Compare commits

..

No commits in common. 'c9' and 'c8-stream-1.22' have entirely different histories.

2
.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/nginx-1.20.1.tar.gz SOURCES/nginx-1.22.1.tar.gz
SOURCES/nginx-logo.png SOURCES/nginx-logo.png

@ -1,2 +1,2 @@
6b4ab4eff3c617e133819f43fdfc14708e593a79 SOURCES/nginx-1.20.1.tar.gz 45a89797f7c789287c7f663811efbbd19e84f154 SOURCES/nginx-1.22.1.tar.gz
e28dd656984cc2894d8124c5278789c656f6a9cb SOURCES/nginx-logo.png e28dd656984cc2894d8124c5278789c656f6a9cb SOURCES/nginx-logo.png

@ -1,31 +0,0 @@
From 00cab63102084b89de0a3494a1d023c4b1d4982b Mon Sep 17 00:00:00 2001
From: Felix Kaechele <felix@kaechele.ca>
Date: Sun, 7 Jun 2020 12:14:02 -0400
Subject: [PATCH 1/2] remove Werror in upstream build scripts
removes -Werror in upstream build scripts. -Werror conflicts with
-D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Signed-off-by: Felix Kaechele <felix@kaechele.ca>
---
auto/cc/gcc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/auto/cc/gcc b/auto/cc/gcc
index a5c5c18..cdbbadb 100644
--- a/auto/cc/gcc
+++ b/auto/cc/gcc
@@ -166,7 +166,9 @@ esac
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+# This combined with Fedora's FORTIFY_SOURCE=2 option causes it nginx
+# to not compile.
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"
--
2.31.1

@ -1,108 +0,0 @@
From 62470498cca9a209aa9904668c1949f5229123af Mon Sep 17 00:00:00 2001
From: Felix Kaechele <felix@kaechele.ca>
Date: Tue, 20 Apr 2021 21:28:18 -0400
Subject: [PATCH 2/2] fix PIDFile handling
Corresponding RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1869026
Rejected upstream: https://trac.nginx.org/nginx/ticket/1897
Taken from: https://git.launchpad.net/ubuntu/+source/nginx/tree/debian/patches/nginx-fix-pidfile.patch
From original patch:
Author: Tj <ubuntu@iam.tj>
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876365
iLast-Update: 2020-06-24
Signed-off-by: Felix Kaechele <felix@kaechele.ca>
---
src/core/nginx.c | 24 +++++++++++++++++++++---
src/os/unix/ngx_daemon.c | 8 ++++++--
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/src/core/nginx.c b/src/core/nginx.c
index 48a20e9..32c0afe 100644
--- a/src/core/nginx.c
+++ b/src/core/nginx.c
@@ -339,14 +339,21 @@ main(int argc, char *const *argv)
ngx_process = NGX_PROCESS_MASTER;
}
+ /* tell-tale to detect if this is parent or child process */
+ ngx_int_t child_pid = NGX_BUSY;
+
#if !(NGX_WIN32)
if (ngx_init_signals(cycle->log) != NGX_OK) {
return 1;
}
+ /* tell-tale that this code has been executed */
+ child_pid--;
+
if (!ngx_inherited && ccf->daemon) {
- if (ngx_daemon(cycle->log) != NGX_OK) {
+ child_pid = ngx_daemon(cycle->log);
+ if (child_pid == NGX_ERROR) {
return 1;
}
@@ -359,8 +366,19 @@ main(int argc, char *const *argv)
#endif
- if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) {
- return 1;
+ /* If ngx_daemon() returned the child's PID in the parent process
+ * after the fork() set ngx_pid to the child_pid, which gets
+ * written to the PID file, then exit.
+ * For NGX_WIN32 always write the PID file
+ * For others, only write it from the parent process */
+ if (child_pid < NGX_OK || child_pid > NGX_OK) {
+ ngx_pid = child_pid > NGX_OK ? child_pid : ngx_pid;
+ if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) {
+ return 1;
+ }
+ }
+ if (child_pid > NGX_OK) {
+ exit(0);
}
if (ngx_log_redirect_stderr(cycle) != NGX_OK) {
diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c
index 385c49b..3719854 100644
--- a/src/os/unix/ngx_daemon.c
+++ b/src/os/unix/ngx_daemon.c
@@ -7,14 +7,17 @@
#include <ngx_config.h>
#include <ngx_core.h>
+#include <unistd.h>
ngx_int_t
ngx_daemon(ngx_log_t *log)
{
int fd;
+ /* retain the return value for passing back to caller */
+ pid_t pid_child = fork();
- switch (fork()) {
+ switch (pid_child) {
case -1:
ngx_log_error(NGX_LOG_EMERG, log, ngx_errno, "fork() failed");
return NGX_ERROR;
@@ -23,7 +26,8 @@ ngx_daemon(ngx_log_t *log)
break;
default:
- exit(0);
+ /* let caller do the exit() */
+ return pid_child;
}
ngx_parent = ngx_pid;
--
2.31.1

@ -1,96 +0,0 @@
From ee8ea4f1c88a0393206769cd30a545dc3375f868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 2 Feb 2022 20:14:55 +0100
Subject: [PATCH] Fix ALPACA security issue
---
src/mail/ngx_mail.h | 3 +++
src/mail/ngx_mail_core_module.c | 10 ++++++++++
src/mail/ngx_mail_handler.c | 15 ++++++++++++++-
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index b865a3b..76cae37 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -115,6 +115,8 @@ typedef struct {
ngx_msec_t timeout;
ngx_msec_t resolver_timeout;
+ ngx_uint_t max_errors;
+
ngx_str_t server_name;
u_char *file_name;
@@ -231,6 +233,7 @@ typedef struct {
ngx_uint_t command;
ngx_array_t args;
+ ngx_uint_t errors;
ngx_uint_t login_attempt;
/* used to parse POP3/IMAP/SMTP command */
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index 4083124..115671c 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
NULL },
+ { ngx_string("max_errors"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
+ NULL },
+
ngx_null_command
};
@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
cscf->timeout = NGX_CONF_UNSET_MSEC;
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ cscf->max_errors = NGX_CONF_UNSET_UINT;
+
cscf->resolver = NGX_CONF_UNSET_PTR;
cscf->file_name = cf->conf_file->file.name.data;
@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
30000);
+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 0aaa0e7..71b8151 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+ s->errors++;
+
+ if (s->errors >= cscf->max_errors) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many invalid commands");
+ s->quit = 1;
+ }
+
+ return rc;
+ }
+
+ if (rc == NGX_IMAP_NEXT) {
return rc;
}
--
2.31.1

@ -16,5 +16,5 @@ Prevent dynamic modules from being enabled automatically
You may want to avoid dynamic modules being enabled automatically. Simply You may want to avoid dynamic modules being enabled automatically. Simply
remove this line from the top of /etc/nginx/nginx.conf: remove this line from the top of /etc/nginx/nginx.conf:
include /usr/lib64/nginx/modules/*.conf; include /usr/share/nginx/modules/*.conf;

@ -17,4 +17,4 @@
--add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \ --add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \
cd - cd -
%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules %nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} modules

