packages/nginx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:d55097bbf46cbe58a4f6744a2a7dbbb113c4b7ab
Branches Tags
packages:main
...
compare: packages:c3101a05f31779f6cefd1e5673d8344396b268e3
Branches Tags
packages:main

10 Commits
d55097bbf4 ... c3101a05f3

Author SHA1 Message Date
openeuler-ci-bot
c3101a05f3
!106 fix CVE-2025-23419 
From: @eaglegai 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
 2025-02-11 01:39:32 +00:00
eaglegai
504a6e2067 fix CVE-2025-23419 2025-02-06 08:19:22 +00:00
openeuler-ci-bot
e6daf8b416
!90 fix CVE-2024-7347 
From: @fundawang 
Reviewed-by: @overweight 
Signed-off-by: @overweight
 2024-08-28 06:24:51 +00:00
Funda Wang
72713a3b28 fix CVE-2024-7347 2024-08-28 08:20:43 +08:00
openeuler-ci-bot
31e7c1ed25
!85 fix CVE-2023-44487 
From: @yangl777 
Reviewed-by: @overweight 
Signed-off-by: @overweight
 2023-10-20 08:05:36 +00:00
yangl777
c4e1d40b6a fix CVE-2023-44487 2023-10-19 15:08:29 +08:00
openeuler-ci-bot
2d60e39708
!68 add package mod-devel 
From: @sherlock2010 
Reviewed-by: @yaqiangchen 
Signed-off-by: @yaqiangchen
 2022-11-30 12:57:28 +00:00
sherlock2010
ae43b06f9e add package mod-devel 2022-11-28 02:19:59 +00:00
openeuler-ci-bot
116d739d64
!58 fix CVE-2022-41742 CVE-2022-41741 
From: @eaglegai 
Reviewed-by: @yaqiangchen 
Signed-off-by: @yaqiangchen
 2022-10-26 06:04:02 +00:00
eaglegai
ec32089ed5 fix CVE-2022-41742 CVE-2022-41741 2022-10-26 03:21:13 +00:00
7 changed files with 598 additions and 7 deletions
Show Stats Expand all files Collapse all files

