Import Debian changes 1.14.2-2+deb10u5

nginx (1.14.2-2+deb10u5) buster-security; urgency=high
.
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-3618:
    ALPACA is an application layer protocol content confusion attack,
    exploiting TLS servers implementing different protocols but using
    compatible certificates, such as multi-domain or wildcard certificates. A
    MiTM attacker having access to victim's traffic at the TCP/IP layer can
    redirect traffic from one subdomain to another, resulting in a valid TLS
    session. This breaks the authentication of TLS and cross-protocol attacks
    may be possible where the behavior of one protocol service may compromise
    the other at the application layer.
  * Fix CVE-2022-41741 and CVE-2022-41742:
    It was discovered that parsing errors in the mp4 module of Nginx, a
    high-performance web and reverse proxy server, could result in denial of
    service, memory disclosure or potentially the execution of arbitrary code
    when processing a malformed mp4 file.
.
nginx (1.14.2-2+deb10u4) buster-security; urgency=medium
.
  * CVE-2021-23017 (Closes: #989095)
.
nginx (1.14.2-2+deb10u3) buster-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * bugfix: prevented request smuggling in the ngx.location.capture API
    (CVE-2020-11724) (Closes: #964950)
.
nginx (1.14.2-2+deb10u2) buster; urgency=medium
.
  * Handle CVE-2019-20372, error page request smuggling
    (Closes: #948579)

debian/changelog

@@ -1,3 +1,53 @@
+nginx (1.14.2-2+deb10u5) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-3618:
+    ALPACA is an application layer protocol content confusion attack,
+    exploiting TLS servers implementing different protocols but using
+    compatible certificates, such as multi-domain or wildcard certificates. A
+    MiTM attacker having access to victim's traffic at the TCP/IP layer can
+    redirect traffic from one subdomain to another, resulting in a valid TLS
+    session. This breaks the authentication of TLS and cross-protocol attacks
+    may be possible where the behavior of one protocol service may compromise
+    the other at the application layer.
+  * Fix CVE-2022-41741 and CVE-2022-41742:
+    It was discovered that parsing errors in the mp4 module of Nginx, a
+    high-performance web and reverse proxy server, could result in denial of
+    service, memory disclosure or potentially the execution of arbitrary code
+    when processing a malformed mp4 file.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 22 Nov 2022 23:03:15 +0100
+
+nginx (1.14.2-2+deb10u4) buster-security; urgency=medium
+
+  * CVE-2021-23017 (Closes: #989095)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 28 May 2021 10:43:00 +0200
+
+nginx (1.14.2-2+deb10u3) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * bugfix: prevented request smuggling in the ngx.location.capture API
+    (CVE-2020-11724) (Closes: #964950)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Mon, 24 Aug 2020 12:18:43 +0200
+
+nginx (1.14.2-2+deb10u2) buster; urgency=medium
+
+  * Handle CVE-2019-20372, error page request smuggling
+    (Closes: #948579)
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Sat, 11 Jan 2020 09:28:05 +0200
+
+nginx (1.14.2-2+deb10u1) buster-security; urgency=high
+
+  * Backport upstream fixes for 3 CVEs (Closes: #935037)
+    Those fixes affect Nginx HTTP/2 implementation, which might cause
+    excessive memory consumption and CPU usage.
+    (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
+
+ -- Christos Trochalakis <ctrochalakis@debian.org>  Tue, 13 Aug 2019 21:10:28 +0300
+
 nginx (1.14.2-2) unstable; urgency=medium
 
   [ Kartik Mistry ]
@@ -7,6 +57,8 @@ nginx (1.14.2-2) unstable; urgency=medium
 
   [ Christos Trochalakis ]
   * http-dav-ext: Upgrade to 3.0.0 (Closes: #851651)
+  * Use a minimal export of the upstream signing key
+  * Bump Standards-Version, no changes needed
 
  -- Christos Trochalakis <ctrochalakis@debian.org>  Thu, 27 Dec 2018 12:49:34 +0200
 

debian/gbp.conf

@@ -2,3 +2,5 @@
 pristine-tar = True
 upstream-branch = upstream
 upstream-tag = upstream/%(version)s
+dist=buster
+debian-branch=buster

debian/modules/http-lua/t/.gitignore

@@ -1,2 +0,0 @@
-servroot
-

debian/modules/nchan/src/.gitignore

@@ -1,2 +0,0 @@
-nginx
-nginx-source

debian/modules/nchan/src/store/redis/scripts/.gitignore

@@ -1 +0,0 @@
-Gemfile.lock

debian/modules/patches/http-lua/bugfix-prevented-request-smuggling-in-the-ngx.locati.patch

