.gitignore

@@ -1,2 +1,2 @@
-SOURCES/nginx-1.14.1.tar.gz
+SOURCES/nginx-1.16.1.tar.gz
 SOURCES/poweredby.png

.nginx.metadata

@@ -1,2 +1,2 @@
-a9dc8c5b055a3f0021d09c112d27422f45dd439c SOURCES/nginx-1.14.1.tar.gz
+77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png

SOURCES/0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch

@@ -1,30 +0,0 @@
-From f446736d4f4c5f7ae81bb8bf84fda7ce3c9d49a0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Wed, 24 Jan 2018 12:37:48 +0100
-Subject: [PATCH] unix/ngx_user: Apply fix for really old bug in glibc libcrypt
- if needed
-
----
- src/os/unix/ngx_user.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
-index 7ebe2b57..d0fe9238 100644
---- a/src/os/unix/ngx_user.c
-+++ b/src/os/unix/ngx_user.c
-@@ -21,8 +21,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
-     struct crypt_data   cd;
- 
-     cd.initialized = 0;
--#ifdef __GLIBC__
--    /* work around the glibc bug */
-+#if (defined(__GLIBC__) && __GLIBC__ == 2) && \
-+    (defined(__GLIBC_MINOR__) && __GLIBC_MINOR__ >= 2 && __GLIBC_MINOR__ < 4)
-+    /* work around glibc-2.2.5 bug,
-+     * has been fixed at some time in glibc-2.3.X */
-     cd.current_salt[0] = ~salt[0];
- #endif
- 
--- 
-2.16.1
-

SOURCES/nginx-1.14.0-pkcs11.patch

@@ -1,42 +0,0 @@
-# HG changeset patch
-# User Anderson Sasaki <ansasaki@redhat.com>
-# Date 1533742801 -7200
-#      Wed Aug 08 17:40:01 2018 +0200
-# Node ID ae457c9b2967da1b05aefcf1e81c099e9375c0d7
-# Parent  ba971deb4b447662e3c47fcc860b34d43469162a
-SSL: added ENGINE_init() call before loading key.
-
-It is necessary to call ENGINE_init() before using an OpenSSL engine
-to get the engine functional reference.  Without this, when
-ENGINE_load_private_key() is called, the engine is still uninitialized.
-
-diff -r ba971deb4b44 -r ae457c9b2967 src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c	Tue Aug 07 02:16:07 2018 +0300
-+++ b/src/event/ngx_event_openssl.c	Wed Aug 08 17:40:01 2018 +0200
-@@ -533,6 +533,13 @@
-             return NGX_ERROR;
-         }
- 
-+        if (!ENGINE_init(engine)) {
-+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-+                          "ENGINE_init(\"%s\") failed", p);
-+            ENGINE_free(engine);
-+            return NGX_ERROR;
-+        }
-+
-         *last++ = ':';
- 
-         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
-@@ -540,10 +547,12 @@
-         if (pkey == NULL) {
-             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                           "ENGINE_load_private_key(\"%s\") failed", last);
-+            ENGINE_finish(engine);
-             ENGINE_free(engine);
-             return NGX_ERROR;
-         }
- 
-+        ENGINE_finish(engine);
-         ENGINE_free(engine);
- 
-         if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {

SOURCES/nginx-1.14.1-CVE-2019-9511.patch

@@ -1,70 +0,0 @@
-diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 12214e1..3b7f892 100644
---- a/src/http/v2/ngx_http_v2.c
-+++ b/src/http/v2/ngx_http_v2.c
-@@ -4335,6 +4335,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
-      */
-     pool = stream->pool;
- 
-+    h2c->frames -= stream->frames;
-+
-     ngx_http_free_request(stream->request, rc);
- 
-     if (pool != h2c->state.pool) {
-diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index bec2216..715b7d3 100644
---- a/src/http/v2/ngx_http_v2.h
-+++ b/src/http/v2/ngx_http_v2.h
-@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
- 
-     ngx_buf_t                       *preread;
- 
-+    ngx_uint_t                       frames;
-+
-     ngx_http_v2_out_frame_t         *free_frames;
-     ngx_chain_t                     *free_frame_headers;
-     ngx_chain_t                     *free_bufs;
-diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
-index 029e8ec..c7ee553 100644
---- a/src/http/v2/ngx_http_v2_filter_module.c
-+++ b/src/http/v2/ngx_http_v2_filter_module.c
-@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
- ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
-     size_t len, ngx_chain_t *first, ngx_chain_t *last)
- {
--    u_char                    flags;
--    ngx_buf_t                *buf;
--    ngx_chain_t              *cl;
--    ngx_http_v2_out_frame_t  *frame;
-+    u_char                     flags;
-+    ngx_buf_t                 *buf;
-+    ngx_chain_t               *cl;
-+    ngx_http_v2_out_frame_t   *frame;
-+    ngx_http_v2_connection_t  *h2c;
- 
-     frame = stream->free_frames;
-+    h2c = stream->connection;
- 
-     if (frame) {
-         stream->free_frames = frame->next;
- 
--    } else {
-+    } else if (h2c->frames < 10000) {
-         frame = ngx_palloc(stream->request->pool,
-                            sizeof(ngx_http_v2_out_frame_t));
-         if (frame == NULL) {
-             return NULL;
-         }
-+
-+        stream->frames++;
-+        h2c->frames++;
-+
-+    } else {
-+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+                      "http2 flood detected");
-+
-+        h2c->connection->error = 1;
-+        return NULL;
-     }
- 
-     flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;