310
backport-CVE-2022-41742_CVE-2022-41741.patch Normal file
View File

@ -0,0 +1,310 @@
From 0d23105373e6d8a720b9826079c077b9b4be919d Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 19 Oct 2022 10:53:17 +0300
Subject: [PATCH] Mp4: disabled duplicate atoms.
Most atoms should not appear more than once in a container. Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.
---
src/http/modules/ngx_http_mp4_module.c | 147 +++++++++++++++++++++++++
1 file changed, 147 insertions(+)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 5721efbe60..75a7315f98 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -1121,6 +1121,12 @@ ngx_http_mp4_read_ftyp_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
return NGX_ERROR;
}
+ if (mp4->ftyp_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 ftyp atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
ftyp_atom = ngx_palloc(mp4->request->pool, atom_size);
@@ -1179,6 +1185,12 @@ ngx_http_mp4_read_moov_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
return NGX_DECLINED;
}
+ if (mp4->moov_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 moov atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
if (atom_data_size > mp4->buffer_size) {
@@ -1246,6 +1258,12 @@ ngx_http_mp4_read_mdat_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mdat atom");
+ if (mp4->mdat_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdat atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
data = &mp4->mdat_data_buf;
data->file = &mp4->file;
data->in_file = 1;
@@ -1372,6 +1390,12 @@ ngx_http_mp4_read_mvhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "mp4 mvhd atom");
+ if (mp4->mvhd_atom.buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mvhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom_header = ngx_mp4_atom_header(mp4);
mvhd_atom = (ngx_mp4_mvhd_atom_t *) atom_header;
mvhd64_atom = (ngx_mp4_mvhd64_atom_t *) atom_header;
@@ -1637,6 +1661,13 @@ ngx_http_mp4_read_tkhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_TKHD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 tkhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->tkhd_size = atom_size;
trak->movie_duration = duration;
@@ -1676,6 +1707,12 @@ ngx_http_mp4_read_mdia_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_MDIA_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdia atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->mdia_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1799,6 +1836,13 @@ ngx_http_mp4_read_mdhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_size = sizeof(ngx_mp4_atom_header_t) + (size_t) atom_data_size;
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_MDHD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 mdhd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->mdhd_size = atom_size;
trak->timescale = timescale;
trak->duration = duration;
@@ -1862,6 +1906,12 @@ ngx_http_mp4_read_hdlr_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_HDLR_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 hdlr atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->hdlr_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1890,6 +1940,12 @@ ngx_http_mp4_read_minf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_MINF_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 minf atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->minf_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1933,6 +1989,15 @@ ngx_http_mp4_read_vmhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->vmhd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1964,6 +2029,15 @@ ngx_http_mp4_read_smhd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_VMHD_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_SMHD_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 vmhd/smhd atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->smhd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -1995,6 +2069,12 @@ ngx_http_mp4_read_dinf_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_DINF_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 dinf atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->dinf_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2023,6 +2103,12 @@ ngx_http_mp4_read_stbl_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_STBL_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stbl atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->stbl_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2144,6 +2230,12 @@ ngx_http_mp4_read_stsd_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
trak = ngx_mp4_last_trak(mp4);
+ if (trak->out[NGX_HTTP_MP4_STSD_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsd atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
atom = &trak->stsd_atom_buf;
atom->temporary = 1;
atom->pos = atom_header;
@@ -2212,6 +2304,13 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(ngx_mp4_stts_entry_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STTS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stts atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->time_to_sample_entries = entries;
atom = &trak->stts_atom_buf;
@@ -2480,6 +2579,13 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sync sample entries:%uD", entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stss atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sync_samples_entries = entries;
atom_table = atom_header + sizeof(ngx_http_mp4_stss_atom_t);
@@ -2678,6 +2784,13 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"composition offset entries:%uD", entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_CTTS_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 ctts atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->composition_offset_entries = entries;
atom_table = atom_header + sizeof(ngx_mp4_ctts_atom_t);
@@ -2881,6 +2994,13 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(ngx_mp4_stsc_entry_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSC_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsc atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sample_to_chunk_entries = entries;
atom = &trak->stsc_atom_buf;
@@ -3213,6 +3333,13 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
"sample uniform size:%uD, entries:%uD", size, entries);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STSZ_ATOM].buf) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stsz atom in \"%s\"", mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->sample_sizes_entries = entries;
atom_table = atom_header + sizeof(ngx_mp4_stsz_atom_t);
@@ -3396,6 +3523,16 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(uint32_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stco/co64 atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->chunks = entries;
atom = &trak->stco_atom_buf;
@@ -3602,6 +3739,16 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
atom_end = atom_table + entries * sizeof(uint64_t);
trak = ngx_mp4_last_trak(mp4);
+
+ if (trak->out[NGX_HTTP_MP4_STCO_ATOM].buf
+ || trak->out[NGX_HTTP_MP4_CO64_ATOM].buf)
+ {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "duplicate mp4 stco/co64 atom in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
trak->chunks = entries;
atom = &trak->co64_atom_buf;

76
backport-CVE-2023-44487.patch Normal file
View File

@ -0,0 +1,76 @@
From 6ceef192e7af1c507826ac38a2d43f08bf265fb9 Mon Sep 17 00:00:00 2001
From: Maxim Dounin <mdounin@mdounin.ru>
Date: Tue, 10 Oct 2023 15:13:39 +0300
Subject: [PATCH] HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced. This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.
Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.
Conflict: context adapt
Reference: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
---
src/http/v2/ngx_http_v2.c | 15 +++++++++++++++
src/http/v2/ngx_http_v2.h | 2 ++
2 files changed, 17 insertions(+)
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 7c05ff1e78..410a8be24e 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -347,6 +347,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
h2c->blocked = 1;
+ h2c->new_streams = 0;
if (c->close) {
c->close = 0;
@@ -1284,6 +1285,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
goto rst_stream;
}
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many streams at once");
+
+ status = NGX_HTTP_V2_REFUSED_STREAM;
+ goto rst_stream;
+ }
+
if (!h2c->settings_ack
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
@@ -1349,6 +1358,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
rst_stream:
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many refused streams");
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
+ }
+
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
}
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index cb9014ccfb..6751b3026d 100644
--- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h
@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t new_streams;
+ ngx_uint_t refused_streams;
ngx_uint_t priority_limit;
ngx_uint_t pushing;

43
backport-CVE-2024-7347.patch Normal file
View File

@ -0,0 +1,43 @@
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3099,7 +3099,8 @@ static ngx_int_t
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
{
- uint32_t start_sample, chunk, samples, id, next_chunk, n,
+ uint64_t n;
+ uint32_t start_sample, chunk, samples, id, next_chunk,
prev_samples;
ngx_buf_t *data, *buf;
ngx_uint_t entries, target_chunk, chunk_samples;
@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
next_chunk = ngx_mp4_get_32value(entry->chunk);
+ if (next_chunk < chunk) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "unordered mp4 stsc chunks in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"sample:%uD, chunk:%uD, chunks:%uD, "
"samples:%uD, id:%uD",
start_sample, chunk, next_chunk - chunk, samples, id);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample < n) {
goto found;
@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
start_sample, chunk, next_chunk - chunk, samples);
- n = (next_chunk - chunk) * samples;
+ n = (uint64_t) (next_chunk - chunk) * samples;
if (start_sample > n) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,

