NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module. External reference: https://trac.nginx.org/nginx/ticket/1368
Upstream patches: http://hg.nginx.org/nginx/rev/cdbcb73239ee http://hg.nginx.org/nginx/rev/644d0457782a
RHEL 8 versions and RHSCL-3 versions of NGINX markes as notaffected based on reported affected version and manual review of the code. The patch is already applied in those versions.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-20005