@@ -0,0 +1,852 @@
+From: Thibault Charbonnier <thibaultcha@me.com>
+Date: Mon, 23 Mar 2020 19:40:47 -0700
+Subject: bugfix: prevented request smuggling in the ngx.location.capture API.
+Origin: https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
+Bug-Debian: https://bugs.debian.org/964950
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-11724
+
+Signed-off-by: Yichun Zhang (agentzh) <yichun@openresty.com>
+---
+ src/ngx_http_lua_subrequest.c | 196 +++++--------
+ t/020-subrequest.t            | 520 +++++++++++++++++++++++++++++++++-
+ 2 files changed, 585 insertions(+), 131 deletions(-)
+
+--- a/src/ngx_http_lua_subrequest.c
++++ b/src/ngx_http_lua_subrequest.c
+@@ -56,8 +56,6 @@ static ngx_str_t  ngx_http_lua_content_l
+     ngx_string("Content-Length");
+ 
+ 
+-static ngx_int_t ngx_http_lua_set_content_length_header(ngx_http_request_t *r,
+-    off_t len);
+ static ngx_int_t ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr,
+     ngx_uint_t method, int forward_body,
+     ngx_http_request_body_t *body, unsigned vars_action,
+@@ -78,7 +76,7 @@ static void ngx_http_lua_cancel_subreq(n
+ static ngx_int_t ngx_http_post_request_to_head(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
+-    ngx_http_request_t *r);
++    ngx_http_request_t *pr, int pr_not_chunked);
+ 
+ 
+ /* ngx.location.capture is just a thin wrapper around
+@@ -628,8 +626,8 @@ ngx_http_lua_adjust_subrequest(ngx_http_
+     unsigned vars_action, ngx_array_t *extra_vars)
+ {
+     ngx_http_request_t          *r;
+-    ngx_int_t                    rc;
+     ngx_http_core_main_conf_t   *cmcf;
++    int                          pr_not_chunked = 0;
+     size_t                       size;
+ 
+     r = sr->parent;
+@@ -639,46 +637,32 @@ ngx_http_lua_adjust_subrequest(ngx_http_
+     if (body) {
+         sr->request_body = body;
+ 
+-        rc = ngx_http_lua_set_content_length_header(sr,
+-                                                    body->buf
+-                                                    ? ngx_buf_size(body->buf)
+-                                                    : 0);
+-
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+     } else if (!always_forward_body
+                && method != NGX_HTTP_PUT
+                && method != NGX_HTTP_POST
+                && r->headers_in.content_length_n > 0)
+     {
+-        rc = ngx_http_lua_set_content_length_header(sr, 0);
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+-#if 1
+         sr->request_body = NULL;
+-#endif
+ 
+     } else {
+-        if (ngx_http_lua_copy_request_headers(sr, r) != NGX_OK) {
+-            return NGX_ERROR;
++        if (!r->headers_in.chunked) {
++            pr_not_chunked = 1;
+         }
+ 
+-        if (sr->request_body) {
++        if (sr->request_body && sr->request_body->temp_file) {
+ 
+             /* deep-copy the request body */
+ 
+-            if (sr->request_body->temp_file) {
+-                if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
+-                    return NGX_ERROR;
+-                }
++            if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
++                return NGX_ERROR;
+             }
+         }
+     }
+ 
++    if (ngx_http_lua_copy_request_headers(sr, r, pr_not_chunked) != NGX_OK) {
++        return NGX_ERROR;
++    }
++
+     sr->method = method;
+ 
+     switch (method) {
+@@ -1124,100 +1108,6 @@ ngx_http_lua_post_subrequest(ngx_http_re
+ }
+ 
+ 
+-static ngx_int_t
+-ngx_http_lua_set_content_length_header(ngx_http_request_t *r, off_t len)
+-{
+-    ngx_table_elt_t                 *h, *header;
+-    u_char                          *p;
+-    ngx_list_part_t                 *part;
+-    ngx_http_request_t              *pr;
+-    ngx_uint_t                       i;
+-
+-    r->headers_in.content_length_n = len;
+-
+-    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
+-                      sizeof(ngx_table_elt_t)) != NGX_OK)
+-    {
+-        return NGX_ERROR;
+-    }
+-
+-    h = ngx_list_push(&r->headers_in.headers);
+-    if (h == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->key = ngx_http_lua_content_length_header_key;
+-    h->lowcase_key = ngx_pnalloc(r->pool, h->key.len);
+-    if (h->lowcase_key == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
+-
+-    r->headers_in.content_length = h;
+-
+-    p = ngx_palloc(r->pool, NGX_OFF_T_LEN);
+-    if (p == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->value.data = p;
+-
+-    h->value.len = ngx_sprintf(h->value.data, "%O", len) - h->value.data;
+-
+-    h->hash = ngx_http_lua_content_length_hash;
+-
+-#if 0
+-    dd("content length hash: %lu == %lu", (unsigned long) h->hash,
+-       ngx_hash_key_lc((u_char *) "Content-Length",
+-                       sizeof("Content-Length") - 1));
+-#endif
+-
+-    dd("r content length: %.*s",
+-       (int) r->headers_in.content_length->value.len,
+-       r->headers_in.content_length->value.data);
+-
+-    pr = r->parent;
+-
+-    if (pr == NULL) {
+-        return NGX_OK;
+-    }
+-
+-    /* forward the parent request's all other request headers */
+-
+-    part = &pr->headers_in.headers.part;
+-    header = part->elts;
+-
+-    for (i = 0; /* void */; i++) {
+-
+-        if (i >= part->nelts) {
+-            if (part->next == NULL) {