@ -1,69 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF4TqFoBEADNbls05thIAYVVKdMDRdtzGk7HXGqx60u/kh4BL9HskUpyYFTp
N07RJ1TyyusfD7I3skuGHvtQhqdTwHPDEPL5qrAnHps9XWUQrtU7hflcIKt43iDe
TvfVVhN0nPir2++C4qvNnrC/UCisyz00H/I9mobl2qzyKyLT8BnUBVuXDfOTlUCY
oF4z5BieOMvg1DZNKFDnK67ZuO4JXgtMlu4Q3tFd7qSWCWGuCuAGgn6eWFYMzCbB
rPyBYwb7xyycQzqmJiD7Qm9OeVHmZj5rG5hGM14MyTSUVJle0U+CJCF9lmfVuR/c
ySy7WmQgIg327x5Y5xa3pKZAvIAycnDabAk/08p59BG7UdAi2S7+2SicAH89/81V
g4BI4mZp+IuxaP+S+ckaRf1CUvRAJuLTqUeBSuOzjag+ibD6rqusuZ1MZqLxnXyu
gAztNDcmEFa/pqp5bgWbrlTF6zKt4cQf+a/JqFGatsfSzmrIyIZ6GEqgb8oXDDIt
Z1AqsTfp6ZBC1vITE9+b0zBw6qq/nGD0Iq47Vp1VxmlxmnoeR4ir8z/oSukPulLU
K3IqkmRNGEilINrtBt5jFbBlx8kwdCYvxEF6ymibBBqvwwv65jrrKheBQm+HrrVS
aMQmo4Qzj/h/ZLL9KENHibNwUypJnvwEvw0YkAyjICvoNzDUsM+92+B/ewARAQAB
tCFNYXhpbSBLb25vdmFsb3YgPG1heGltQG5naW54LmNvbT6JAlcEEwEKAEECGwMF
CwkIBwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQRB25JxPTv0v/PukQacXn+i9Ul3
1AUCXhgw1wUJBagi/QAKCRCcXn+i9Ul31LltD/40KNFPvDaORz35udrm0cyVIgbI
lq7Vswfo5JIr8MyJ+VKJFQ2n2JiQT8QbX52Sy5P80ktSAFqcT3vtWB7bI6RfJ8Jx
YM/w3XKnNMoUt7Q/cqZK5Ra/csmaCWqP4UVUvUBjHvly0MpnE1kxEDUglrcyVKjt
fxB/GXeUpKOELXG44zvW2CP9Mce0FbDxrh8iCai9MK+2oSt1aJV+gONLWscRgsc7
6q9/4KUXByt0qxScYPRQRIaxpIA8sCno21owcMOf8aQtun6Ytf+UIovl9DmK2pRm
Ifc2JruW1Jx2r7z955ZFNgTA380jEL85dWbgbHF/pYPlwcTCnaAf294kefjrX9DN
rejbZZ3Fh2QGs0tWW5+wncVWndq4jLQTeamUdzw5MPpOh+bZoHT+7z1PDGWe+PIn
DTbfaFYL7MsXwScMUsexKLOoDO6KKpZjcsw9/b5JsJmP73ZEj02BjRudapObiRxm
MtDl8Zmpg7ZUqMHEuUzyEyI5nSWu4njjrWJO0CnsjLpv2UxAbxDn1NGc/DoyxM1l
4SQv4AJuSLo1x7PTRb9V9HkWqxXf+yCkNpV9UjmlrH104gWL6sof6rX8Jo6k+Sz+
yyQHcVbrJ95Y3hQU7QMMnotzVbL7BRtWMtDYTp7q+gYbZ0s+YRXjaHcA5IuV65tM
tEPwGpOCofQ2avkdqIhdBBARCgAdFiEEZVBsAu/CUPG3o9aU7PDpCywXIIMFAl4T
qXUACgkQ7PDpCywXIIN5CQCgyNFrUBGlUvH9QlDSE/umzoyXW/UAn0ve2/HzpMVN
uPMAAgnHYE2R0eiEtCNNYXhpbSBLb25vdmFsb3YgPG1heGltQEZyZWVCU0Qub3Jn
PokCVAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBEHbknE9O/S/
8+6RBpxef6L1SXfUBQJeGDDXBQkFqCL9AAoJEJxef6L1SXfUJ/IQALtwaB7mlBUB
NdzqQRIZAVSnJZ2w6+Iul7Ax4gKrqWj6SvL/5jEdZm65D0kjxJIHq+dO+lJIMLzp
rBkfZ0kkxOPQ1rw/QR31qHLAibknrwIQQVtzFvVg4iW7IZefx6WGbJJC5IbjBUBf
HATqbXmMAcLILh9+t4q7Qvwi2b8ZIsC37cktthad7j4kvXqV5BJ4I+PoDT0CcW48
wgTfMwhib52pLMu3Ghk56kwHBtYSHUDrA4KWRzRHxQ+RoUXLIdtmMRbp8ztwBMJZ
+J/9TLrb3YHUidS3l2nE55l9dJZycCU2EOAhJMbFKbmfW/9we/Sm+vnoALGExepl
FgdGz2NTqPA4ha2y2rBC73TSkfM+4amIrr6kSbeofjQL/w5+fhxAvM5oXuzffPK9
8IR31d66JUTjeueobguzh9ApeHElmihimRJk0KP+NVAMNCIZmlMuOXHPwnCajcBh
Sh9kFGy6tPPPZYQOHSm5KvyjIJDfmkFfJ5ybazkmsGhZMzQs4ZHItC1jf0vYCqsr
d3eVEQesy5nDlSC2lWK84R+J+qTL82ZbCc/VZMniCBCC9xIvEOU9gtIH+58vF8dq
l/jTmGp2h1/kHlJfn0cnxKJDzn2IG16jqR7VdWQEO5hjEMaZdxhM1jPGRdkM82fB
Wwv8BLBpgBstyQlxJ/NNO5+dCtZYWRcviF0EEBEKAB0WIQRlUGwC78JQ8bej1pTs
8OkLLBcggwUCXhOpbwAKCRDs8OkLLBcgg/jfAKCO7DIiB2DGBfLCFftmyuZJN2A6
ZgCfV/cclX++mLyiyYqr2BXnrQk4NVG5Ag0EXhOoWgEQAOmkirptbymUR2JP9DrP
e7aELbUw4bcMx4/nQo1QyKxjDhUdgUui4OiqxmhMjT2IlgFvcYsMeLiYGa/EdBkd
Yq4DtEwc++2eybFQA1z6Hrk+sxdd8neN4azUa5sqVvUwenQ7UMPclSQJaE1nVGCZ
KKVyNsK36RJrE0JfdmE1zKZFWmTCTZ/D/hTCq+hjMpCV+VWFaz3h4S+XsZiBgLB4
+zmyHjyU6E+ecELvAHoXwMbAPiFzzms824Fc1BKHjnc8BBzfUVdIBGhxOVNHDSj3
oxPsiBnuvSlQMlGx0YNLw/tTfw+CFOot5o/KIq9svUp8W9mdj6kKaqBLNxpjHbhQ
yvVSK7O5uS62emMHkRwgu1tmP98d3bGlXRn+S+2MCuyqdFaK40B6vnkPnXpl5ggE
w8JoH11ahNeJ5tX8/JpX/0aQmapt7CKwcgELJap+Qp8i/MFXef7FK/nE0lFIL95o
l9uthd/beX6dz/EEw61lC17Opd3y0N+Dy+eJ0wbULdgKrblZ0PxsumLeICGLs7/P
O9/3nQHJRjmFaVG10t5bL/77gvQ4l7HcuLS1GGHh+RM6EsFuuiqI+aFcDFyRITli
g0QRq4y/C6nqhTWEyYriIi8Dq6JxXisklC1WvSIgPwq1/msmrbiKcJZFPoNtMVtO
dzL3naM5IWOa290R541GjkEVABEBAAGJAjwEGAEKACYCGwwWIQRB25JxPTv0v/Pu
kQacXn+i9Ul31AUCXhgw/QUJBagjIwAKCRCcXn+i9Ul31MQDEACeO6ZBLEWswuyU
RErntoHkY6wIkpfMiERjgfqbNkrdBgXg8dT7kPsXFEtv3ZccjPbsRecJaXdmwGab
mp9MUDYG3SiqgFNriJTv2WECzgYKrZQg38JVwfl7OHPaV2fwZvG56a4qKpIZ3wIg
4acfEPkHQ2ygpKnEJD4IsEK225PtYq5lmNfntvDhbuTPh2vY8T9w0udGCzp4JS60
zLeGGat+52PislEtrSa2B7zSMzGmOqDidaDbEfzdzL+IteZHWDGmYNQ8yICIv6Wj
A80k7uhzDWJf5RMQSNybBykrlWSooaVrBWHgDky5ldAQjDtVrMkBpzglH8FQ44i+
la9caRDfw0Lfxg52vV4eXtpSHAYx3cFREEW9xpTOwOE7Qg0JyHAkUKNb8DJgyehC
BjSeeiMFiZX1plyYFrUAB8dVXi9Z7kqOjTpfYU6kAxDXzQhlqqgYRwoFJQcsQ1Ll
jKptAs6glmDx8dJcjUrK/eH24GGg46eGv2wxY4+sItXfLQ2oeU4uh/vORjvgeeNp
er4z5KLuKxwgpaobavtRZmZSZdGrdC93Si27dpSRiWYn1csoTxG0zZhUVFFW68I4
I5PIdJwblvxayVKdg0aVW/RwDsOLH0twVxwnOPSjLPEB2IwGnlX6rN38cRnibPXM
yh4LsaVRdhbFe9aNd/O5iNgDcQtCUg==
=/pFc
-----END PGP PUBLIC KEY BLOCK-----

