Version in base suite: 1.18.0-6.1 Version in overlay suite: 1.18.0-6.1+deb11u1 Base version: nginx_1.18.0-6.1+deb11u1 Target version: nginx_1.18.0-6.1+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nginx/nginx_1.18.0-6.1+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nginx/nginx_1.18.0-6.1+deb11u2.dsc changelog | 8 ++++ patches/CVE-2021-3618.patch | 84 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 93 insertions(+)
diff -Nru nginx-1.18.0/debian/changelog nginx-1.18.0/debian/changelog
--- nginx-1.18.0/debian/changelog 2022-03-15 20:36:18.000000000 +0000
+++ nginx-1.18.0/debian/changelog 2022-05-14 06:27:08.000000000 +0000
@@ -1,3 +1,11 @@
+nginx (1.18.0-6.1+deb11u2) bullseye; urgency=medium
+
+ * d/patches/CVE-2021-3618.patch: Include upstream changeset from NGINX
+ that adds mitigations into the Mail module for CVE-2021-3618.patch.
+ (Closes: #991328)
+
+ -- Jan Mojžíš Sat, 14 May 2022 08:27:08 +0200
+
 nginx (1.18.0-6.1+deb11u1) bullseye; urgency=medium
 * Backport upstream bugfix for segfault in nginx core >= 1.15.0 when
diff -Nru nginx-1.18.0/debian/patches/CVE-2021-3618.patch nginx-1.18.0/debian/patches/CVE-2021-3618.patch
--- nginx-1.18.0/debian/patches/CVE-2021-3618.patch 1970-01-01 00:00:00.000000000 +0000
+++ nginx-1.18.0/debian/patches/CVE-2021-3618.patch 2022-05-14 06:23:49.000000000 +0000
@@ -0,0 +1,84 @@
+Subject: Patch mitigation for CVE-2021-3618
+ Mail: max_errors directive.
+ .
+ Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+ in Exim, specifies the number of errors after which the connection is closed.
+Origin: upstream, http://hg.nginx.org/nginx/rev/ec1071830799
+Bug-Debian: https://bugs.debian.org/991328
+
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+--- a/src/mail/ngx_mail_handler.c
++++ b/src/mail/ngx_mail_handler.c
+@@ -871,7 +871,20 @@
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
diff -Nru nginx-1.18.0/debian/patches/series nginx-1.18.0/debian/patches/series
--- nginx-1.18.0/debian/patches/series 2021-05-29 14:21:37.000000000 +0000
+++ nginx-1.18.0/debian/patches/series 2022-05-14 06:24:09.000000000 +0000
@@ -2,3 +2,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 CVE-2019-20372.patch
 Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+CVE-2021-3618.patch
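Review bot: The limit check in the ngx_mail_handler.c hunk, `if (s->errors >= cscf->max_errors)`, runs after `s->errors++`, so `max_errors 0` closes the session on the first invalid command instead of switching the limit off, and the merge default of 5 in ngx_mail_core_module.c applies to every existing mail proxy once this update is installed; neither the patch header nor the changelog entry says so. No reset of `s->errors` is visible in these hunks, so the count looks like a per-session total rather than a run of consecutive errors. The cut-off is logged at `NGX_LOG_INFO`, which is below nginx's default `error_log` level, so it is only visible to operators who log the mail block at info. As the header marks the code as an upstream changeset I would keep it unchanged and add to the patch description: ` New directive max_errors (default 5): closes the session after that many invalid commands; 0 closes on the first one; logged at info level.` The function patched in ngx_mail_handler.c starts and ends outside the hunk, so the assignment of `cscf` is assumed to precede this branch.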