Description: Our corporate security tooling classifies www.libreoffice.org as a risk because the used nginx/1.10.3 is vulnerable for CVE-2021-23017. In worst case we will no longer be able to download LibreOffice and access https://www.libreoffice.org Steps to Reproduce: 1. curl --head https://www.libreoffice.org 2. check nginx version 3. check https://nvd.nist.gov/vuln/detail/CVE-2021-23017 some more insights and potential fixes can be found via: $ testssl https://www.libreoffice.org Actual Results: $ curl --head https://www.libreoffice.org HTTP/2 200 server: nginx/1.10.3 date: Tue, 12 Jul 2022 15:03:47 GMT content-type: text/html; charset=utf-8 vary: X-Forwarded-Protocol last-modified: Tue, 12 Jul 2022 07:21:40 GMT cache-control: no-cache, no-store, must-revalidate x-frame-options: SAMEORIGIN content-security-policy: frame-ancestors 'self' Expected Results: nginx not vulnerable for CVE-2021-23017 , nginx > 1.20.1 see https://nvd.nist.gov/vuln/detail/CVE-2021-23017 Reproducible: Always User Profile Reset: No Additional Info: There was no infra component to file the bug, so please route this to the correct team.
Infra and website issues go to https://redmine.documentfoundation.org/ (new accounts require a manual approval) I mentioned this report on IRC #tdf-infra at Libera Chat. No comment so far from admins, but I noticed the disclosure says "The issue only affects nginx if the "resolver" directive is used in the configuration file." https://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html Going over the configs in https://git.libreoffice.org/infra/salt/+/refs/heads/master/nginx I was unable to find such a directive.