AlmaLinux changes
This commit is contained in:
commit
28e6f57f44
96
SOURCES/0006-Fix-ALPACA-security-issue.patch
Normal file
96
SOURCES/0006-Fix-ALPACA-security-issue.patch
Normal file
@ -0,0 +1,96 @@
|
||||
From ee8ea4f1c88a0393206769cd30a545dc3375f868 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Wed, 2 Feb 2022 20:14:55 +0100
|
||||
Subject: [PATCH] Fix ALPACA security issue
|
||||
|
||||
---
|
||||
src/mail/ngx_mail.h | 3 +++
|
||||
src/mail/ngx_mail_core_module.c | 10 ++++++++++
|
||||
src/mail/ngx_mail_handler.c | 15 ++++++++++++++-
|
||||
3 files changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
|
||||
index b865a3b..76cae37 100644
|
||||
--- a/src/mail/ngx_mail.h
|
||||
+++ b/src/mail/ngx_mail.h
|
||||
@@ -115,6 +115,8 @@ typedef struct {
|
||||
ngx_msec_t timeout;
|
||||
ngx_msec_t resolver_timeout;
|
||||
|
||||
+ ngx_uint_t max_errors;
|
||||
+
|
||||
ngx_str_t server_name;
|
||||
|
||||
u_char *file_name;
|
||||
@@ -231,6 +233,7 @@ typedef struct {
|
||||
ngx_uint_t command;
|
||||
ngx_array_t args;
|
||||
|
||||
+ ngx_uint_t errors;
|
||||
ngx_uint_t login_attempt;
|
||||
|
||||
/* used to parse POP3/IMAP/SMTP command */
|
||||
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
|
||||
index 4083124..115671c 100644
|
||||
--- a/src/mail/ngx_mail_core_module.c
|
||||
+++ b/src/mail/ngx_mail_core_module.c
|
||||
@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
|
||||
offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
|
||||
NULL },
|
||||
|
||||
+ { ngx_string("max_errors"),
|
||||
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
|
||||
+ ngx_conf_set_num_slot,
|
||||
+ NGX_MAIL_SRV_CONF_OFFSET,
|
||||
+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
|
||||
+ NULL },
|
||||
+
|
||||
ngx_null_command
|
||||
};
|
||||
|
||||
@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
|
||||
cscf->timeout = NGX_CONF_UNSET_MSEC;
|
||||
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
|
||||
|
||||
+ cscf->max_errors = NGX_CONF_UNSET_UINT;
|
||||
+
|
||||
cscf->resolver = NGX_CONF_UNSET_PTR;
|
||||
|
||||
cscf->file_name = cf->conf_file->file.name.data;
|
||||
@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
|
||||
30000);
|
||||
|
||||
+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
|
||||
|
||||
ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
|
||||
|
||||
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
|
||||
index 0aaa0e7..71b8151 100644
|
||||
--- a/src/mail/ngx_mail_handler.c
|
||||
+++ b/src/mail/ngx_mail_handler.c
|
||||
@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c)
|
||||
return NGX_MAIL_PARSE_INVALID_COMMAND;
|
||||
}
|
||||
|
||||
- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
|
||||
+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
|
||||
+
|
||||
+ s->errors++;
|
||||
+
|
||||
+ if (s->errors >= cscf->max_errors) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
|
||||
+ "client sent too many invalid commands");
|
||||
+ s->quit = 1;
|
||||
+ }
|
||||
+
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ if (rc == NGX_IMAP_NEXT) {
|
||||
return rc;
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -41,7 +41,7 @@
|
||||
Name: nginx
|
||||
Epoch: 1
|
||||
Version: 1.20.1
|
||||
Release: 9%{?dist}.alma
|
||||
Release: 10%{?dist}.alma
|
||||
|
||||
Summary: A high performance web server and reverse proxy server
|
||||
# BSD License (two clause)
|
||||
@ -85,6 +85,9 @@ Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.pat
|
||||
# downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420
|
||||
Patch4: 0005-Init-openssl-engine-properly.patch
|
||||
|
||||
# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623
|
||||
Patch5: 0006-Fix-ALPACA-security-issue.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
@ -584,9 +587,13 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 18 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-9.alma
|
||||
* Tue Jan 18 2022 Eduard Abdullin <eabdullin@almalinux.org> - 1:1.20.1-10.alma
|
||||
- Debrand for AlmaLinux
|
||||
|
||||
* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
|
||||
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
|
||||
Confusion - Analyzing and Mitigating Cracks in TLS Authentication
|
||||
|
||||
* Thu Dec 2 2021 Joe Orton <jorton@redhat.com> - 1:1.20.1-9
|
||||
- add delaycompress to logrotate config (#2015250)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user