@ -1,33 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (FreeBSD)
mQENBE7SKu8BCADQo6x4ZQfAcPlJMLmL8zBEBUS6GyKMMMDtrTh3Yaq481HB54oR
0cpKL05Ff9upjrIzLD5TJUCzYYM9GQOhguDUP8+ZU9JpSz3yO2TvH7WBbUZ8FADf
hblmmUBLNgOWgLo3W+FYhl3mz1GFS2Fvid6Tfn02L8CBAj7jxbjL1Qj/OA/WmLLc
m6BMTqI7IBlYW2vyIOIHasISGiAwZfp0ucMeXXvTtt14LGa8qXVcFnJTdwbf03AS
ljhYrQnKnpl3VpDAoQt8C68YCwjaNJW59hKqWB+XeIJ9CW98+EOAxLAFszSyGanp
rCqPd0numj9TIddjcRkTA/ZbmCWK+xjpVBGXABEBAAG0IU1heGltIERvdW5pbiA8
bWRvdW5pbkBtZG91bmluLnJ1PokBOAQTAQIAIgUCTtIq7wIbAwYLCQgHAwIGFQgC
CQoLBBYCAwECHgECF4AACgkQUgqZk6HAUvj+iwf/b4FS6zVzJ5T0v1vcQGD4ZzXe
D5xMC4BJW414wVMU15rfX7aCdtoCYBNiApPxEd7SwiyxWRhRA9bikUq87JEgmnyV
0iYbHZvCvc1jOkx4WR7E45t1Mi29KBoPaFXA9X5adZkYcOQLDxa2Z8m6LGXnlF6N
tJkxQ8APrjZsdrbDvo3HxU9muPcq49ydzhgwfLwpUs11LYkwB0An9WRPuv3jporZ
/XgI6RfPMZ5NIx+FRRCjn6DnfHboY9rNF6NzrOReJRBhXCi6I+KkHHEnMoyg8XET
9lVkfHTOl81aIZqrAloX3/00TkYWyM2zO9oYpOg6eUFCX/Lw4MJZsTcT5EKVxIhG
BBARAgAGBQJO01Y/AAoJEOzw6QssFyCDVyQAn3qwTZlcZgyyzWu9Cs8gJ0CXREaS
AJ92QjGLT9DijTcbB+q9OS/nl16Z/IhGBBARAgAGBQJO02JDAAoJEKk3YTmlJMU+
P64AnjCKEXFelSVMtgefJk3+vpyt3QX1AKCH9M3MbTWPeDUL+MpULlfdyfvjj7kB
DQRO0irvAQgA0LjCc8S6oZzjiap2MjRNhRFA5BYjXZRZBdKF2VP74avt2/RELq8G
W0n7JWmKn6vvrXabEGLyfkCngAhTq9tJ/K7LPx/bmlO5+jboO/1inH2BTtLiHjAX
vicXZk3oaZt2Sotx5mMI3yzpFQRVqZXsi0LpUTPJEh3oS8IdYRjslQh1A7P5hfCZ
wtzwb/hKm8upODe/ITUMuXeWfLuQj/uEU6wMzmfMHb+jlYMWtb+v98aJa2FODeKP
mWCXLa7bliXp1SSeBOEfIgEAmjM6QGlDx5sZhr2Ss2xSPRdZ8DqD7oiRVzmstX1Y
oxEzC0yXfaefC7SgM0nMnaTvYEOYJ9CH3wARAQABiQEfBBgBAgAJBQJO0irvAhsM
AAoJEFIKmZOhwFL4844H/jo8icCcS6eOWvnen7lg0FcCo1fIm4wW3tEmkQdchSHE
CJDq7pgTloN65pwB5tBoT47cyYNZA9eTfJVgRc74q5cexKOYrMC3KuAqWbwqXhkV
s0nkWxnOIidTHSXvBZfDFA4Idwte94Thrzf8Pn8UESudTiqrWoCBXk2UyVsl03gJ
blSJAeJGYPPeo+Yj6m63OWe2+/S2VTgmbPS/RObn0Aeg7yuff0n5+ytEt2KL51gO
QE2uIxTCawHr12PsllPkbqPk/PagIttfEJqn9b0CrqPC3HREePb2aMJ/Ctw/76CO
wn0mtXeIXLCTvBmznXfaMKllsqbsy2nCJ2P2uJjOntw=
=Tavt
-----END PGP PUBLIC KEY BLOCK-----

@ -0,0 +1,13 @@
diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
index aee7a58..bcceecb 100644
--- a/src/core/ngx_cycle.c
+++ b/src/core/ngx_cycle.c
@@ -1108,7 +1108,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user)
}
fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND,
- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS);
+ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220);
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
"reopen file \"%s\", old:%d new:%d",

@ -1,13 +1,3 @@
From 80c0ee172cceaef933ff5a451ec2a16213e03996 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 22 Sep 2021 15:55:39 +0200
Subject: [PATCH] Set proper compiler optimalization level (O2) for perl
module.
---
src/http/modules/perl/Makefile.PL | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/http/modules/perl/Makefile.PL b/src/http/modules/perl/Makefile.PL diff --git a/src/http/modules/perl/Makefile.PL b/src/http/modules/perl/Makefile.PL
index 7edadcb..2ebb7c4 100644 index 7edadcb..2ebb7c4 100644
--- a/src/http/modules/perl/Makefile.PL --- a/src/http/modules/perl/Makefile.PL
@ -21,6 +11,3 @@ index 7edadcb..2ebb7c4 100644
LDDLFLAGS => "$ENV{NGX_PM_LDFLAGS}", LDDLFLAGS => "$ENV{NGX_PM_LDFLAGS}",
--
2.31.1

@ -1,17 +1,8 @@
From a769a35a6197c76390e1dd8f5054d426fbbbda05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Wed, 22 Sep 2021 16:12:58 +0200
Subject: [PATCH] Init openssl engine properly
---
src/event/ngx_event_openssl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 270b200..f813458 100644 index 7be4fb4..ab3865a 100644
--- a/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c
@@ -798,16 +798,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, @@ -727,16 +727,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
return NULL; return NULL;
} }
@ -36,6 +27,3 @@ index 270b200..f813458 100644
ENGINE_free(engine); ENGINE_free(engine);
return pkey; return pkey;
--
2.31.1

@ -1,17 +1,8 @@
From 4e5f12d6584536ead82d20554d8f3f2ab0107b0b Mon Sep 17 00:00:00 2001
From: Lubos Uhliarik <luhliari@redhat.com>
Date: Fri, 30 Apr 2021 13:07:45 +0000
Subject: [PATCH 3/3] Support loading certificates from hardware token (PKCS#11)
---
src/event/ngx_event_openssl.c | 65 +++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index d762d6b..270b200 100644 index 0a2f260..606b6e2 100644
--- a/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c
@@ -617,6 +617,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, @@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
X509 *x509, *temp; X509 *x509, *temp;
u_long n; u_long n;
@ -83,6 +74,3 @@ index d762d6b..270b200 100644
if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
--
2.26.3

