Version in base suite: 0.10.23-1 Base version: libnginx-mod-http-lua_0.10.23-1 Target version: libnginx-mod-http-lua_0.10.23-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libn/libnginx-mod-http-lua/libnginx-mod-http-lua_0.10.23-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libn/libnginx-mod-http-lua/libnginx-mod-http-lua_0.10.23-1+deb12u1.dsc changelog | 7 ++ patches/CVE-2024-33452.patch | 120 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 128 insertions(+) gpgv: Signature made Fri Feb 24 07:20:58 2023 UTC gpgv: using RSA key D008B0C23D8479E46B9FCB9045DA517496939FF9 gpgv: issuer "jan.mojzis@gmail.com" gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4y570mlb/libnginx-mod-http-lua_0.10.23-1.dsc: no acceptable signature found gpgv: Signature made Sun Dec 7 16:31:06 2025 UTC gpgv: using RSA key 374D8CE4DB96E9CBD4C0972A606D084E4683C079 gpgv: Can't check signature: No public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp4y570mlb/libnginx-mod-http-lua_0.10.23-1+deb12u1.dsc: no acceptable signature found
diff -Nru libnginx-mod-http-lua-0.10.23/debian/changelog libnginx-mod-http-lua-0.10.23/debian/changelog
--- libnginx-mod-http-lua-0.10.23/debian/changelog 2023-02-24 06:28:38.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/changelog 2025-08-31 07:35:09.000000000 +0000
@@ -1,3 +1,10 @@
+libnginx-mod-http-lua (1:0.10.23-1+deb12u1) bookworm; urgency=medium
+
+ * d/p/CVE-2024-33452.patch add, fix HTTP HEAD request smuggling issue
+ (CVE-2024-33452).
+
+ -- Jan Mojžíš Sun, 31 Aug 2025 09:35:09 +0200
+
 libnginx-mod-http-lua (1:0.10.23-1) unstable; urgency=medium
 
 * New upstream version 0.10.23
diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch
--- libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch 1970-01-01 00:00:00.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/patches/CVE-2024-33452.patch 2025-08-31 07:35:09.000000000 +0000
@@ -0,0 +1,120 @@
+Origin: https://github.com/openresty/lua-nginx-module/commit/e5248aa8203d3e0075822a577c1cdd19f5f1f831
+
+From e5248aa8203d3e0075822a577c1cdd19f5f1f831 Mon Sep 17 00:00:00 2001
+From: lijunlong
+Date: Sat, 9 Mar 2024 12:30:14 +0800
+Subject: [PATCH] bugfix: fixed HTTP HEAD request smuggling issue.
+
+---
+ src/ngx_http_lua_util.c | 6 ++++
+ t/020-subrequest.t | 80 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+)
+
+diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
+index 8fd26561..727ca3da 100644
+--- a/src/ngx_http_lua_util.c
++++ b/src/ngx_http_lua_util.c
+@@ -599,6 +599,12 @@ ngx_http_lua_send_chain_link(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
+ if (r->header_only) {
+ ctx->eof = 1;
+
++ if (!r->request_body && r == r->main) {
++ if (ngx_http_discard_request_body(r) != NGX_OK) {
++ return NGX_ERROR;
++ }
++ }
++
+ if (ctx->buffering) {
+ return ngx_http_lua_send_http10_headers(r, ctx);
+ }
+diff --git a/t/020-subrequest.t b/t/020-subrequest.t
+index c731f1e6..59b9f61a 100644
+--- a/t/020-subrequest.t
++++ b/t/020-subrequest.t
+@@ -3527,3 +3527,83 @@ HTTP/1.1 400 Bad Request
+ [error]
+ --- skip_nginx
+ 3: < 1.21.1
++
++
++
++=== TEST 83: avoid request smuggling of HEAD req
++--- config
++ location /capture {
++ server_tokens off;
++ more_clear_headers Date;
++
++ content_by_lua_block {
++ ngx.say("Hello")
++ }
++ }
++
++ location /t {
++ content_by_lua_block {
++ local req = [[
++HEAD /capture HTTP/1.1
++Host: test.com
++Content-Length: 63
++
++GET /capture HTTP/1.1
++Host: test.com
++X: GET /bar HTTP/1.0
++
++]]
++
++ local sock = ngx.socket.tcp()
++ sock:settimeout(1000)
++
++ local ok, err = sock:connect("127.0.0.1", $TEST_NGINX_SERVER_PORT)
++ if not ok then
++ ngx.say("failed to connect: ", err)
++ return
++ end
++
++ local bytes, err = sock:send(req)
++ if not bytes then
++ ngx.say("failed to send req: ", err)
++ return
++ end
++
++ ngx.say("req bytes: ", bytes)
++
++ local n_resp = 0
++
++ local reader = sock:receiveuntil("\r\n")
++ while true do
++ local line, err = reader()
++ if line then
++ ngx.say(line)
++ if line == "0" then
++ n_resp = n_resp + 1
++ end
++
++ if n_resp >= 2 then
++ break
++ end
++
++ else
++ ngx.say("err: ", err)
++ break
++ end
++ end
++
++ sock:close()
++ }
++ }
++--- request
++GET /t
++--- response_body
++req bytes: 117
++HTTP/1.1 200 OK
++Server: nginx
++Content-Type: text/plain
++Connection: keep-alive
++
++err: timeout
++--- error_log
++lua tcp socket read timed out
+--
+2.47.2
+
diff -Nru libnginx-mod-http-lua-0.10.23/debian/patches/series libnginx-mod-http-lua-0.10.23/debian/patches/series
--- libnginx-mod-http-lua-0.10.23/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ libnginx-mod-http-lua-0.10.23/debian/patches/series 2025-08-31 07:35:09.000000000 +0000
@@ -0,0 +1 @@
+CVE-2024-33452.patch
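Review bot: The new guard `if (ngx_http_discard_request_body(r) != NGX_OK)` in the ngx_http_lua_util.c hunk folds every failure into `NGX_ERROR`; as far as I recall, nginx's discard routine reports a malformed or over-long body with an HTTP status such as `NGX_HTTP_BAD_REQUEST` rather than `NGX_ERROR`, so a HEAD request with an invalid body would end in a dropped connection instead of a 400 — worth confirming whether callers of ngx_http_lua_send_chain_link can propagate a status, and documenting the choice if they cannot. The branch also needs a why-comment, since nothing in the code says what the discard protects against: `/* HEAD: consume any unread request body now, otherwise its bytes are parsed as the next pipelined request (CVE-2024-33452) */`. ngx_http_lua_send_chain_link starts and ends outside the hunk, so whether other early returns on the header_only path run before this discard cannot be checked here. The added TEST 83 only exercises a Content-Length body; a chunked HEAD body presumably takes the same discard path but is not covered.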