CVE-2017-7529

NameCVE-2017-7529
DescriptionNginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1024-1, DSA-3908-1
Debian Bugs868109

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nginx (PTS)jessie, jessie (lts)1.6.2-5+deb8u10fixed
stretch (security)1.10.3-1+deb9u7fixed
stretch (lts), stretch1.10.3-1+deb9u8fixed
buster (security), buster, buster (lts)1.14.2-2+deb10u5fixed
bullseye (security), bullseye1.18.0-6.1+deb11u3fixed
bookworm1.22.1-9fixed
sid, trixie1.26.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nginxsourcewheezy1.2.1-2.2+wheezy4+deb7u1DLA-1024-1
nginxsourcejessie1.6.2-5+deb8u5DSA-3908-1
nginxsourcestretch1.10.3-1+deb9u1DSA-3908-1
nginxsource(unstable)1.13.3-1868109

Notes

http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html
Fixed in 1.13.3, 1.12.1.
Search for package or bug name: Reporting problems