@ -1,18 +1,5 @@
From cc7b92c61a2833ff9dc2b4dfba4591966769da78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Tue, 21 Jun 2022 13:55:04 +0200
Subject: [PATCH] Enable TLSv1.3 by default in nginx
---
src/event/ngx_event_openssl.c | 77 ++++++++++++++------------
src/event/ngx_event_openssl.h | 1 +
src/http/modules/ngx_http_ssl_module.c | 3 +-
src/mail/ngx_mail_ssl_module.c | 3 +-
src/stream/ngx_stream_ssl_module.c | 3 +-
5 files changed, 46 insertions(+), 41 deletions(-)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f813458..2e6a6c0 100644 index 2b0c5e6..9278087 100644
--- a/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c
@@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log) @@ -258,6 +258,8 @@ ngx_ssl_init(ngx_log_t *log)
@ -90,7 +77,7 @@ index f813458..2e6a6c0 100644
+ +
+ /* Now, we have to scan for minimal protocol version, + /* Now, we have to scan for minimal protocol version,
+ *without allowing holes between min and max*/ + *without allowing holes between min and max*/
+#ifdef SSL_OP_NO_TLSv1_3 +#if SSL_OP_NO_TLSv1_3
+ if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) { + if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
+ prot = TLS1_2_VERSION; + prot = TLS1_2_VERSION;
+ } + }
@ -168,6 +155,3 @@ index d8c0471..cef590d 100644
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
--
2.31.1

@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJgrPDQAAoJEFIKmZOhwFL4dlIH/RFvUn4wiazXVujdm1df2/Q5
b+NVlr+O9WZ2Mb35dooOshG/G2wVjI95Cd5NU6svulJ05uv6tGgHA0CUZP6PLqIm
4os5QcgbEbfdDbfQEw7wyc831DqiBPwzk/xt954vsqwzX3mkXvUNTEYpynguwN1J
2iMb/bFRSlLZkKGbKOmLMO7iav0r88qtpmQIzG1mFTDg3leH0q3hEMAJl7pIicYd
Of3+/EHnM8CXORtA1q6YTLbcHAzhSmjdrMyw+RQGQkxoPtdj9vwL4Z6Wk8+6dDK7
dVBaiKp80tDM/iJizPbkbrBVbnR/9W48+QBC7tmOJMuj2c1Q/kvwJg9CLyHlqCU=
=tPti
-----END PGP SIGNATURE-----

@ -19,7 +19,7 @@ low tolerance to flooding attempts.
2 files changed, 17 insertions(+) 2 files changed, 17 insertions(+)
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 3611a2e..291677a 100644 index 0e45a7b..253718f 100644
--- a/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c
@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) @@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
@ -30,7 +30,7 @@ index 3611a2e..291677a 100644
if (c->close) { if (c->close) {
c->close = 0; c->close = 0;
@@ -1320,6 +1321,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, @@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
goto rst_stream; goto rst_stream;
} }
@ -45,7 +45,7 @@ index 3611a2e..291677a 100644
if (!h2c->settings_ack if (!h2c->settings_ack
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
@@ -1385,6 +1394,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, @@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
rst_stream: rst_stream:
@ -59,10 +59,10 @@ index 3611a2e..291677a 100644
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
} }
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
index 3492297..6a7aaa6 100644 index 70ee287..7593f1c 100644
--- a/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h
+++ b/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h
@@ -125,6 +125,8 @@ struct ngx_http_v2_connection_s { @@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s {
ngx_uint_t processing; ngx_uint_t processing;
ngx_uint_t frames; ngx_uint_t frames;
ngx_uint_t idle; ngx_uint_t idle;
@ -71,6 +71,3 @@ index 3492297..6a7aaa6 100644
ngx_uint_t priority_limit; ngx_uint_t priority_limit;
ngx_uint_t pushing; ngx_uint_t pushing;
--
2.31.1

@ -0,0 +1,13 @@
--- auto/cc/gcc.orig 2007-03-22 08:34:53.000000000 -0600
+++ auto/cc/gcc 2007-03-22 08:58:47.000000000 -0600
@@ -172,7 +172,9 @@
# stop on warning
-CFLAGS="$CFLAGS -Werror"
+# This combined with Fedora's FORTIFY_SOURCE=2 option causes it nginx
+# to not compile.
+#CFLAGS="$CFLAGS -Werror"
# debug
CFLAGS="$CFLAGS -g"

@ -4,7 +4,7 @@
user nginx; user nginx;
worker_processes auto; worker_processes auto;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid; pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
@ -23,7 +23,6 @@ http {
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65; keepalive_timeout 65;
types_hash_max_size 4096; types_hash_max_size 4096;
@ -72,11 +71,11 @@ http {
# include /etc/nginx/default.d/*.conf; # include /etc/nginx/default.d/*.conf;
# #
# error_page 404 /404.html; # error_page 404 /404.html;
# location = /40x.html { # location = /404.html {
# } # }
# #
# error_page 500 502 503 504 /50x.html; # error_page 500 502 503 504 /50x.html;
# location = /50x.html { # location = /50x.html {
# } # }
# } # }

@ -1,14 +1,2 @@
%__nginxmods_requires() %{lua: %__nginxmods_requires %{_rpmconfigdir}/nginxmods.req
-- Match buildroot paths of the form
-- /PATH/OF/BUILDROOT/usr/lib/nginx/modules/ and
-- /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/
-- generating a line of the form:
-- nginx(abi) = VERSION
local path = rpm.expand("%1")
if path:match("/usr/lib%d*/nginx/modules/.*") then
local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}")
print(requires)
end
}
%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$ %__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$

@ -0,0 +1,6 @@
#!/bin/sh
# Generate Requires: nginx(abi) = VERSION
echo "nginx(abi) = $(rpm --eval '%{_nginx_abiversion}')"
exit 0