+-                break;
+-            }
+-
+-            part = part->next;
+-            header = part->elts;
+-            i = 0;
+-        }
+-
+-        if (header[i].key.len == sizeof("Content-Length") - 1
+-            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
+-                               sizeof("Content-Length") - 1) == 0)
+-        {
+-            continue;
+-        }
+-
+-        if (ngx_http_lua_set_input_header(r, header[i].key,
+-                                          header[i].value, 0) == NGX_ERROR)
+-        {
+-            return NGX_ERROR;
+-        }
+-    }
+-
+-    return NGX_OK;
+-}
+-
+-
+ static void
+ ngx_http_lua_handle_subreq_responses(ngx_http_request_t *r,
+     ngx_http_lua_ctx_t *ctx)
+@@ -1732,11 +1622,17 @@ ngx_http_lua_copy_in_file_request_body(n
+ 
+ 
+ static ngx_int_t
+-ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
++ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
++    ngx_http_request_t *pr, int pr_not_chunked)
+ {
+-    ngx_table_elt_t                 *header;
++    ngx_table_elt_t                 *clh, *header;
+     ngx_list_part_t                 *part;
+     ngx_uint_t                       i;
++    u_char                          *p;
++    off_t                            len;
++
++    dd("before: parent req headers count: %d",
++       (int) pr->headers_in.headers.part.nelts);
+ 
+     if (ngx_list_init(&sr->headers_in.headers, sr->pool, 20,
+                       sizeof(ngx_table_elt_t)) != NGX_OK)
+@@ -1744,10 +1640,46 @@ ngx_http_lua_copy_request_headers(ngx_ht
+         return NGX_ERROR;
+     }
+ 
+-    dd("before: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
++    if (sr->request_body && !pr_not_chunked) {
++
++        /* craft our own Content-Length */
++
++        len = sr->request_body->buf ? ngx_buf_size(sr->request_body->buf) : 0;
++
++        clh = ngx_list_push(&sr->headers_in.headers);
++        if (clh == NULL) {
++            return NGX_ERROR;
++        }
+ 
+-    part = &r->headers_in.headers.part;
++        clh->hash = ngx_http_lua_content_length_hash;
++        clh->key = ngx_http_lua_content_length_header_key;
++        clh->lowcase_key = ngx_pnalloc(sr->pool, clh->key.len);
++        if (clh->lowcase_key == NULL) {
++            return NGX_ERROR;
++        }
++
++        ngx_strlow(clh->lowcase_key, clh->key.data, clh->key.len);
++
++        p = ngx_palloc(sr->pool, NGX_OFF_T_LEN);
++        if (p == NULL) {
++            return NGX_ERROR;
++        }
++
++        clh->value.data = p;
++        clh->value.len = ngx_sprintf(clh->value.data, "%O", len)
++                         - clh->value.data;
++
++        sr->headers_in.content_length = clh;
++        sr->headers_in.content_length_n = len;
++
++        dd("sr crafted content-length: %.*s",
++           (int) sr->headers_in.content_length->value.len,
++           sr->headers_in.content_length->value.data);
++    }
++
++    /* copy the parent request's headers */
++
++    part = &pr->headers_in.headers.part;
+     header = part->elts;
+ 
+     for (i = 0; /* void */; i++) {
+@@ -1762,7 +1694,14 @@ ngx_http_lua_copy_request_headers(ngx_ht
+             i = 0;
+         }
+ 
+-        dd("setting request header %.*s: %.*s", (int) header[i].key.len,
++        if (!pr_not_chunked && header[i].key.len == sizeof("Content-Length") - 1
++            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
++                               sizeof("Content-Length") - 1) == 0)
++        {
++            continue;
++        }
++
++        dd("sr copied req header %.*s: %.*s", (int) header[i].key.len,
+            header[i].key.data, (int) header[i].value.len,
+            header[i].value.data);
+ 
+@@ -1774,9 +1713,10 @@ ngx_http_lua_copy_request_headers(ngx_ht
+     }
+ 
+     dd("after: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
++       (int) pr->headers_in.headers.part.nelts);
+ 
+     return NGX_OK;
+ }
+ 
++
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+--- a/t/020-subrequest.t
++++ b/t/020-subrequest.t
+@@ -14,6 +14,7 @@ repeat_each(2);
+ plan tests => repeat_each() * (blocks() * 3 + 23);
+ 
+ $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
++$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
+ 
+ #no_diff();
+ no_long_string();
+@@ -210,7 +211,7 @@ GET
+ 
+ 
+ 
+-=== TEST 8: PUT (nobody, proxy method)
++=== TEST 8: PUT (with body, proxy method)
+ --- config
+     location /other {
+         default_type 'foo/bar';
+@@ -242,7 +243,7 @@ hello
+ 
+ 
+ 
+-=== TEST 9: PUT (nobody, no proxy method)
++=== TEST 9: PUT (with body, no proxy method)
+ --- config
+     location /other {
+         default_type 'foo/bar';
+@@ -271,7 +272,7 @@ hello
+ 
+ 
+ 
+-=== TEST 10: PUT (nobody, no proxy method)
++=== TEST 10: PUT (no body, no proxy method)
+ --- config
+     location /other {
+         default_type 'foo/bar';
+@@ -2877,3 +2878,516 @@ DELETE /file.txt, response status: 204
+ --- no_error_log
+ [error]
+ --- error_code: 200
++
++
++
++=== TEST 77: avoid request smuggling 1/4 (default capture + smuggle in header)
++--- http_config
++    upstream backend {
++        server unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++        keepalive 32;
++    }
++
++    server {
++        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++
