USN-4235-1: nginx vulnerability

Reference Links

• https://ubuntu.com/security/CVE-2019-20372
• https://ubuntu.com/security/notices/USN-4235-2
• https://launchpad.net/ubuntu/+source/nginx/1.16.1-0ubuntu2.1
• https://launchpad.net/ubuntu/+source/nginx/1.15.9-0ubuntu1.2
• https://launchpad.net/ubuntu/+source/nginx/1.14.0-0ubuntu1.7
• https://launchpad.net/ubuntu/+source/nginx/1.10.3-0ubuntu0.16.04.5
• https://ubuntu.com/security/notices/USN-4235-1 (Advisory)

Child vulnerabilities

(Contains the following vulnerabilities)

• CVE-2019-20372

Frequently Asked Questions

• What is the vulnerability ID for this nginx vulnerability?

  The vulnerability ID for this nginx vulnerability is CVE-2019-20372.

• What is the severity of CVE-2019-20372?

  The severity of CVE-2019-20372 is moderate.

• Which software versions are affected by CVE-2019-20372?

  The affected software versions are: nginx-common 1.16.1-0ubuntu2.1, nginx-core 1.16.1-0ubuntu2.1, nginx-extras 1.16.1-0ubuntu2.1, nginx-full 1.16.1-0ubuntu2.1, nginx-light 1.16.1-0ubuntu2.1, nginx-common 1.15.9-0ubuntu1.2, nginx-core 1.15.9-0ubuntu1.2, nginx-extras 1.15.9-0ubuntu1.2, nginx-full 1.15.9-0ubuntu1.2, nginx-light 1.15.9-0ubuntu1.2, nginx-common 1.14.0-0ubuntu1.7, nginx-core 1.14.0-0ubuntu1.7, nginx-extras 1.14.0-0ubuntu1.7, nginx-full 1.14.0-0ubuntu1.7, nginx-light 1.14.0-0ubuntu1.7, nginx-common 1.10.3-0ubuntu0.16.04.5, nginx-core 1.10.3-0ubuntu0.16.04.5, nginx-extras 1.10.3-0ubuntu0.16.04.5, nginx-full 1.10.3-0ubuntu0.16.04.5, nginx-light 1.10.3-0ubuntu0.16.04.5.

• How can a remote attacker exploit CVE-2019-20372?

  A remote attacker could possibly exploit this vulnerability to perform HTTP request smuggling attacks and access resources contrary to expectations.

• How can I fix CVE-2019-20372?

  To fix CVE-2019-20372, upgrade to the following versions: nginx-common 1.16.1-0ubuntu2.1, nginx-core 1.16.1-0ubuntu2.1, nginx-extras 1.16.1-0ubuntu2.1, nginx-full 1.16.1-0ubuntu2.1, nginx-light 1.16.1-0ubuntu2.1.