
Bug#1010963: marked as done (bullseye-pu: package nginx/1.18.0-6.1)



Your message dated Sat, 09 Jul 2022 11:47:43 +0100
with message-id <2280fe8c78e64b02a6c1d04c6dde5a32e342ba81.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 11.4
has caused the Debian Bug report #1010963,
regarding bullseye-pu: package nginx/1.18.0-6.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1010963: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010963
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

CVE-2021-3618 fix

[ Reason ]
Fixes the ALPACA attack, CVE-2021-3618:
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to a victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

[ Impact ]

Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
in Exim, the new max_errors directive specifies the number of errors after
which the connection is closed.

[ Tests ]
The patch sets a default of '5' error-cmd-tries.
This means the server must close the connection after 5 'bad commands'.

config:
~~~
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

mail {
        auth_http   localhost/cgi-bin/nginxauth.cgi;
        server {
                listen     localhost:25;
                protocol   smtp;
                proxy      on;
                smtp_auth login plain cram-md5;
        }
}
~~~

~~~
# telnet 0 25
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 localtest ESMTP ready
badcommand1
500 5.5.1 Invalid command
badcommand2
500 5.5.1 Invalid command
badcommand3
500 5.5.1 Invalid command
badcommand4
500 5.5.1 Invalid command
badcommand5
500 5.5.1 Invalid command
Connection closed by foreign host.
root@dev:~/nginx/nginx-1.18.0#
~~~


[ Risks ]
A MiTM attacker having access to a victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]

Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
in Exim, the new max_errors directive specifies the number of errors after
which the connection is closed.

diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog       2022-03-15 21:36:18.000000000 +0100
+++ nginx-1.18.0/debian/changelog       2022-05-14 08:27:08.000000000 +0200
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+  * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+    that adds mitigations into the Mail module for CVE-2021-3618.patch.
+    (Closes: #991328)
+
+ -- Jan Mojžíš <jan.mojzis@gmail.com>  Sat, 14 May 2022 08:27:08 +0200
+
 nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium

   * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
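Review bot: the second mention of the CVE in this changelog entry reads "for CVE-2021-3618.patch." with a stray ".patch" suffix; only the first mention (the d/patches file name) should carry it, so the line should end "...into the Mail module for CVE-2021-3618." Changelog text is what users see in the package history, so it is worth correcting before upload.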
diff -Nru nginx-1.18.0/debian/patches/CVE-2021-3618.patch nginx-1.18.0/debian/patches/CVE-2021-3618.patch
--- nginx-1.18.0/debian/patches/CVE-2021-3618.patch     1970-01-01 01:00:00.000000000 +0100
+++ nginx-1.18.0/debian/patches/CVE-2021-3618.patch     2022-05-14 08:23:49.000000000 +0200
@@ -0,0 +1,84 @@
+Subject: Patch mitigation for CVE-2021-3618
+ Mail: max_errors directive.
+ .
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799
+Bug-Debian: https://bugs.debian.org/991328
+
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+
++    ngx_uint_t              max_errors;
++
+     ngx_str_t               server_name;
+
+     u_char                 *file_name;
+@@ -231,6 +233,7 @@
+     ngx_uint_t              command;
+     ngx_array_t             args;
+
++    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+
+     /* used to parse POP3/IMAP/SMTP command */
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+
++    { ngx_string("max_errors"),
++      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++      ngx_conf_set_num_slot,
++      NGX_MAIL_SRV_CONF_OFFSET,
++      offsetof(ngx_mail_core_srv_conf_t, max_errors),
++      NULL },
++
+       ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++    cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+
++    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -871,7 +871,20 @@
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++        s->errors++;
++
++        if (s->errors >= cscf->max_errors) {
++            ngx_log_error(NGX_LOG_INFO, c->log, 0,
++                          "client sent too many invalid commands");
++            s->quit = 1;
++        }
++
++        return rc;
++    }
++
++    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+
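Review bot: the ngx_mail_handler.c hunk reads cscf->max_errors but neither declares nor assigns cscf, and the hunk header carries no function name; please confirm that the enclosing function in 1.18.0 already has an ngx_mail_core_srv_conf_t *cscf populated before this point, otherwise the backport will not build. Also, the new branch only sets s->quit = 1 after the invalid-command reply and relies on the protocol handlers to act on it; the [Tests] transcript shows that working for SMTP, but the same session struct serves POP3 and IMAP (see the "used to parse POP3/IMAP/SMTP command" comment in the ngx_mail.h hunk), so a short check of those two would round out the test report.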
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series  2021-05-29 16:21:37.000000000 +0200
+++ nginx-1.18.0/debian/patches/series  2022-05-14 08:24:09.000000000 +0200
@@ -2,3 +2,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
 Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+CVE-2021-3618.patch

--- End Message ---
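The [Tests] section of the request above checks the new max_errors limit by hand with telnet. The script below is an added example, not part of the bug report or of nginx: count_errors_until_close() automates that SMTP session by sending junk commands and counting the 500 replies before the peer hangs up, so it can be pointed at a real nginx mail proxy by host and port; MockMailHandler and start_mock_server() are a constructed stand-in for the patched proxy so the check can also run offline.

```python
import socket
import socketserver
import threading


def count_errors_until_close(host, port, max_tries=20, timeout=5.0):
    """Send junk SMTP commands; return how many 5xx replies arrive before
    the server hangs up (max_tries if it never does). Against nginx with
    the max_errors patch the result should equal max_errors (default 5)."""
    errors = 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        if not rfile.readline().startswith(b"220"):
            raise RuntimeError("unexpected SMTP greeting")
        for i in range(max_tries):
            try:
                sock.sendall(b"badcommand%d\r\n" % (i + 1))
                reply = rfile.readline()
            except (BrokenPipeError, ConnectionResetError):
                return errors          # peer reset after closing on us
            if not reply:              # clean EOF: server closed the session
                return errors
            if reply.startswith(b"5"):
                errors += 1
    return errors


class MockMailHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the nginx mail proxy (not nginx code): every
    command gets '500 5.5.1 Invalid command' and the session is dropped once
    the counter reaches max_errors, mirroring s->quit = 1 in the patch."""
    max_errors = 5

    def handle(self):
        self.wfile.write(b"220 mock ESMTP ready\r\n")
        errors = 0
        for _ in self.rfile:
            self.wfile.write(b"500 5.5.1 Invalid command\r\n")
            errors += 1
            if errors >= self.max_errors:
                return             # returning closes the connection


def start_mock_server(max_errors=5):
    """Start the mock on a free loopback port; returns (server, port)."""
    handler = type("Handler", (MockMailHandler,), {"max_errors": max_errors})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a proxy with the patch applied the function returns the configured max_errors (5 by default); a result equal to max_tries means the connection was never closed, i.e. the mitigation is not active on that listener.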
--- Begin Message ---
Package: release.debian.org
Version: 11.4

(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam

--- End Message ---
