CVE-2017-7529

NameCVE-2017-7529
DescriptionNginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1024-1, DSA-3908-1
Debian Bugs868109

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)buster1.14.2-2+deb10u4fixed
buster (security)1.14.2-2+deb10u5fixed
bullseye (security), bullseye1.18.0-6.1+deb11u3fixed
bookworm1.22.1-7fixed
sid1.22.1-9fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcewheezy1.2.1-2.2+wheezy4+deb7u1DLA-1024-1
nginxsourcejessie1.6.2-5+deb8u5DSA-3908-1
nginxsourcestretch1.10.3-1+deb9u1DSA-3908-1
nginxsource(unstable)1.13.3-1868109

Notes

http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
Fixed in 1.13.3, 1.12.1.
Search for package or bug name: Reporting problems