69
backport-CVE-2025-23419.patch Normal file
View File

@ -0,0 +1,69 @@
From 13935cf9fdc3c8d8278c70716417d3b71c36140e Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Wed, 22 Jan 2025 18:55:44 +0400
Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
resumption.
In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.
Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.
The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.
---
src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
1 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 3cca57cf5ee..9593b7fb506 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
goto done;
}
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION \
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+ /*
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+ * but servername being negotiated in every TLSv1.3 handshake
+ * is only returned in OpenSSL 1.1.1+ as well
+ */
+
+ if (sscf->verify) {
+ const char *hostname;
+
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+ c->ssl->handshake_rejected = 1;
+ *ad = SSL_AD_ACCESS_DENIED;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ }
+
+#endif
+
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
goto error;
@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
ngx_set_connection_log(c, clcf->error_log);
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
-
c->ssl->buffer_size = sscf->buffer_size;
if (sscf->ssl.ctx) {

20
macros.nginxmods.in Normal file
View File

@ -0,0 +1,20 @@
%_nginx_abiversion @@NGINX_ABIVERSION@@
%_nginx_srcdir @@NGINX_SRCDIR@@
%_nginx_buildsrcdir nginx-src
%_nginx_modsrcdir ..
%_nginx_modbuilddir ../%{_vpath_builddir}
%nginx_moddir @@NGINX_MODDIR@@
%nginx_modconfdir @@NGINX_MODCONFDIR@@
%nginx_modrequires Requires: nginx(abi) = %{_nginx_abiversion}
%nginx_modconfigure(:-:) \\\
%undefine _strict_symbol_defs_build \
cp -a "%{_nginx_srcdir}" "%{_nginx_buildsrcdir}" \
cd "%{_nginx_buildsrcdir}" \
nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" \
./configure --with-compat --with-cc-opt="%{optflags} $(pcre-config --cflags)" --with-ld-opt="$nginx_ldopts" \\\
--add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \
cd -
%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules

