Bug 1187685

Summary: VUL-0: nginx: mitigate the ALPACA attack limiting the number of errors after which the connection is closed
Product: [Novell Products] SUSE Security Incidents Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: IncidentsAssignee: Felix Schnizlein <fschnizlein>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: andreas.taschner, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/302859
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1187678    

Description Gianluca Gabrielli 2021-06-24 12:20:46 UTC 
max_errors directive.

Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
in Exim, specifies the number of errors after which the connection is closed.
Comment 1 Gianluca Gabrielli 2021-06-24 12:28:17 UTC 
Affected packages:
 - SUSE:SLE-15-SP1:Update/nginx    1.16.1
 - SUSE:SLE-15-SP2:Update/nginx    1.16.1
 - SUSE:SLE-15-SP3:Update/nginx    1.19.8
 - SUSE:SLE-15:Update/nginx        1.16.1

Already fixed package:
 - openSUSE:Factory/nginx  1.21.0

Upstream patch [0].

[0] https://hg.nginx.org/nginx/rev/ec1071830799
Comment 2 Gianluca Gabrielli 2022-01-18 09:18:52 UTC 
Hi Felix, can you please submit the missing patches?
Comment 3 Gianluca Gabrielli 2022-08-01 07:18:45 UTC 
Hi Felix the we need you to submit the patch to the packages mentioned in comment1.

The following package adds to the already fixed list:
 - SUSE:SLE-15-SP4:Update/nginx   1.21.5
Comment 5 Swamp Workflow Management 2022-11-23 14:22:24 UTC 
SUSE-SU-2022:4192-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187685
CVE References: CVE-2021-3618
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    nginx-1.16.1-150000.3.18.1
SUSE Linux Enterprise Server 15-LTSS (src):    nginx-1.16.1-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nginx-1.16.1-150000.3.18.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nginx-1.16.1-150000.3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-11-23 20:24:23 UTC 
SUSE-SU-2022:4201-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187685
CVE References: CVE-2021-3618
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nginx-1.19.8-150300.3.9.1
openSUSE Leap 15.3 (src):    nginx-1.19.8-150300.3.9.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    nginx-1.19.8-150300.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-11-29 14:21:22 UTC 
SUSE-SU-2022:4266-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187685
CVE References: CVE-2021-3618
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nginx-1.16.1-150100.6.16.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nginx-1.16.1-150100.6.16.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nginx-1.16.1-150100.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nginx-1.16.1-150100.6.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nginx-1.16.1-150100.6.16.1
SUSE Enterprise Storage 6 (src):    nginx-1.16.1-150100.6.16.1
SUSE CaaS Platform 4.0 (src):    nginx-1.16.1-150100.6.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-29 14:23:18 UTC 
SUSE-SU-2022:4265-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1187685
CVE References: CVE-2021-3618
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    nginx-1.16.1-150200.3.9.1
SUSE Manager Retail Branch Server 4.1 (src):    nginx-1.16.1-150200.3.9.1
SUSE Manager Proxy 4.1 (src):    nginx-1.16.1-150200.3.9.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nginx-1.16.1-150200.3.9.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nginx-1.16.1-150200.3.9.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nginx-1.16.1-150200.3.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nginx-1.16.1-150200.3.9.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nginx-1.16.1-150200.3.9.1
SUSE Enterprise Storage 7 (src):    nginx-1.16.1-150200.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Felix Schnizlein 2022-12-08 08:39:16 UTC 
Update with patches for this CVE has been released. I close this now.