@ -1,41 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (FreeBSD)
mQENBE5E4vkBCADPkWWzk7W5cXOqeZ1ULNSj8nt5azbYjfQ8OyR2AaDW8J7oazYH
reIHKid5uZVJxwr1uLoMloGiYTdy4XYIF2WcOfDnjNGumrAT0Nd4Kdax/pHr5Pdp
jFsO4BkHyWk/5/zDCijyoGYLBR6I8hqn+WDuLG/sTtVuTWkUeOlfxb2eZdLyZ3oP
5T5FXtWTpKvr2y7RGshmS6EJnjiVvvErdbNItFXghqvBBaFOJaS2PRBEO9RfKpti
i+eS/cmlrm+Tjv44EPfQyLtAmCQ8uqfL50uIKEp6/dsC/OVJ6JlJOYl4j90DX7vB
TJaOyUm4s+BLF2BK+Ow8+s+B6jQ5noa/o16NABEBAAG0IFNlcmdleSBCdWRuZXZp
dGNoIDxzYkBuZ2lueC5jb20+iQE+BBMBAgAoBQJOROQ6AhsDBQkJZgGABgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCmT9Wxets5qEQgB/43Mxmiy7DjXEbxIYkC
9xPC4kf1X+bHkJ9BtAgaYDQewjtQ7vS98TKJBibm3l4egmBjFWjCpL8845n966+u
XDqrDWJtOPUXvSEQNXGlijDGSxxpdK2dxDOKIOC8nIlZq/Xz/Uqjb2ZrszmYK2LD
IHI1mN9HdI6aTt41QbtG0nkaPPgv3MEvxSMVCzVddroyPXvf/ErT4OSYU+dqJhH+
SBIezuF0suzH/siCksbSBZHIst5rggpjsZvijP5YFH/hpEsR+tKXo9EFk49xn9Ou
WdmpOEs7CKDbTApkh9XN/Pk5nJQ/HIDuW8pkgzf2wxNWlMSYw6xnozDkeIqpJcDD
4niqiEYEEBECAAYFAk5OYocACgkQ7PDpCywXIIMKtQCfaAl2rvbEImu6MnDR32KG
HTDH2TEAoNeWrSlavyFzbSQka53E9Gs6gF63tCBTZXJnZXkgQnVkbmV2aXRjaCA8
c2JAd2FlbWUubmV0PokBQQQTAQIAKwIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYC
AwECHgECF4AFAk5OR38CGQEACgkQpk/VsXrbOagPmAf/QmIEDkkiovc1MgQ81lh4
eeHfvtptb+U4GVCu07DQUR9kEtN6Jqi65gKb95fEztI14PpX+euiWrc/RlnsxWc0
jYF0UmyacWLN6oHPoxlCK5+7zyoz5UTNrYGkTfWfcNtTU509CEZRClBNjMZOTZjP
QhdR+Ce6tngRcQvMGNaLjJkKuY7vPh6FjT5oqxpnEIRTsWq6bUaeCXm7j9x0as1Z
w1E5D5it3Ug3VlAe58jFJmRgatOsWznKuNoLRjQ2Chp2ce+dLgXriuJMrvEsn5S4
dImUGL5DVYWDVZNG+r85XnOhMfKG308pZby1uzFvD+j3P6yMj1tpaCAAi5lUkHh6
bIhGBBARAgAGBQJOTmJ/AAoJEOzw6QssFyCDH50AoMyJPvPDTYXK5KHOlPYPZQ5M
OuCAAJ9zQ/3hKedm3xCLGl4Y6hjxJNlUTbkBDQROROL5AQgAuGIfx9aVOOXVdj8b
XvjBQt+UkBURYGACHFQ69w71Aupsg9pZ7FgwgVKxnoNlmRag8sInjQbs3M/lS0sB
dg75zZ7Ph7aPev8RAqdtX5+xxvujv1cmkFBExFuC5Wp/Yfzk/lPWZR4vXZrTpRiF
PLMlRu0CEJFqoqPPygGFar02Q7rO+da35pxAuYrOWGM7MNr8H/vk13+GiqniBQCa
uSoWwZQzaEdG5VGgm/vAwPzO+Cbam3r+Hs7OieykAy8fv+B+qhHn8Vc/520iGvdO
IAKpxl6oZrkbNL/wozOOLZni7iWl30C43ujxPiGRlg/YotHmhlnMic85QKyakXCS
WXI/JQARAQABiQElBBgBAgAPBQJOROL5AhsMBQkJZgGAAAoJEKZP1bF62zmoGCwH
/2a6zlu4Jwmv21vuroaAzECV8gp1luBeagn23EgMMukYhkbwLtL/0twAHmZlkpzl
atfq/EH2PgOasl2biJixqp7o9V7Uw6PS5JoY+1IrLEurG+FU2TN/Ysp12al4Z0Hh
p4yBRSEikISO9gkeUThixDPX1PjCpx8G/ZYqk+8jRCcDgWsUc/WV3VGPht68oDd7
56/hfQYc/V3eJmm5WYLVGV7Q69tGtp6D09SpoeqCD2K77auEBRVJ4jaT4B2/EfSb
x6y7Dy4Oxm8TBOQ2EZw2vEixKxtEt86/oBtLUkqVockPq/Ek9AL+KzT6VR1xU+Cm
CoHAyoqJeb/xLBwuKWg0/4U=
=iFlP
-----END PGP PUBLIC KEY BLOCK-----

