Bug#1112589: bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452)

To: Jan Mojzis <janmojzis@debian.org>, 1112589@bugs.debian.org
Subject: Bug#1112589: bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452)
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 06 Dec 2025 15:20:26 +0000
Message-id: <[🔎] 7a1f609abf4476dd810b044256b5f35ee956b965.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1112589@bugs.debian.org
In-reply-to: <175662640919.37182.2832409671040947151.reportbug@dev.h.mojzis.com>
References: <175662640919.37182.2832409671040947151.reportbug@dev.h.mojzis.com> <175662640919.37182.2832409671040947151.reportbug@dev.h.mojzis.com>

Control: tags -1 + confirmed

On Sun, 2025-08-31 at 09:46 +0200, Jan Mojzis wrote:
> An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a
> remote attacker to conduct HTTP request smuggling via a crafted HEAD
> request.
> CVE-2024-33452.
> 
> [ Reason ]
> When processing HTTP/1.1 requests, lua-nginx-module incorrectly
> parses HEAD requests with a body and treats the body as the new
> separate request.

Please go ahead; sorry for the delay.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#1112589: bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452)
  - From: Jan Mojzis <jan.mojzis@gmail.com>

Prev by Date: Processed: Re: Bug#1112093: bookworm-pu: package modsecurity-apache/2.9.7-1+deb12u2
Next by Date: Bug#1112093: bookworm-pu: package modsecurity-apache/2.9.7-1+deb12u2
Previous by thread: Processed: Re: Bug#1109993: bookworm-pu: package rsync/3.2.7-1+deb12u3
Next by thread: Processed: Re: Bug#1112589: bookworm-pu: package libnginx-mod-http-lua/1:0.10.23-1+deb12u1 (fix CVE-2024-33452)
Index(es):
- Date
- Thread