SOURCES/nginx-1.14.1-CVE-2019-9513.patch

@@ -1,47 +0,0 @@
-diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 3b7f892..0aaea47 100644
---- a/src/http/v2/ngx_http_v2.c
-+++ b/src/http/v2/ngx_http_v2.c
-@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
-     h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
- 
-     h2c->concurrent_pushes = h2scf->concurrent_pushes;
-+    h2c->priority_limit = h2scf->concurrent_streams;
- 
-     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
-     if (h2c->pool == NULL) {
-@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
-         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
-     }
- 
-+    if (--h2c->priority_limit == 0) {
-+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+                      "client sent too many PRIORITY frames");
-+
-+        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
-+    }
-+
-     if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
-         return ngx_http_v2_state_save(h2c, pos, end,
-                                       ngx_http_v2_state_priority);
-@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
-         h2c->processing++;
-     }
- 
-+    h2c->priority_limit += h2scf->concurrent_streams;
-+
-     return stream;
- }
- 
-diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 715b7d3..69d55d1 100644
---- a/src/http/v2/ngx_http_v2.h
-+++ b/src/http/v2/ngx_http_v2.h
-@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
-     ngx_uint_t                       processing;
-     ngx_uint_t                       frames;
-     ngx_uint_t                       idle;
-+    ngx_uint_t                       priority_limit;
- 
-     ngx_uint_t                       pushing;
-     ngx_uint_t                       concurrent_pushes;

SOURCES/nginx-1.14.1-CVE-2019-9516.patch

@@ -1,30 +0,0 @@
-diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index 0aaea47..fd6ecb0 100644
---- a/src/http/v2/ngx_http_v2.c
-+++ b/src/http/v2/ngx_http_v2.c
-@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
-         header->name.len = h2c->state.field_end - h2c->state.field_start;
-         header->name.data = h2c->state.field_start;
- 
-+        if (header->name.len == 0) {
-+            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+                          "client sent zero header name length");
-+
-+            return ngx_http_v2_connection_error(h2c,
-+                                                NGX_HTTP_V2_PROTOCOL_ERROR);
-+        }
-+
-         return ngx_http_v2_state_field_len(h2c, pos, end);
-     }
- 
-@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
-     ngx_uint_t                 i;
-     ngx_http_core_srv_conf_t  *cscf;
- 
--    if (header->name.len == 0) {
--        return NGX_ERROR;
--    }
--
-     r->invalid_header = 0;
- 
-     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch

@@ -1,8 +1,8 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 570abd7..ac37936 100644
+index 345914f..d23967f 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
-@@ -232,6 +232,8 @@ ngx_ssl_init(ngx_log_t *log)
+@@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
  ngx_int_t
  ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
  {
@@ -11,34 +11,16 @@ index 570abd7..ac37936 100644
      ssl->ctx = SSL_CTX_new(SSLv23_method());
  
      if (ssl->ctx == NULL) {
-@@ -296,39 +298,53 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
  
      SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
  
--#ifdef SSL_CTRL_CLEAR_OPTIONS
+-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
 -    /* only in 0.9.8m+ */
 -    SSL_CTX_clear_options(ssl->ctx,
 -                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
-+    if (protocols){
+-#endif
-+#ifdef SSL_OP_NO_TLSv1_3
+-
-+        if (protocols & NGX_SSL_TLSv1_3) {
-+            prot = TLS1_3_VERSION;
-+        } else
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
-+        if (protocols & NGX_SSL_TLSv1_2) {
-+            prot =  TLS1_2_VERSION;
-+        } else
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_1
-+        if (protocols & NGX_SSL_TLSv1_1) {
-+            prot = TLS1_1_VERSION;
-+        } else
- #endif
-+        if (protocols & NGX_SSL_TLSv1) {
-+            prot = TLS1_VERSION;
-+        }
- 
 -    if (!(protocols & NGX_SSL_SSLv2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
 -    }
@@ -48,12 +30,49 @@ index 570abd7..ac37936 100644
 -    if (!(protocols & NGX_SSL_TLSv1)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
 -    }
+-#ifdef SSL_OP_NO_TLSv1_1
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    if (!(protocols & NGX_SSL_TLSv1_1)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    }
++    if (protocols){
++#ifdef SSL_OP_NO_TLSv1_3
++        if (protocols & NGX_SSL_TLSv1_3) {
++            prot = TLS1_3_VERSION;
++        } else
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    if (!(protocols & NGX_SSL_TLSv1_2)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+-    }
++        if (protocols & NGX_SSL_TLSv1_2) {
++            prot =  TLS1_2_VERSION;
++        } else
+ #endif
+-#ifdef SSL_OP_NO_TLSv1_3
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+-    if (!(protocols & NGX_SSL_TLSv1_3)) {
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+-    }
++#ifdef SSL_OP_NO_TLSv1_1
++        if (protocols & NGX_SSL_TLSv1_1) {
++            prot = TLS1_1_VERSION;
++        } else
+ #endif
++        if (protocols & NGX_SSL_TLSv1) {
++            prot = TLS1_VERSION;
++        }
++
 +        if (prot == NGX_SSL_NO_PROT) {
 +                    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 +                      "No SSL protocols available [hint: ssl_protocols]");
 +            return NGX_ERROR;
 +        }
-+
+ 
+-#ifdef SSL_CTX_set_min_proto_version
+-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
 +        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
 +
 +        /* Now, we have to scan for minimal protocol version,
@@ -62,40 +81,31 @@ index 570abd7..ac37936 100644
 +        if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
 +            prot = TLS1_2_VERSION;
 +        }
-+#endif
+ #endif
- #ifdef SSL_OP_NO_TLSv1_1
+ 
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-#ifdef TLS1_3_VERSION
--    if (!(protocols & NGX_SSL_TLSv1_1)) {
+-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
--    }
++#ifdef SSL_OP_NO_TLSv1_1
 +        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
 +            prot = TLS1_1_VERSION;
 +        }
- #endif
++#endif
- #ifdef SSL_OP_NO_TLSv1_2
++#ifdef SSL_OP_NO_TLSv1_2
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
--    if (!(protocols & NGX_SSL_TLSv1_2)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
--    }
 +        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
 +            prot = TLS1_VERSION;
 +        }
  #endif
--#ifdef SSL_OP_NO_TLSv1_3
--    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
--    if (!(protocols & NGX_SSL_TLSv1_3)) {
--        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 +        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
-     }
++    }
--#endif
  
  #ifdef SSL_OP_NO_COMPRESSION
      SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index 623d851..6f3d7ee 100644
+index 61da0c5..fa7ac41 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -132,6 +132,7 @@ typedef struct {
+@@ -145,6 +145,7 @@ typedef struct {
  #endif
  
  
@@ -104,11 +114,11 @@ index 623d851..6f3d7ee 100644
  #define NGX_SSL_SSLv3    0x0004
  #define NGX_SSL_TLSv1    0x0008
 diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
-index 7d62176..f9ef07d 100644
+index b3f8f47..8340a12 100644
 --- a/src/http/modules/ngx_http_ssl_module.c
 +++ b/src/http/modules/ngx_http_ssl_module.c
-@@ -590,8 +588,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -613,8 +613,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
-                          prev->prefer_server_ciphers, 0);
+     ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
  
      ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 -                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@@ -118,10 +128,10 @@ index 7d62176..f9ef07d 100644
      ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
                           NGX_SSL_BUFSIZE);
 diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
-index aebd179..50c7023 100644
+index 5544f75..3316a4b 100644
 --- a/src/mail/ngx_mail_ssl_module.c
 +++ b/src/mail/ngx_mail_ssl_module.c
-@@ -285,8 +283,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -291,8 +291,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                           prev->prefer_server_ciphers, 0);
  
      ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
@@ -132,10 +142,10 @@ index aebd179..50c7023 100644
      ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
      ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
-index 3e5a1f2..c8fce57 100644
+index ec9524e..37af046 100644
 --- a/src/stream/ngx_stream_ssl_module.c
 +++ b/src/stream/ngx_stream_ssl_module.c
-@@ -554,8 +552,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -625,8 +625,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                           prev->prefer_server_ciphers, 0);
  
      ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,

SOURCES/nginx-1.16.0-pkcs11.patch

@@ -0,0 +1,29 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 7be4fb4..ab3865a 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -727,16 +727,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
+             return NULL;
+         }
+ 
++        if (!ENGINE_init(engine)) {
++            *err = "ENGINE_init() failed";
++            ENGINE_free(engine);
++            return NULL;
++        }
++
+         *last++ = ':';
+ 
+         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+ 
+         if (pkey == NULL) {
+             *err = "ENGINE_load_private_key() failed";
++            ENGINE_finish(engine);
+             ENGINE_free(engine);
+             return NULL;
+         }
+ 
++        ENGINE_finish(engine);
+         ENGINE_free(engine);
+ 
+         return pkey;

SPECS/nginx.spec

@@ -18,8 +18,8 @@
 
 Name:              nginx
 Epoch:             1
-Version:           1.14.1
+Version:           1.16.1
-Release:           9%{?dist}
+Release:           1%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@@ -46,30 +46,18 @@ Source210:         UPGRADE-NOTES-1.6-to-1.10
 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
 Patch0:            nginx-auto-cc-gcc.patch
 
-# Apply fix for bug in glibc libcrypt, if needed only.
-# That has been fixed some time in glibc-2.3.X and is
-# not needed with libxcrypt anyways.
-Patch1:            0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
-
 # downstream patch - changing logs permissions to 664 instead
 # previous 644
-Patch2:            nginx-1.14.0-logs-perm.patch
+Patch1:            nginx-1.14.0-logs-perm.patch
 
 # PKCS#11 engine fix
-Patch3:            nginx-1.14.0-pkcs11.patch
+Patch2:            nginx-1.16.0-pkcs11.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1655530
-Patch4:            nginx-1.14.1-perl-module-hardening.patch
+Patch3:            nginx-1.14.1-perl-module-hardening.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
-Patch5:            nginx-1.14.1-enable-tls1v3-by-default.patch
+Patch4:            nginx-1.16.0-enable-tls1v3-by-default.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=1741860
-# https://bugzilla.redhat.com/show_bug.cgi?id=1735741
-# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
-Patch200: nginx-1.14.1-CVE-2019-9511.patch
-Patch201: nginx-1.14.1-CVE-2019-9513.patch
-Patch202: nginx-1.14.1-CVE-2019-9516.patch
 
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
@@ -80,7 +68,7 @@ BuildRequires:     zlib-devel
 
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release}
 
-%if 0%{?rhel} || 0%{?fedora} < 24
+%if 0%{?rhel} > 0 && 0%{?rhel} < 8
 # Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
 Requires:          nginx-all-modules = %{epoch}:%{version}-%{release}
 %endif
@@ -118,15 +106,7 @@ Requires:          nginx-mod-mail = %{epoch}:%{version}-%{release}
 Requires:          nginx-mod-stream = %{epoch}:%{version}-%{release}
 
 %description all-modules
-%{summary}.
+A meta package that installs all available Nginx modules.
-%if 0%{?rhel}
-The main nginx package depends on this to ease the upgrade path. After a grace
-period of several months, modules will become optional.
-%endif
-%if 0%{?fedora} && 0%{?fedora} < 24
-The main nginx package depends on this to ease the upgrade path. Starting from
-Fedora 24, modules are optional.
-%endif
 
 %package filesystem
 Group:             System Environment/Daemons
@@ -209,11 +189,6 @@ Requires:          nginx
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
-
-%patch200 -p1
-%patch201 -p1
-%patch202 -p1
 
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
 
@@ -252,6 +227,7 @@ export DESTDIR=%{buildroot}
     --with-http_ssl_module \
     --with-http_v2_module \
     --with-http_realip_module \
+    --with-stream_ssl_preread_module \
     --with-http_addition_module \
     --with-http_xslt_module=dynamic \
     --with-http_image_filter_module=dynamic \
@@ -485,14 +461,24 @@ fi
 
 
 %changelog
-* Fri Aug 30 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-9
+* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
-- Resolves: #1744811 - CVE-2019-9511 nginx:1.14/nginx: HTTP/2: large amount of
+- update to 1.16.1
-  data request leads to denial of service
+- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
-- Resolves: #1744325 - CVE-2019-9513 nginx:1.14/nginx: HTTP/2: flood using
+  of data request leads to denial of service
+- Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
   PRIORITY frames resulting in excessive resource consumption
-- Resolves: #1745094 - CVE-2019-9516 nginx:1.14/nginx: HTTP/2: 0-length
+- Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
   headers leads to denial of service
 
+* Wed Jun 26 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-2
+- Resolves: #1718929 - ssl_protocols config option has faulty behavior
+  in nginx:1.16
+
+* Mon May 06 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-1
+- new version 1.16.0
+- enable ngx_stream_ssl_preread module
+- main package does NOT require all-modules package
+
 * Wed Dec 12 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-8
 - enable TLS 1.3 by default (#1643647)
 - TLSv1.0 and TLSv1.1 can be enabled now (#1644746)