@ -5,20 +5,10 @@
# See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19 # See: https://src.fedoraproject.org/rpms/redhat-rpm-config/c/078af19
%undefine _strict_symbol_defs_build %undefine _strict_symbol_defs_build
%global with_gperftools 0
%bcond_with geoip %bcond_with geoip
# nginx gperftools support should be dissabled for RHEL >= 8
# see: https://bugzilla.redhat.com/show_bug.cgi?id=1931402
%if 0%{?rhel} >= 8
%global with_gperftools 0
%else
# gperftools exist only on selected arches
# gperftools *detection* is failing on ppc64*, possibly only configure
# bug, but disable anyway.
%ifnarch s390 s390x ppc64 ppc64le
%global with_gperftools 1
%endif
%endif
%global with_aio 1 %global with_aio 1
@ -37,24 +27,19 @@
%global __provides_exclude_from ^%{nginx_srcdir}/.*$ %global __provides_exclude_from ^%{nginx_srcdir}/.*$
%global __requires_exclude_from ^%{nginx_srcdir}/.*$ %global __requires_exclude_from ^%{nginx_srcdir}/.*$
Name: nginx Name: nginx
Epoch: 1 Epoch: 1
Version: 1.20.1 Version: 1.22.1
Release: 14%{?dist}.1 Release: 1%{?dist}.1
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons
# BSD License (two clause) # BSD License (two clause)
# http://www.freebsd.org/copyright/freebsd-license.html # http://www.freebsd.org/copyright/freebsd-license.html
License: BSD License: BSD
URL: https://nginx.org URL: http://nginx.org/
Source0: https://nginx.org/download/nginx-%{version}.tar.gz Source0: https://nginx.org/download/nginx-%{version}.tar.gz
Source1: https://nginx.org/download/nginx-%{version}.tar.gz.asc
# Keys are found here: https://nginx.org/en/pgp_keys.html
Source2: https://nginx.org/keys/maxim.key
Source3: https://nginx.org/keys/mdounin.key
Source4: https://nginx.org/keys/sb.key
Source10: nginx.service Source10: nginx.service
Source11: nginx.logrotate Source11: nginx.logrotate
Source12: nginx.conf Source12: nginx.conf
@ -62,6 +47,7 @@ Source13: nginx-upgrade
Source14: nginx-upgrade.8 Source14: nginx-upgrade.8
Source15: macros.nginxmods.in Source15: macros.nginxmods.in
Source16: nginxmods.attr Source16: nginxmods.attr
Source17: nginxmods.req
Source102: nginx-logo.png Source102: nginx-logo.png
Source103: 404.html Source103: 404.html
Source104: 50x.html Source104: 50x.html
@ -70,62 +56,49 @@ Source210: UPGRADE-NOTES-1.6-to-1.10
# removes -Werror in upstream build scripts. -Werror conflicts with # removes -Werror in upstream build scripts. -Werror conflicts with
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch Patch0: nginx-auto-cc-gcc.patch
# downstream patch - fix PIDFile race condition (rhbz#1869026)
# rejected upstream: https://trac.nginx.org/nginx/ticket/1897
Patch1: 0002-fix-PIDFile-handling.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=1955564 # downstream patch - changing logs permissions to 664 instead
Patch2: 0003-Support-loading-cert-hardware-token-PKC.patch # previous 644
Patch1: nginx-1.14.0-logs-perm.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006822 # PKCS#11 engine fix
Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.patch Patch2: nginx-1.16.0-pkcs11.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420 # https://bugzilla.redhat.com/show_bug.cgi?id=1655530
Patch4: 0005-Init-openssl-engine-properly.patch Patch3: nginx-1.14.1-perl-module-hardening.patch
# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
Patch5: 0006-Fix-ALPACA-security-issue.patch Patch4: nginx-1.20.0-enable-tls1v3-by-default.patch
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2028781 # https://bugzilla.redhat.com/show_bug.cgi?id=1668717
Patch6: 0007-Enable-TLSv1.3-by-default.patch Patch5: nginx-1.18.0-pkcs11-cert.patch
# security fix - https://issues.redhat.com/browse/RHEL-12516 # https://issues.redhat.com/browse/RHEL-12726
Patch7: 0008-CVE-2023-44487-HTTP-2-per-iteration-stream-handling.patch Patch6: nginx-1.22-CVE-2023-44487.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
%if 0%{?with_gperftools} %if 0%{?with_gperftools}
BuildRequires: gperftools-devel BuildRequires: gperftools-devel
%endif %endif
%if 0%{?fedora} || 0%{?rhel} >= 8
BuildRequires: openssl-devel BuildRequires: openssl-devel
%else
BuildRequires: openssl11-devel
%endif
BuildRequires: pcre-devel BuildRequires: pcre-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release} Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
%if 0%{?el7} Requires: system-logos-httpd >= 82.0
# centos-logos el7 does not provide 'system-indexhtml'
Requires: system-logos redhat-indexhtml %if 0%{?rhel} > 0 && 0%{?rhel} < 8
# need to remove epel7 geoip sub-package, doesn't work anymore # Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
# https://bugzilla.redhat.com/show_bug.cgi?id=1576034 Requires: nginx-all-modules = %{epoch}:%{version}-%{release}
# https://bugzilla.redhat.com/show_bug.cgi?id=1664957
Obsoletes: nginx-mod-http-geoip <= 1:1.16
%else
Requires: system-logos-httpd
%endif %endif
Requires: openssl
Requires: pcre Requires: pcre
Provides: webserver Requires(pre): nginx-filesystem
%if 0%{?fedora} || 0%{?rhel} >= 8 %if 0%{?with_mailcap_mimetypes}
Recommends: logrotate Requires: nginx-mimetypes
%endif %endif
Requires: %{name}-core = %{epoch}:%{version}-%{release} Provides: webserver
BuildRequires: systemd BuildRequires: systemd
Requires(post): systemd Requires(post): systemd
@ -139,19 +112,8 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage. memory usage.
%package core
Summary: nginx minimal core
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
Requires: openssl-libs
Requires(pre): nginx-filesystem
Conflicts: nginx < 1:1.20.1-13
%description core
nginx minimal core
%package all-modules %package all-modules
Group: System Environment/Daemons
Summary: A meta package that installs all available Nginx modules Summary: A meta package that installs all available Nginx modules
BuildArch: noarch BuildArch: noarch
@ -165,9 +127,10 @@ Requires: nginx-mod-mail = %{epoch}:%{version}-%{release}
Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} Requires: nginx-mod-stream = %{epoch}:%{version}-%{release}
%description all-modules %description all-modules
Meta package that installs all available nginx modules. A meta package that installs all available Nginx modules.
%package filesystem %package filesystem
Group: System Environment/Daemons
Summary: The basic directory layout for the Nginx server Summary: The basic directory layout for the Nginx server
BuildArch: noarch BuildArch: noarch
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -179,6 +142,7 @@ directories.
%if %{with geoip} %if %{with geoip}
%package mod-http-geoip %package mod-http-geoip
Group: System Environment/Daemons
Summary: Nginx HTTP geoip module Summary: Nginx HTTP geoip module
BuildRequires: GeoIP-devel BuildRequires: GeoIP-devel
Requires: nginx(abi) = %{nginx_abiversion} Requires: nginx(abi) = %{nginx_abiversion}
@ -189,6 +153,7 @@ Requires: GeoIP
%endif %endif
%package mod-http-image-filter %package mod-http-image-filter
Group: System Environment/Daemons
Summary: Nginx HTTP image filter module Summary: Nginx HTTP image filter module
BuildRequires: gd-devel BuildRequires: gd-devel
Requires: nginx(abi) = %{nginx_abiversion} Requires: nginx(abi) = %{nginx_abiversion}
@ -198,9 +163,10 @@ Requires: gd
%{summary}. %{summary}.
%package mod-http-perl %package mod-http-perl
Group: System Environment/Daemons
Summary: Nginx HTTP perl module Summary: Nginx HTTP perl module
BuildRequires: perl-devel BuildRequires: perl-devel
%if 0%{?fedora} >= 24 || 0%{?rhel} >= 7 %if 0%{?fedora} >= 24
BuildRequires: perl-generators BuildRequires: perl-generators
%endif %endif
BuildRequires: perl(ExtUtils::Embed) BuildRequires: perl(ExtUtils::Embed)
@ -212,6 +178,7 @@ Requires: perl(constant)
%{summary}. %{summary}.
%package mod-http-xslt-filter %package mod-http-xslt-filter
Group: System Environment/Daemons
Summary: Nginx XSLT module Summary: Nginx XSLT module
BuildRequires: libxslt-devel BuildRequires: libxslt-devel
Requires: nginx(abi) = %{nginx_abiversion} Requires: nginx(abi) = %{nginx_abiversion}
@ -220,6 +187,7 @@ Requires: nginx(abi) = %{nginx_abiversion}
%{summary}. %{summary}.
%package mod-mail %package mod-mail
Group: System Environment/Daemons
Summary: Nginx mail modules Summary: Nginx mail modules
Requires: nginx(abi) = %{nginx_abiversion} Requires: nginx(abi) = %{nginx_abiversion}
@ -227,6 +195,7 @@ Requires: nginx(abi) = %{nginx_abiversion}
%{summary}. %{summary}.
%package mod-stream %package mod-stream
Group: System Environment/Daemons
Summary: Nginx stream modules Summary: Nginx stream modules
Requires: nginx(abi) = %{nginx_abiversion} Requires: nginx(abi) = %{nginx_abiversion}
@ -246,11 +215,7 @@ Requires: gperftools-devel
Requires: GeoIP-devel Requires: GeoIP-devel
%endif %endif
Requires: libxslt-devel Requires: libxslt-devel
%if 0%{?fedora} || 0%{?rhel} >= 8
Requires: openssl-devel Requires: openssl-devel
%else
Requires: openssl11-devel
%endif
Requires: pcre-devel Requires: pcre-devel
Requires: perl-devel Requires: perl-devel
Requires: perl(ExtUtils::Embed) Requires: perl(ExtUtils::Embed)
@ -261,10 +226,15 @@ Requires: zlib-devel
%prep %prep
# Combine all keys from upstream into one file %setup -q
cat %{S:2} %{S:3} %{S:4} > %{_builddir}/%{name}.gpg %patch0 -p0
%{gpgverify} --keyring='%{_builddir}/%{name}.gpg' --signature='%{SOURCE1}' --data='%{SOURCE0}' %patch1 -p1
%autosetup -p1 %patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
%if 0%{?rhel} > 0 && 0%{?rhel} < 8 %if 0%{?rhel} > 0 && 0%{?rhel} < 8
