Ubuntu has issued an advisory on January 13: https://usn.ubuntu.com/4235-1/ The issue is fixed upstream in 1.17.7.
Status comment: (none) => Patch available from Ubuntu
SUSE has issued an advisory for this on February 6: http://lists.suse.com/pipermail/sle-security-updates/2020-February/006462.html
https://paste.debian.net/1148448/
CC: (none) => CheeseEBoi
Here is a proposed diff, ignore the previous one without the patch... I accidentally hit <enter>. https://paste.debian.net/1148450/
Better proposed patch https://paste.debian.net/1148455/
Advisory: ======================== Nginx was updated due to the following vulnerabilities: ngx_http_special_response.c: With a certain error_page configuration, HTTP request smuggling is possible. Thus, an attacker may be able to read unauthorized web pages at times when NGINX is being fronted by a load balancer. (CVE-2019-20372). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20372 https://usn.ubuntu.com/4235-1/ ======================== Updated the package in core/updates_testing: nginx-1.16.1-1.2.mga7 from nginx-1.16.1-1.2.mga7.src.rpm
Assignee: smelror => qa-bugsStatus comment: Patch available from Ubuntu => (none)
MGA7-64 Plasma on Lenovo B50 No installation issues Followed procedure as per bug 13044: # systemctl stop httpd # nginx then point browser at http://localhost/ and get in the page: "Welcome to nginx 1.6.1 on Mageia!" OK for me.
Whiteboard: (none) => MGA7-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => mageiaKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0231.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED