CVE-2017-7529

NameCVE-2017-7529
DescriptionNginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1024-1, DSA-3908-1
NVD severitymedium (attack range: remote)
Debian Bugs868109

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)wheezy1.2.1-2.2+wheezy4vulnerable
wheezy (security)1.2.1-2.2+wheezy4+deb7u1fixed
jessie1.6.2-5+deb8u4vulnerable
jessie (security)1.6.2-5+deb8u5fixed
stretch (security), stretch1.10.3-1+deb9u1fixed
buster, sid1.13.6-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsource(unstable)1.13.3-1medium868109
nginxsourcejessie1.6.2-5+deb8u5mediumDSA-3908-1
nginxsourcestretch1.10.3-1+deb9u1mediumDSA-3908-1
nginxsourcewheezy1.2.1-2.2+wheezy4+deb7u1mediumDLA-1024-1

Notes

http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
Fixed in 1.13.3, 1.12.1.

Search for package or bug name: Reporting problems