@ -272,13 +242,6 @@ sed -i -e 's#KillMode=.*#KillMode=process#g' nginx.service
sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' nginx.conf
%endif %endif
%if 0%{?rhel} == 7
sed \
-e 's|\(ngx_feature_path=\)$|\1%{_includedir}/openssl11|' \
-e 's|\(ngx_feature_libs="\)|\1-L%{_libdir}/openssl11 |' \
-i auto/lib/openssl/conf
%endif
# Prepare sources for installation # Prepare sources for installation
cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src
mv ../%{name}-%{version}-%{release}-src . mv ../%{name}-%{version}-%{release}-src .
@ -290,9 +253,7 @@ mv ../%{name}-%{version}-%{release}-src .
# to error out. This is is also the reason for the DESTDIR environment # to error out. This is is also the reason for the DESTDIR environment
# variable. # variable.
export DESTDIR=%{buildroot} export DESTDIR=%{buildroot}
# So the perl module finds its symbols: ./configure \
nginx_ldopts="$RPM_LD_FLAGS -Wl,-E"
if ! ./configure \
--prefix=%{_datadir}/nginx \ --prefix=%{_datadir}/nginx \
--sbin-path=%{_sbindir}/nginx \ --sbin-path=%{_sbindir}/nginx \
--modules-path=%{nginx_moduledir} \ --modules-path=%{nginx_moduledir} \
@ -308,56 +269,53 @@ if ! ./configure \
--lock-path=/run/lock/subsys/nginx \ --lock-path=/run/lock/subsys/nginx \
--user=%{nginx_user} \ --user=%{nginx_user} \
--group=%{nginx_user} \ --group=%{nginx_user} \
--with-compat \
--with-debug \
%if 0%{?with_aio} %if 0%{?with_aio}
--with-file-aio \ --with-file-aio \
%endif %endif
%if 0%{?with_gperftools} --with-http_ssl_module \
--with-google_perftools_module \ --with-http_v2_module \
%endif --with-http_realip_module \
--with-stream_ssl_preread_module \
--with-http_addition_module \ --with-http_addition_module \
--with-http_auth_request_module \ --with-http_xslt_module=dynamic \
--with-http_dav_module \ --with-http_image_filter_module=dynamic \
--with-http_degradation_module \
--with-http_flv_module \
%if %{with geoip} %if %{with geoip}
--with-http_geoip_module=dynamic \ --with-http_geoip_module=dynamic \
--with-stream_geoip_module=dynamic \
%endif %endif
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \ --with-http_gunzip_module \
--with-http_gzip_static_module \ --with-http_gzip_static_module \
--with-http_image_filter_module=dynamic \
--with-http_mp4_module \
--with-http_perl_module=dynamic \
--with-http_random_index_module \ --with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \ --with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \ --with-http_slice_module \
--with-http_ssl_module \
--with-http_stub_status_module \ --with-http_stub_status_module \
--with-http_sub_module \ --with-http_perl_module=dynamic \
--with-http_v2_module \ --with-http_auth_request_module \
--with-http_xslt_module=dynamic \
--with-mail=dynamic \ --with-mail=dynamic \
--with-mail_ssl_module \ --with-mail_ssl_module \
--with-pcre \ --with-pcre \
--with-pcre-jit \ --with-pcre-jit \
--with-stream=dynamic \ --with-stream=dynamic \
--with-stream_realip_module \
--with-stream_ssl_module \ --with-stream_ssl_module \
--with-stream_ssl_preread_module \ %if 0%{?with_gperftools}
--with-threads \ --with-google_perftools_module \
%endif
--with-debug \
--with-cc-opt="%{optflags} $(pcre-config --cflags)" \ --with-cc-opt="%{optflags} $(pcre-config --cflags)" \
--with-ld-opt="$nginx_ldopts"; then --with-compat \
: configure failed --with-ld-opt="$RPM_LD_FLAGS -Wl,-E" # so the perl module finds its symbols
cat objs/autoconf.err
exit 1
fi
%make_build make %{?_smp_mflags}
%install %install
%make_install INSTALLDIRS=vendor make install DESTDIR=%{buildroot} INSTALLDIRS=vendor
find %{buildroot} -type f -name .packlist -exec rm -f '{}' \; find %{buildroot} -type f -name .packlist -exec rm -f '{}' \;
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
@ -383,22 +341,12 @@ install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html
install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir} install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir}
install -p -d -m 0755 %{buildroot}%{nginx_moduledir} install -p -d -m 0755 %{buildroot}%{nginx_moduledir}
install -p -m 0644 ./nginx.conf \ install -p -m 0644 ./nginx.conf \
%{buildroot}%{_sysconfdir}/nginx %{buildroot}%{_sysconfdir}/nginx
rm -f %{buildroot}%{_datadir}/nginx/html/index.html rm -f %{buildroot}%{_datadir}/nginx/html/index.html
%if 0%{?el7}
ln -s ../../doc/HTML/index.html \
%{buildroot}%{_datadir}/nginx/html/index.html
ln -s ../../doc/HTML/img \
%{buildroot}%{_datadir}/nginx/html/img
ln -s ../../doc/HTML/en-US \
%{buildroot}%{_datadir}/nginx/html/en-US
%else
ln -s ../../testpage/index.html \ ln -s ../../testpage/index.html \
%{buildroot}%{_datadir}/nginx/html/index.html %{buildroot}%{_datadir}/nginx/html/index.html
%endif
install -p -m 0644 %{SOURCE102} \ install -p -m 0644 %{SOURCE102} \
%{buildroot}%{_datadir}/nginx/html %{buildroot}%{_datadir}/nginx/html
ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png ln -s nginx-logo.png %{buildroot}%{_datadir}/nginx/html/poweredby.png
@ -406,12 +354,7 @@ mkdir -p %{buildroot}%{_datadir}/nginx/html/icons
# Symlink for the powered-by-$DISTRO image: # Symlink for the powered-by-$DISTRO image:
ln -s ../../../pixmaps/poweredby.png \ ln -s ../../../pixmaps/poweredby.png \
%{buildroot}%{_datadir}/nginx/html/icons/poweredby.png %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png
%if 0%{?rhel} >= 9
ln -s ../../pixmaps/system-noindex-logo.png \
%{buildroot}%{_datadir}/nginx/html/system_noindex_logo.png
%endif
install -p -m 0644 %{SOURCE103} %{SOURCE104} \ install -p -m 0644 %{SOURCE103} %{SOURCE104} \
%{buildroot}%{_datadir}/nginx/html %{buildroot}%{_datadir}/nginx/html
@ -426,7 +369,7 @@ install -p -D -m 0644 %{_builddir}/nginx-%{version}/objs/nginx.8 \
install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade install -p -D -m 0755 %{SOURCE13} %{buildroot}%{_bindir}/nginx-upgrade
install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_mandir}/man8/nginx-upgrade.8 install -p -D -m 0644 %{SOURCE14} %{buildroot}%{_mandir}/man8/nginx-upgrade.8
for i in ftdetect ftplugin indent syntax; do for i in ftdetect indent syntax; do
install -p -D -m644 contrib/vim/${i}/nginx.vim \ install -p -D -m644 contrib/vim/${i}/nginx.vim \
%{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim
done done
@ -459,7 +402,7 @@ sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
%{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods
## Install dependency generator ## Install dependency generator
install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}
install -Dpm0755 -t %{buildroot}%{_rpmconfigdir} %{SOURCE17}
%pre filesystem %pre filesystem
@ -514,24 +457,21 @@ if [ $1 -ge 1 ]; then
fi fi
%files %files
%license LICENSE
%doc CHANGES README README.dynamic
%if 0%{?rhel} == 7 %if 0%{?rhel} == 7
%doc UPGRADE-NOTES-1.6-to-1.10 %doc UPGRADE-NOTES-1.6-to-1.10
%endif %endif
%{_datadir}/nginx/html/* %{_datadir}/nginx/html/*
%{_bindir}/nginx-upgrade %{_bindir}/nginx-upgrade
%{_sbindir}/nginx
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim %{_datadir}/vim/vimfiles/ftdetect/nginx.vim
%{_datadir}/vim/vimfiles/ftplugin/nginx.vim
%{_datadir}/vim/vimfiles/syntax/nginx.vim %{_datadir}/vim/vimfiles/syntax/nginx.vim
%{_datadir}/vim/vimfiles/indent/nginx.vim %{_datadir}/vim/vimfiles/indent/nginx.vim
%{_mandir}/man3/nginx.3pm* %{_mandir}/man3/nginx.3pm*
%{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx.8*
%{_mandir}/man8/nginx-upgrade.8* %{_mandir}/man8/nginx-upgrade.8*
%{_unitdir}/nginx.service %{_unitdir}/nginx.service
%files core
%license LICENSE
%doc CHANGES README README.dynamic
%{_sbindir}/nginx
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default %config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params %config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
@ -598,187 +538,114 @@ fi
%{nginx_moduleconfdir}/mod-stream.conf %{nginx_moduleconfdir}/mod-stream.conf
%{nginx_moduledir}/ngx_stream_module.so %{nginx_moduledir}/ngx_stream_module.so
%files mod-devel %files mod-devel
%{_rpmmacrodir}/macros.nginxmods %{_rpmmacrodir}/macros.nginxmods
%{_fileattrsdir}/nginxmods.attr %{_fileattrsdir}/nginxmods.attr
%{_rpmconfigdir}/nginxmods.req
%{nginx_srcdir}/ %{nginx_srcdir}/
%changelog %changelog
* Wed Oct 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14.1 * Wed Oct 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-1.1
- Resolves: RHEL-12516 - nginx: HTTP/2: Multiple HTTP/2 enabled web - Resolves: RHEL-12726 - nginx:1.22/nginx: HTTP/2: Multiple HTTP/2 enabled web
servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) servers are vulnerable to a DDoS attack (Rapid Reset Attack)(CVE-2023-44487)
* Thu Nov 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14
- Resolves: #2086527 - Fix logrotate config and nginx log dir permissions
* Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13 * Thu Dec 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.22.1-1
- Resolves: #2099752 - nginx minimisation for ubi-micro - Resolves: #2112345 - nginx:1.22 for RHEL 8
- add stream_geoip_module and stream_realip_module
- remove obsolete --with-ipv6
* Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11 * Tue Dec 21 2021 Joe Orton <jorton@redhat.com> - 1:1.20.1-1
- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9 - rebase to 1.20.1 (addressing CVE-2021-23017)
* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10 * Wed Dec 1 2021 Joe Orton <jorton@redhat.com> - 1:1.20.0-4
