Ubuntu 26.04, nginx 1.28.3-2ubuntu1.3 +
libnginx-mod-http-headers-more-filter 1:0.39-2build3 with
more_clear_headers active: instead of
crashing, it silently corrupts HTTP/1.1 response status lines - NUL
bytes where the status code/reason go (HTTP/1.1 \0\0\0\0\0\0 instead of
HTTP/1.1 200 OK). HTTP/2 is unaffected (separate path), thus browsers
never see it; however, HTTP/1.1 clients get an unparseable response. In
my case Telegram's webhook was unable to parse it, marked every delivery
failed, and re-delivered the same update in a backoff loop - while nginx
and the backend both logged clean 200s.

Repro (cat -A renders the NULs as ^@):

    printf 'GET / HTTP/1.1\r\nHost: H\r\nConnection: close\r\n\r\n' \
      | openssl s_client -quiet -connect H:443 -servername H | head -1 | cat -A

Flagging because silent wrong responses (no crash, no error log) are
easy to miss and argue for the non-ABI-breaking fix over leaving the CVE
patch disabled.
--
https://bugs.launchpad.net/bugs/2155992
Title:
headers-more dynamic module crash | Signal 11 and 6 Crashes due to
ABI breakage on 1.24.0-2ubuntu7.10 and 1.28.3-2ubuntu1.3
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
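
Added example, not part of the original bug comment or of nginx: a monitoring check for the failure described above, which validates the HTTP/1.1 status line of a response instead of trusting the server's access log. The names classify_status_line and probe are hypothetical, and the sample responses are constructed from the two status lines quoted in the report.

```python
import re
import socket
import ssl

# status-line = HTTP-version SP status-code SP [reason-phrase]  (RFC 9112, section 4)
STATUS_LINE = re.compile(rb"HTTP/1\.[01] ([0-9]{3}) [\t \x21-\x7e\x80-\xff]*")


def classify_status_line(raw: bytes) -> str:
    """Classify the first line of a raw HTTP/1.x response."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    if b"\x00" in line:
        return "nul-corrupted"  # the symptom from the report
    match = STATUS_LINE.fullmatch(line)
    if match is None:
        return "malformed"
    return "ok:" + match.group(1).decode()


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the same HTTP/1.1 request as the repro and classify the reply."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])  # stay on the HTTP/1.1 path, not HTTP/2
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(req)
            # Only the first line is needed; stop once it has arrived.
            while b"\n" not in buf and len(buf) < 8192:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return classify_status_line(buf)


# Constructed samples: a healthy reply and the corrupted one from the report.
SAMPLES = {
    "healthy": b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "corrupted": b"HTTP/1.1 " + b"\x00" * 6 + b"\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_status_line(raw))
```

Run probe() against your own host from a scheduled check and alert on anything that does not start with "ok:".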