++        location / {
++            content_by_lua_block {
++                ngx.say("method: ", ngx.var.request_method,
++                        ", uri: ", ngx.var.uri,
++                        ", X: ", ngx.var.http_x)
++            }
++        }
++    }
++--- config
++    location /proxy {
++        proxy_http_version 1.1;
++        proxy_set_header   Connection "";
++        proxy_pass         http://backend/foo;
++    }
++
++    location /capture {
++        server_tokens off;
++        more_clear_headers Date;
++
++        content_by_lua_block {
++            local res = ngx.location.capture("/proxy")
++            ngx.print(res.body)
++        }
++    }
++
++    location /t {
++        content_by_lua_block {
++            local req = [[
++GET /capture HTTP/1.1
++Host: test.com
++Content-Length: 37
++Transfer-Encoding: chunked
++
++0
++
++GET /capture HTTP/1.1
++Host: test.com
++X: GET /bar HTTP/1.0
++
++]]
++
++            local sock = ngx.socket.tcp()
++            sock:settimeout(1000)
++
++            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++            if not ok then
++                ngx.say("failed to connect: ", err)
++                return
++            end
++
++            local bytes, err = sock:send(req)
++            if not bytes then
++                ngx.say("failed to send req: ", err)
++                return
++            end
++
++            ngx.say("req bytes: ", bytes)
++
++            local n_resp = 0
++
++            local reader = sock:receiveuntil("\r\n")
++            while true do
++                local line, err = reader()
++                if line then
++                    ngx.say(line)
++                    if line == "0" then
++                        n_resp = n_resp + 1
++                    end
++
++                    if n_resp >= 2 then
++                        break
++                    end
++
++                else
++                    ngx.say("err: ", err)
++                    break
++                end
++            end
++
++            sock:close()
++        }
++    }
++--- request
++GET /t
++--- response_body
++req bytes: 146
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++1f
++method: GET, uri: /foo, X: nil
++
++0
++
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++2d
++method: GET, uri: /foo, X: GET /bar HTTP/1.0
++
++0
++--- no_error_log
++[error]
++
++
++
++=== TEST 78: avoid request smuggling 2/4 (POST capture + smuggle in body)
++--- http_config
++    upstream backend {
++        server unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++        keepalive 32;
++    }
++
++    server {
++        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++
++        location / {
++            content_by_lua_block {
++                ngx.say("method: ", ngx.var.request_method,
++                        ", uri: ", ngx.var.uri)
++            }
++        }
++    }
++--- config
++    location /proxy {
++        proxy_http_version 1.1;
++        proxy_set_header   Connection "";
++        proxy_pass         http://backend/foo;
++    }
++
++    location /capture {
++        server_tokens off;
++        more_clear_headers Date;
++
++        content_by_lua_block {
++            ngx.req.read_body()
++            local res = ngx.location.capture("/proxy", { method = ngx.HTTP_POST })
++            ngx.print(res.body)
++        }
++    }
++
++    location /t {
++        content_by_lua_block {
++            local req = [[
++GET /capture HTTP/1.1
++Host: test.com
++Content-Length: 57
++Transfer-Encoding: chunked
++
++0
++
++POST /capture HTTP/1.1
++Host: test.com
++Content-Length: 60
++
++POST /bar HTTP/1.1
++Host: test.com
++Content-Length: 5
++
++hello
++
++]]
++
++            local sock = ngx.socket.tcp()
++            sock:settimeout(1000)
++
++            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++            if not ok then
++                ngx.say("failed to connect: ", err)
++                return
++            end
++
++            local bytes, err = sock:send(req)
++            if not bytes then
++                ngx.say("failed to send req: ", err)
++                return
++            end
++
++            ngx.say("req bytes: ", bytes)
++
++            local n_resp = 0
++
++            local reader = sock:receiveuntil("\r\n")
++            while true do
++                local line, err = reader()
++                if line then
++                    ngx.say(line)
++                    if line == "0" then
++                        n_resp = n_resp + 1
++                    end
++
++                    if n_resp >= 2 then
++                        break
++                    end
++
++                else
++                    ngx.say("err: ", err)
++                    break
++                end
++            end
++
++            sock:close()
++        }
++    }
++--- request
++GET /t
++--- response_body
++req bytes: 205
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++--- no_error_log
++[error]
++
++
++
++=== TEST 79: avoid request smuggling 3/4 (POST capture w/ always_forward_body + smuggle in body)
++--- http_config
++    upstream backend {
++        server unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++        keepalive 32;
++    }
++
++    server {
