NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
RHEL 8 versions and RHSCL-3 versions of NGINX markes as notaffected based on reported affected version and manual review of the code. The patch is already applied in those versions.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):