73
nginx.spec
View File

@ -11,10 +11,13 @@
%global with_aio 1
%global __provides_exclude_from ^%{_usrsrc}/%{name}-%{version}-%{release}/.*$
%global __requires_exclude_from ^%{_usrsrc}/%{name}-%{version}-%{release}/.*$
Name: nginx
Epoch: 1
Version: 1.21.5
Release: 1
Release: 6
Summary: A HTTP server, reverse proxy and mail proxy server
License: BSD
URL: http://nginx.org/
@ -24,6 +27,8 @@ Source10: nginx.service
Source11: nginx.logrotate
Source12: nginx.conf
Source13: nginx-upgrade
Source14: macros.nginxmods.in
Source15: nginxmods.attr
Source100: index.html
Source102: nginx-logo.png
Source103: 404.html
@ -34,6 +39,11 @@ Source210: UPGRADE-NOTES-1.6-to-1.10
Patch0: nginx-auto-cc-gcc.patch
Patch2: nginx-1.12.1-logs-perm.patch
Patch4: nginx-fix-pidfile.patch
Patch5: backport-CVE-2022-41742_CVE-2022-41741.patch
Patch6: backport-CVE-2023-44487.patch
# https://nginx.org/download/patch.2024.mp4.txt
Patch7: backport-CVE-2024-7347.patch
Patch8: backport-CVE-2025-23419.patch
BuildRequires: gcc openssl-devel pcre-devel zlib-devel systemd gperftools-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl pcre
@ -46,6 +56,7 @@ Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Provides: webserver
Provides: nginx(abi) = %{version}
Provides: %{name}-help = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-help < %{epoch}:%{version}-%{release}
Requires: (mailcap >= 2.1.49-3 if mailcap)
@ -86,7 +97,7 @@ The package contains the basic directory layout for the Nginx server.
%package mod-http-geoip
Summary: HTTP geoip module for nginx
BuildRequires: GeoIP-devel
Requires: nginx GeoIP
Requires: nginx(abi) = %{version} GeoIP
%description mod-http-geoip
The package is the Nginx HTTP geoip module.
@ -95,7 +106,7 @@ The package is the Nginx HTTP geoip module.
%package mod-http-image-filter
Summary: HTTP image filter module for nginx
BuildRequires: gd-devel
Requires: nginx gd
Requires: nginx(abi) = %{version} gd
%description mod-http-image-filter
Nginx HTTP image filter module.
@ -103,7 +114,7 @@ Nginx HTTP image filter module.
%package mod-http-perl
Summary: HTTP perl module for nginx
BuildRequires: perl-devel perl(ExtUtils::Embed)
Requires: nginx perl(constant)
Requires: nginx(abi) = %{version} perl(constant)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description mod-http-perl
@ -112,29 +123,45 @@ Nginx HTTP perl module.
%package mod-http-xslt-filter
Summary: XSLT module for nginx
BuildRequires: libxslt-devel
Requires: nginx
Requires: nginx(abi) = %{version}
%description mod-http-xslt-filter
Nginx XSLT module.
%package mod-mail
Summary: mail modules for nginx
Requires: nginx
Requires: nginx(abi) = %{version}
%description mod-mail
Nginx mail modules
%package mod-stream
Summary: stream modules for nginx
Requires: nginx
Requires: nginx(abi) = %{version}
%description mod-stream
Nginx stream modules.
%package mod-devel
Summary: nginx module development
Requires: nginx = %{epoch}:%{version}-%{release}
Requires: make gcc gd-devel libxslt-devel openssl-devel
Requires: pcre-devel perl-devel perl(ExtUtils::Embed) zlib-devel
%if 0%{?with_gperftools}
Requires: gperftools-devel
%endif
%if %{with geoip}
Requires: GeoIP-devel
%endif
%description mod-devel
Nginx module development
%prep
%autosetup -n %{name}-%{version} -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src
mv ../%{name}-%{version}-%{release}-src .
%build
export DESTDIR=%{buildroot}
@ -229,6 +256,17 @@ echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \
> .%{_datadir}/nginx/modules/mod-stream.conf
popd
mkdir -p %{buildroot}%{_usrsrc}
mv %{name}-%{version}-%{release}-src %{buildroot}%{_usrsrc}/%{name}-%{version}-%{release}
mkdir -p %{buildroot}%{_rpmmacrodir}
sed -e "s|@@NGINX_ABIVERSION@@|%{version}|g" \
-e "s|@@NGINX_MODDIR@@|%{_libdir}\/nginx\/modules|g" \
-e "s|@@NGINX_MODCONFDIR@@|%{_datadir}\/nginx\/modules|g" \
-e "s|@@NGINX_SRCDIR@@|%{_usrsrc}\/%{name}-%{version}-%{release}|g" \
%{SOURCE14} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods
install -Dpm0644 %{SOURCE15} %{buildroot}%{_fileattrsdir}/nginxmods.attr
%pre filesystem
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
getent passwd %{nginx_user} > /dev/null || useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
@ -295,6 +333,7 @@ fi
%{_bindir}/nginx-upgrade
%{_sbindir}/nginx
%dir %{_libdir}/nginx/modules
%dir %{_datadir}/nginx/modules
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx
%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp
%{_unitdir}/nginx.service
@ -339,12 +378,32 @@ fi
%{_libdir}/nginx/modules/ngx_mail_module.so
%{_datadir}/nginx/modules/mod-mail.conf
%files mod-devel
%{_rpmmacrodir}/macros.nginxmods
%{_fileattrsdir}/nginxmods.attr
%{_usrsrc}/%{name}-%{version}-%{release}
%files mod-stream
%{_libdir}/nginx/modules/ngx_stream_module.so
%{_datadir}/nginx/modules/mod-stream.conf
%changelog
* Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.21.5-6
- fix CVE-2025-23419
* Thu Aug 15 2024 Funda Wang <fundawang@yeah.net> - 1:1.21.5-5
- fix CVE-2024-7347
* Thu Oct 19 2023 yanglu <yanglu72@h-partners.com> - 1:1.21.5-4
- fix CVE-2023-44487
* Thu Nov 24 2022 zhouyihang <zhouyihang3@h-partners.com> - 1:1.21.5-3
- add package mod-devel
* Wed Oct 26 2022 gaihuiying <eaglegai@163.com> - 1:1.21.5-2
- fix CVE-2022-41742 CVE-2022-41741
* Mon Apr 25 2022 houyingchao <houyingchao@h-partners.com> - 1:1.21.5-1
- Upgrade to 1.21.5
- Fix CVE-2021-3618

14
nginxmods.attr Normal file
View File

@ -0,0 +1,14 @@
%__nginxmods_requires() %{lua:
-- Match buildroot paths of the form
-- /PATH/OF/BUILDROOT/usr/lib/nginx/modules/ and
-- /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/
-- generating a line of the form:
-- nginx(abi) = VERSION
local path = rpm.expand("%1")
if path:match("/usr/lib%d*/nginx/modules/.*") then
local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}")
print(requires)
end
}
%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$