++        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++
++        location / {
++            content_by_lua_block {
++                ngx.say("method: ", ngx.var.request_method,
++                        ", uri: ", ngx.var.uri)
++            }
++        }
++    }
++--- config
++    location /proxy {
++        proxy_http_version 1.1;
++        proxy_set_header   Connection "";
++        proxy_pass         http://backend/foo;
++    }
++
++    location /capture {
++        server_tokens off;
++        more_clear_headers Date;
++
++        content_by_lua_block {
++            ngx.req.read_body()
++            local res = ngx.location.capture("/proxy", {
++                method = ngx.HTTP_POST,
++                always_forward_body = true
++            })
++            ngx.print(res.body)
++        }
++    }
++
++    location /t {
++        content_by_lua_block {
++            local req = [[
++GET /capture HTTP/1.1
++Host: test.com
++Content-Length: 57
++Transfer-Encoding: chunked
++
++0
++
++POST /capture HTTP/1.1
++Host: test.com
++Content-Length: 60
++
++POST /bar HTTP/1.1
++Host: test.com
++Content-Length: 5
++
++hello
++
++]]
++
++            local sock = ngx.socket.tcp()
++            sock:settimeout(1000)
++
++            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++            if not ok then
++                ngx.say("failed to connect: ", err)
++                return
++            end
++
++            local bytes, err = sock:send(req)
++            if not bytes then
++                ngx.say("failed to send req: ", err)
++                return
++            end
++
++            ngx.say("req bytes: ", bytes)
++
++            local n_resp = 0
++
++            local reader = sock:receiveuntil("\r\n")
++            while true do
++                local line, err = reader()
++                if line then
++                    ngx.say(line)
++                    if line == "0" then
++                        n_resp = n_resp + 1
++                    end
++
++                    if n_resp >= 2 then
++                        break
++                    end
++
++                else
++                    ngx.say("err: ", err)
++                    break
++                end
++            end
++
++            sock:close()
++        }
++    }
++--- request
++GET /t
++--- response_body
++req bytes: 205
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++--- no_error_log
++[error]
++
++
++
++=== TEST 80: avoid request smuggling 4/4 (POST capture w/ body + smuggle in body)
++--- http_config
++    upstream backend {
++        server unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++        keepalive 32;
++    }
++
++    server {
++        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock;
++
++        location / {
++            content_by_lua_block {
++                ngx.say("method: ", ngx.var.request_method,
++                        ", uri: ", ngx.var.uri)
++            }
++        }
++    }
++--- config
++    location /proxy {
++        proxy_http_version 1.1;
++        proxy_set_header   Connection "";
++        proxy_pass         http://backend/foo;
++    }
++
++    location /capture {
++        server_tokens off;
++        more_clear_headers Date;
++
++        content_by_lua_block {
++            ngx.req.read_body()
++            local res = ngx.location.capture("/proxy", {
++                method = ngx.HTTP_POST,
++                always_forward_body = true,
++                body = ngx.req.get_body_data()
++            })
++            ngx.print(res.body)
++        }
++    }
++
++    location /t {
++        content_by_lua_block {
++            local req = [[
++GET /capture HTTP/1.1
++Host: test.com
++Content-Length: 57
++Transfer-Encoding: chunked
++
++0
++
++POST /capture HTTP/1.1
++Host: test.com
++Content-Length: 60
++
++POST /bar HTTP/1.1
++Host: test.com
++Content-Length: 5
++
++hello
++
++]]
++
++            local sock = ngx.socket.tcp()
++            sock:settimeout(1000)
++
++            local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++            if not ok then
++                ngx.say("failed to connect: ", err)
++                return
++            end
++
++            local bytes, err = sock:send(req)
++            if not bytes then
++                ngx.say("failed to send req: ", err)
++                return
++            end
++
++            ngx.say("req bytes: ", bytes)
++
++            local n_resp = 0
++
++            local reader = sock:receiveuntil("\r\n")
++            while true do
++                local line, err = reader()
++                if line then
++                    ngx.say(line)
++                    if line == "0" then
++                        n_resp = n_resp + 1
++                    end
++
++                    if n_resp >= 2 then
++                        break
++                    end
++
++                else
++                    ngx.say("err: ", err)
++                    break
++                end
++            end
++
++            sock:close()
++        }
++    }
++--- request
++GET /t
++--- response_body
++req bytes: 205
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Transfer-Encoding: chunked
++Connection: keep-alive
++
++18
++method: POST, uri: /foo
++
++0
++--- no_error_log
++[error]

