u2) buster-security; urgency=high + + * Handle CVE-2019-20372, error page request smuggling + (Closes: #948579) + + -- Christos Trochalakis Sat, 11 Jan 2020 09:28:05 +0200 + nginx (1.14.2-2+deb10u1) buster-security; urgency=high * Backport upstream fixes for 3 CVEs (Closes: #935037)