Published: 12 April 2020
An issue was discovered in OpenResty before 18.104.22.168. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.
CVSS 3 base score: 7.5
|Ubuntu 20.10 (Groovy Gorilla)||
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 LTS (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
Binaries built from this source package are in Universe and so are supported by the community.
The Lua module is included in the debian directory as it is not part of the upstream nginx release. It is included in the nginx-extras binary package in Universe.