debian/modules/patches/http-lua/series

@@ -1 +1,2 @@
 discover-luajit-2.1.patch
+bugfix-prevented-request-smuggling-in-the-ngx.locati.patch

debian/patches/CVE-2019-20372.patch

@@ -0,0 +1,31 @@
+From 8bffc01d084b4881e3eed2052c115b8f04268cb9 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Mon, 23 Dec 2019 15:45:46 +0300
+Subject: [PATCH] Discard request body when redirecting to a URL via
+ error_page.
+
+Reported by Bert JW Regeer and Francisco Oca Gonzalez.
+---
+ src/http/ngx_http_special_response.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
+index 2c1ff174..e2a5e9dc 100644
+--- a/src/http/ngx_http_special_response.c
++++ b/src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
+-- 
+2.23.0
+

debian/patches/CVE-2019-9511.patch

@@ -0,0 +1,87 @@
+From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:36 +0300
+Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames.
+
+Fixed excessive memory growth and CPU usage if stream windows are
+manipulated in a way that results in generating many small DATA frames.
+Fix is to limit the number of simultaneously allocated DATA frames.
+---
+ src/http/v2/ngx_http_v2.c               |  2 ++
+ src/http/v2/ngx_http_v2.h               |  2 ++
+ src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++-----
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index be2ef82b..1b01f271 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
+      */
+     pool = stream->pool;
+ 
++    h2c->frames -= stream->frames;
++
+     ngx_http_free_request(stream->request, rc);
+ 
+     if (pool != h2c->state.pool) {
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index bec22160..715b7d30 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
+ 
+     ngx_buf_t                       *preread;
+ 
++    ngx_uint_t                       frames;
++
+     ngx_http_v2_out_frame_t         *free_frames;
+     ngx_chain_t                     *free_frame_headers;
+     ngx_chain_t                     *free_bufs;
+diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
+index 029e8ece..c7ee5536 100644
+--- a/src/http/v2/ngx_http_v2_filter_module.c
++++ b/src/http/v2/ngx_http_v2_filter_module.c
+@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
+ ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
+     size_t len, ngx_chain_t *first, ngx_chain_t *last)
+ {
+-    u_char                    flags;
+-    ngx_buf_t                *buf;
+-    ngx_chain_t              *cl;
+-    ngx_http_v2_out_frame_t  *frame;
++    u_char                     flags;
++    ngx_buf_t                 *buf;
++    ngx_chain_t               *cl;
++    ngx_http_v2_out_frame_t   *frame;
++    ngx_http_v2_connection_t  *h2c;
+ 
+     frame = stream->free_frames;
++    h2c = stream->connection;
+ 
+     if (frame) {
+         stream->free_frames = frame->next;
+ 
+-    } else {
++    } else if (h2c->frames < 10000) {
+         frame = ngx_palloc(stream->request->pool,
+                            sizeof(ngx_http_v2_out_frame_t));
+         if (frame == NULL) {
+             return NULL;
+         }
++
++        stream->frames++;
++        h2c->frames++;
++
++    } else {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "http2 flood detected");
++
++        h2c->connection->error = 1;
++        return NULL;
+     }
+ 
+     flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
+-- 
+2.20.1
+

