CVE-2017-20005

NameCVE-2017-20005
DescriptionNGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2680-1
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)stretch1.10.3-1+deb9u4vulnerable
stretch (security)1.10.3-1+deb9u7fixed
buster, buster (security)1.14.2-2+deb10u4fixed
bookworm, sid, bullseye1.18.0-6.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcestretch1.10.3-1+deb9u7DLA-2680-1
nginxsource(unstable)1.13.6-1

Notes

https://github.com/nginx/nginx/commit/0206ebe76f748bb39d9de4dd4b3fce777fdfdccf
https://github.com/nginx/nginx/commit/b900cc28fcbb4cf5a32ab62f80b59292e1c85b4b
https://trac.nginx.org/nginx/ticket/1368

Search for package or bug name: Reporting problems