[Pkg-nginx-maintainers] debdiff patch for CVE-2021-23017
Anton Luka Šijanec
anton at sijanec.eu
Wed May 26 21:14:02 BST 2021
Hello!
> If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
I made a debdiff for myself according to upstream instructions from the patch [0]. It is attached to this e-mail.
Link to the upstream patch was found here:
https://security-tracker.debian.org/tracker/CVE-2021-23017
Note that the upstream patch by nginx is for fresh nginx versions, whereas my debdiff targets the 1.14.2-2+deb10u3 release in Debian 10 (buster), so there's a small possibility that the mentioned patch might not be enough to fix the vulnerability. But I tested the patch on the PoC python script that the research team provided and valgrind did not report invalid reads like it did in the current version in Debian repos.
Applying my patch and building package:
apt-get source nginx
cd nginx-1.14.2
curl https://of.sijanec.eu/krneki/ngx-debdiff.txt | debdiff-apply
# edit debian/changelog to set the target version (by default debdiff adds .1 to previous version), probably 1.14.2-2+deb10u4
debuild -uc -us
Regards!
[0] http://nginx.org/download/patch.2021.resolver.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ngx-debdiff.txt
URL: <http://alioth-lists.debian.net/pipermail/pkg-nginx-maintainers/attachments/20210526/c80fe039/attachment-0001.txt>
More information about the Pkg-nginx-maintainers
mailing list