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol - add delaycompress to logrotate config (#2015243)
Confusion - Analyzing and Mitigating Cracks in TLS Authentication
* Thu Dec 2 2021 Joe Orton <jorton@redhat.com> - 1:1.20.1-9 * Fri Sep 10 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.0-3
- add delaycompress to logrotate config (#2015250) - Add -mod-devel subpackage for building external nginx modules (Neal Gompa)
Resolves: #1991787
* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-8 * Fri Aug 20 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.0-2
- Resolves: #2007019 - use proper wording in error pages - Resolves: #1991796 - build nginx with --with-compat
* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-7 * Wed May 05 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-1
- Resolves: #2006420 - Broken loading certificates from hardware token (PKCS#11) - new version 1.20.0
- Resolves: #1945671 - RFE: add nginx:1.20 module stream
* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-6 * Thu Nov 12 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-3
- Resolves: #2006822 - Hardening tests fail for nginx - Resolves: #1651377 - centralizing default index.html on nginx
- Resolves: #1825683 - Outdated Red Hat branding used in nginx default pages
* Tue Sep 21 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-5 * Wed Apr 22 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-2
- Add -mod-devel subpackage for building external nginx modules - new version 1.18.0
Resolves: rhbz#1991720 (Neal Gompa) - Resolves: #1668717 - [RFE] Support loading certificates from hardware token
(PKCS#11)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.20.1-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Aug 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-3
- Resolves: #1991600 - Add logo symlink required by new testpage
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.20.1-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-1
- new version 1.20.1
- Resolves: #1964814 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy()
when labels are followed by a pointer to a root domain name
* Fri Apr 30 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-5
- Resolves: #1955564 - [RFE] Support loading certificates from hardware
token (PKCS#11)
* Fri Apr 30 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-4
- Resolves: #1955560 - centralizing default index.html on nginx
* Mon Apr 26 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.20.0-3
- Resolve: #1953639 - Rebase nginx to 1.20
* Wed Apr 21 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.0-2
- sync rawhide and EPEL7 spec files again
- systemd service reload now checks config file (rhbz#1565377)
- drop nginx requirement on nginx-all-modules (rhbz#1708799)
- let nginx handle log creation on logrotate (rhbz#1683388)
- have log directory owned by root (rhbz#1390183, CVE-2016-1247)
- remove obsolete --with-ipv6 (src PR#8)
- correction: pcre2 is actually not supported by nginx, reintroduce pcre
* Wed Apr 21 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.0-1
- update to 1.20.0
- sync with mainline spec file
- order configure options alphabetically for easier comparinggit
- add --with-compat option (rhbz#1834452)
- add patch to fix PIDFile race condition (rhbz#1869026)
- use pcre2 instead of pcre (rhbz#1938984)
- add Wants=network-online.target to systemd unit (rhbz#1943779)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.18.0-6
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Feb 22 2021 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-5
- Resolves: #1931402 - drop gperftools module
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.18.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.18.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.18.0-2
- Perl 5.32 rebuild
* Fri Apr 24 2020 Felix Kaechele <heffer@fedoraproject.org> - 1:1.18.0-1
- Update to 1.18.0
- Increased types_hash_max_size to 4096 in default config - Increased types_hash_max_size to 4096 in default config
- Add gpg source verification
- Add Recommends: logrotate
- Drop location / from default config (rhbz#1564768) - Drop location / from default config (rhbz#1564768)
- Drop default_sever from default config (rhbz#1373822) - Drop default_sever from default config (rhbz#1373822)
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.16.1-2 * Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - update to 1.16.1
- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
* Sun Sep 15 2019 Warren Togami <warren@blockstream.com> of data request leads to denial of service
- add conditionals for EPEL7, see rhbz#1750857 - Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
PRIORITY frames resulting in excessive resource consumption
* Tue Aug 13 2019 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.16.1-1 - Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
- Update to upstream release 1.16.1 headers leads to denial of service
- Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.16.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.16.0-4
- Perl 5.30 rebuild
* Tue May 14 2019 Stephen Gallagher <sgallagh@redhat.com> - 1.16.0-3
- Move to common default index.html
- Resolves: rhbz#1636235
* Tue May 07 2019 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.16.0-2 * Wed Jun 26 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-2
- Add missing directory for vim plugin - Resolves: #1718929 - ssl_protocols config option has faulty behavior
in nginx:1.16
* Fri Apr 26 2019 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.16.0-1 * Mon May 06 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-1
- Update to upstream release 1.16.0 - new version 1.16.0
- enable ngx_stream_ssl_preread module
- main package does NOT require all-modules package
* Mon Mar 04 2019 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.15.9-1 * Wed Dec 12 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-8
- Update to upstream release 1.15.9 - enable TLS 1.3 by default (#1643647)
- Enable ngx_stream_ssl_preread module - TLSv1.0 and TLSv1.1 can be enabled now (#1644746)
- Remove redundant conditionals
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.14.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:1.14.1-4
- Rebuilt for libcrypt.so.2 (#1666033)
* Tue Dec 11 2018 Joe Orton <jorton@redhat.com> - 1:1.14.1-3 * Tue Dec 11 2018 Joe Orton <jorton@redhat.com> - 1:1.14.1-3
- fix unexpanded paths in nginx(8) - fix unexpanded paths in nginx(8) (#1643069)
* Mon Dec 03 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-2
- Resolves: #1655530 - Hardening tests fail for nginx
* Tue Nov 20 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.14.1-2 * Mon Nov 19 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-1
- new version 1.14.1 - new version 1.14.1
- Resolves: #1584426 - Upstream Nginx 1.14.0 is now available - Resolves: #1647257 - CVE-2018-16845 nginx: Denial of service and
- Resolves: #1647255 - CVE-2018-16845 nginx: Denial of service and memory memory disclosure via mp4 module
disclosure via mp4 module - Resolves: #1647262 - CVE-2018-16844 nginx: Excessive CPU usage
- Resolves: #1647259 - CVE-2018-16843 nginx: Excessive memory consumption
via flaw in HTTP/2 implementation via flaw in HTTP/2 implementation
- Resolves: #1647258 - CVE-2018-16844 nginx: Excessive CPU usage via flaw - Resolves: #1647263 - CVE-2018-16843 nginx: Excessive memory consumption
in HTTP/2 implementation via flaw in HTTP/2 implementation
* Wed Aug 8 2018 Joe Orton <jorton@redhat.com> - 1:1.14.0-3
- fix PKCS#11 support (Anderson Sasaki, #1545526)
* Mon Aug 06 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-14 * Mon Aug 06 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.0-2
- add requires on perl(constant) for mod-http-perl - add dependency on perl(constant)
* Mon Jul 30 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-13 * Mon Jul 30 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.14.0-1
- don't build with geoip by default - Resolves: #1558420 - directory permissions are now correct after processing
USR1 signal
- Resolves: #1601414 - nginx: drop GeoIP support
* Thu Jul 19 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-12 * Thu Jul 19 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-12
- add build conditional for geoip support - add build conditional for geoip support
* Mon Jul 16 2018 Tadej Janež <tadej.j@nez.si> - 1:1.12.1-11 * Thu May 03 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.14.0-1
- Add gcc to BuildRequires to account for - new version 1.14.0
https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.12.1-9 * Wed Apr 25 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-9
- Perl 5.28 rebuild - changed directory permissions (#1558420)
* Mon May 14 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-8 * Fri Mar 23 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-8
- Related: #1573942 - nginx fails on start - disable gperftools (#1496868)
* Wed May 02 2018 Luboš Uhliarik <luhliari@redhat.com> - 1:1.12.1-7 * Thu Mar 22 2018 Joe Orton <jorton@redhat.com> - 1:1.12.1-7
- Resolves: #1573942 - nginx fails on start - update branding (#1512565)
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.1-6 * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.12.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

Loading…
Cancel
Save