CVE-2017-7529

NameCVE-2017-7529
DescriptionNginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1024-1, DSA-3908-1
NVD severitymedium
Debian Bugs868109

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)stretch1.10.3-1+deb9u4fixed
stretch (security)1.10.3-1+deb9u5fixed
buster, buster (security)1.14.2-2+deb10u3fixed
bullseye, sid1.18.0-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcewheezy1.2.1-2.2+wheezy4+deb7u1DLA-1024-1
nginxsourcejessie1.6.2-5+deb8u5DSA-3908-1
nginxsourcestretch1.10.3-1+deb9u1DSA-3908-1
nginxsource(unstable)1.13.3-1868109

Notes

http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
Fixed in 1.13.3, 1.12.1.

Search for package or bug name: Reporting problems