Comment by panzi

20 hours ago

Does Debian 12 have this patched? But I guess I'm not affected if I don't use `rewrite` or `set` anywhere?

6 comments

panzi

Reply
wiredfool  19 hours ago

Ubuntu has patched as of this morning. Debian doesn't look like they've patched trixie yet.

  • rslashuser  18 hours ago

    Just as a PSA, I found that "nginx -v" was not detailed about the version sufficient to check, but "apt list nginx" gave the full version number that was checkable, and indeed the 24.04 version of this morning (1.24.0-2ubuntu7.8) is patched.

iririririr  20 hours ago

I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to end tls and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker controller data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. aparently named captures are not affect. Unless you have a $1 somewhere, it should be fine.

  • babuskov  18 hours ago

    The default NGINX PHP integration uses this:

        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;