debian/patches/CVE-2019-9513.patch

@@ -0,0 +1,62 @@
+From bbdc81631b6d322785d8e92788fd400e25a931e6 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:40 +0300
+Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames.
+
+Fixed excessive CPU usage caused by a peer that continuously shuffles
+priority of streams.  Fix is to limit the number of PRIORITY frames.
+---
+ src/http/v2/ngx_http_v2.c | 10 ++++++++++
+ src/http/v2/ngx_http_v2.h |  1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 1b01f271..fd6ecb05 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
+     h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
+ 
+     h2c->concurrent_pushes = h2scf->concurrent_pushes;
++    h2c->priority_limit = h2scf->concurrent_streams;
+ 
+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+     if (h2c->pool == NULL) {
+@@ -1806,6 +1807,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
+     }
+ 
++    if (--h2c->priority_limit == 0) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "client sent too many PRIORITY frames");
++
++        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
++    }
++
+     if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
+         return ngx_http_v2_state_save(h2c, pos, end,
+                                       ngx_http_v2_state_priority);
+@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
+         h2c->processing++;
+     }
+ 
++    h2c->priority_limit += h2scf->concurrent_streams;
++
+     return stream;
+ }
+ 
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 715b7d30..69d55d1c 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
+     ngx_uint_t                       idle;
++    ngx_uint_t                       priority_limit;
+ 
+     ngx_uint_t                       pushing;
+     ngx_uint_t                       concurrent_pushes;
+-- 
+2.20.1
+

debian/patches/CVE-2019-9516.patch

@@ -0,0 +1,45 @@
+From 840d8a3e2f126384eb4ee3e5dd7ffe875a5634c5 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:32 +0300
+Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
+
+Fixed uncontrolled memory growth if peer sends a stream of
+headers with a 0-length header name and 0-length header value.
+Fix is to reject headers with zero name length.
+---
+ src/http/v2/ngx_http_v2.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 12214e15..be2ef82b 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -1548,6 +1548,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+         header->name.len = h2c->state.field_end - h2c->state.field_start;
+         header->name.data = h2c->state.field_start;
+ 
++        if (header->name.len == 0) {
++            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                          "client sent zero header name length");
++
++            return ngx_http_v2_connection_error(h2c,
++                                                NGX_HTTP_V2_PROTOCOL_ERROR);
++        }
++
+         return ngx_http_v2_state_field_len(h2c, pos, end);
+     }
+ 
+@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
+     ngx_uint_t                 i;
+     ngx_http_core_srv_conf_t  *cscf;
+ 
+-    if (header->name.len == 0) {
+-        return NGX_ERROR;
+-    }
+-
+     r->invalid_header = 0;
+ 
+     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+-- 
+2.20.1
+

debian/patches/CVE-2021-23017.patch

@@ -0,0 +1,24 @@
+https://github.com/nginx/nginx/commit/7199ebc203f74fd9e44595474de6bdc41740c5cf
+
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -3975,15 +3975,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {

debian/patches/CVE-2021-3618.patch

@@ -0,0 +1,94 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 21 Nov 2022 12:43:20 +0100
+Subject: CVE-2021-3618
+
+Bug-Debian: https://bugs.debian.org/991328
+Origin: http://hg.nginx.org/nginx/rev/ec1071830799
+---
+ src/mail/ngx_mail.h             |  3 +++
+ src/mail/ngx_mail_core_module.c | 10 ++++++++++
+ src/mail/ngx_mail_handler.c     | 15 ++++++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
+index 6ecfefc..6961967 100644
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -112,6 +112,8 @@ typedef struct {
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
++    ngx_uint_t              max_errors;
++
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -224,6 +226,7 @@ typedef struct {
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
++    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
+index 276b8ee..690f7ab 100644
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t  ngx_mail_core_commands[] = {
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
++    { ngx_string("max_errors"),
++      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_MAIL_SRV_CONF_OFFSET,
++      offsetof(ngx_mail_core_srv_conf_t, max_errors),
++      NULL },
++
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
++    cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
++    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
+index bc3e6b9..41574f5 100644
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -769,7 +769,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++        s->errors++;
++
++        if (s->errors >= cscf->max_errors) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client sent too many invalid commands");
++            s->quit = 1;
++        }
++
++        return rc;
++    }
++
++    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 

debian/patches/CVE-2022-41741.patch

@@ -0,0 +1,307 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 21 Nov 2022 11:57:23 +0100
+Subject: CVE-2022-41741
+
+Origin: https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea
+---
+ src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++++++++++
+ 1 file changed, 147 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 618bf78..7b7184d 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -1076,6 +1076,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+         return NGX_ERROR;
+     }
+ 
++    if (mp4->ftyp_atom.buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
+@@ -1134,6 +1140,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+         return NGX_DECLINED;
+     }
+ 
++    if (mp4->moov_atom.buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
+ 
+     if (atom_data_size > mp4->buffer_size) {
+@@ -1201,6 +1213,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
+ 
++    if (mp4->mdat_atom.buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     data = &mp4->mdat_data_buf;
+     data->file = &mp4->file;
+     data->in_file = 1;
+@@ -1327,6 +1345,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
+ 
++    if (mp4->mvhd_atom.buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom_header = ngx_mp4_atom_header(mp4);
+     mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
+     mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
+@@ -1592,6 +1616,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->tkhd_size = atom_size;
+ 
+     ngx_mp4_set_32value(tkhd_atom->size, atom_size);
+@@ -1630,6 +1661,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->mdia_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1753,6 +1790,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->mdhd_size = atom_size;
+     trak->timescale = timescale;
+ 
+@@ -1795,6 +1839,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->hdlr_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1823,6 +1873,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->minf_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1866,6 +1922,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
++        || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
++    {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 vmhd/smhd atom in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->vmhd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1897,6 +1962,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
++        || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
++    {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 vmhd/smhd atom in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->smhd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1928,6 +2002,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->dinf_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -1956,6 +2036,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->stbl_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -2024,6 +2110,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+ 
+     trak = ngx_mp4_last_trak(mp4);
+ 
++    if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     atom = &trak->stsd_atom_buf;
+     atom->temporary = 1;
+     atom->pos = atom_header;
+@@ -2092,6 +2184,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->time_to_sample_entries = entries;
+ 
+     atom = &trak->stts_atom_buf;
+@@ -2297,6 +2396,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sync sample entries:%uD", entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->sync_samples_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
+@@ -2495,6 +2601,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "composition offset entries:%uD", entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->composition_offset_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
+@@ -2698,6 +2811,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->sample_to_chunk_entries = entries;
+ 
+     atom = &trak->stsc_atom_buf;
+@@ -3030,6 +3150,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+                    "sample uniform size:%uD, entries:%uD", size, entries);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->sample_sizes_entries = entries;
+ 
+     atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
+@@ -3199,6 +3326,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(uint32_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
++        || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
++    {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stco/co64 atom in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->chunks = entries;
+ 
+     atom = &trak->stco_atom_buf;
+@@ -3383,6 +3520,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
+     atom_end = atom_table + entries * sizeof(uint64_t);
+ 
+     trak = ngx_mp4_last_trak(mp4);
++
++    if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
++        || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
++    {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "duplicate mp4 stco/co64 atom in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
++    }
++
+     trak->chunks = entries;
+ 
+     atom = &trak->co64_atom_buf;

debian/patches/series

@@ -1,2 +1,9 @@
 0002-Make-sure-signature-stays-the-same-in-all-nginx-buil.patch
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
+CVE-2019-9516.patch
+CVE-2019-9511.patch
+CVE-2019-9513.patch
+CVE-2019-20372.patch
+CVE-2021-23017.patch
+CVE-2022-41741.patch
+CVE-2021-3618.patch