import nginx-1.18.0-3.module+el8.4.0+11152+f736ed63.1

SOURCES/nginx-1.18.0-CVE-2021-23017.patch

@@ -0,0 +1,24 @@
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index e51712c..4e75ab8 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -3993,15 +3993,15 @@ done:
+             n = *src++;
+ 
+         } else {
++            if (dst != name->data) {
++                *dst++ = '.';
++            }
++
+             ngx_strlow(dst, src, n);
+             dst += n;
+             src += n;
+ 
+             n = *src++;
+-
+-            if (n != 0) {
+-                *dst++ = '.';
+-            }
+         }
+ 
+         if (n == 0) {

SPECS/nginx.spec

@@ -19,7 +19,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.18.0
-Release:           3%{?dist}
+Release:           3%{?dist}.1
 
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@@ -60,6 +60,9 @@ Patch4:            nginx-1.16.0-enable-tls1v3-by-default.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1668717
 Patch5:            nginx-1.18.0-pkcs11-cert.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1963121
+Patch6:            nginx-1.18.0-CVE-2021-23017.patch
+
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
 %endif
@@ -192,6 +195,7 @@ Requires:          nginx
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
 
@@ -473,6 +477,11 @@ fi
 
 
 %changelog
+* Tue May 25 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.18.0-3.1
+- Resolves: #1963178 - CVE-2021-23017 nginx:1.18/nginx: Off-by-one in
+  ngx_resolver_copy() when labels are followed by a pointer to a root
+  domain name
+
 * Thu Nov 12 2020 Lubos Uhliarik <luhliari@redhat.com> - 1:1.18.0-3
 - Resolves: #1651377 - centralizing default index.html on nginx
 - Resolves: #1825683 - Outdated Red Hat branding used in nginx default pages