Debrand for AlmaLinux

2026-05-20 01:49:05 +00:00 · 2026-05-20 01:49:05 +00:00 · 5fbb99cee3
commit 5fbb99cee3
parent 9fe288829e c59f11a339
9 changed files with 86 additions and 23 deletions
--- a/SOURCES/0014-Clarify-binding-behavior-of-t-option.patch
+++ b/SOURCES/0014-Clarify-binding-behavior-of-t-option.patch
@ -0,0 +1,37 @@
+From dc847f7aedf0b4f8bbf9d7f9ba983541c6ca88c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Tue, 20 Jan 2026 19:27:05 +0100
+Subject: [PATCH] Clarify binding behavior of -t option.
+
+Configuration testing includes binding to configured listen addresses
+when opening referenced files.
+---
+ man/nginx.8 | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/man/nginx.8 b/man/nginx.8
+index 10db3e6..64d9ae7 100644
+--- a/man/nginx.8
+++ b/man/nginx.8
+@@ -25,7 +25,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\"
+-.Dd November 5, 2020
+.Dd January 21, 2026
+ .Dt NGINX 8
+ .Os
+ .Sh NAME
+@@ -98,7 +98,8 @@ but additionally dump configuration files to standard output.
+ Do not run, just test the configuration file.
+ .Nm
+ checks the configuration file syntax and then tries to open files
+-referenced in the configuration file.
+referenced in the configuration file, including binding to configured
+listen addresses.
+ .It Fl V
+ Print the
+ .Nm
+-- 
+2.44.0
+
--- a/SOURCES/0015-Upstream-detect-premature-plain-text-response-from-S.patch
+++ b/SOURCES/0015-Upstream-detect-premature-plain-text-response-from-S.patch
--- a/SOURCES/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+++ b/SOURCES/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
--- a/SOURCES/0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
+++ b/SOURCES/0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
--- a/SOURCES/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
+++ b/SOURCES/0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
--- a/SOURCES/0019-Mp4-avoid-zero-size-buffers-in-output.patch
+++ b/SOURCES/0019-Mp4-avoid-zero-size-buffers-in-output.patch
--- a/SOURCES/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+++ b/SOURCES/0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
@ -1,4 +1,4 @@
-From 63301166f15b8e696e25a63e3b8fc1984f5e630e Mon Sep 17 00:00:00 2001
+From 3a743478999c0e2a021855f1685caedfa8b7ace6 Mon Sep 17 00:00:00 2001
 From: Roman Arutyunyan <arut@nginx.com>
 Date: Wed, 22 Apr 2026 09:39:31 +0400
 Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
--- a/SOURCES/nginx.tmpfiles
+++ b/SOURCES/nginx.tmpfiles
@ -0,0 +1,4 @@
+d /var/lib/nginx     770 nginx root -
+d /var/lib/nginx/tmp 770 nginx root -
+d /var/log/nginx     711 root  root -
+
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           24%{?dist}.3.alma.1
+Release:           28%{?dist}.2.alma.1

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -63,6 +63,7 @@ Source14:          nginx-upgrade.8
 Source15:          macros.nginxmods.in
 Source16:          nginxmods.attr
 Source17:          nginx.sysusers
+Source18:          nginx.tmpfiles
 Source102:         nginx-logo.png
 Source103:         404.html
 Source104:         50x.html
@ -114,30 +115,34 @@ Patch12:           0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch
 # upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966
 Patch13:           0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch

+# https://issues.redhat.com/browse/RHEL-113229
+# upstream patch - https://github.com/nginx/nginx/pull/1089
+Patch14:           0014-Clarify-binding-behavior-of-t-option.patch
+
 # https://issues.redhat.com/browse/RHEL-146516
 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
-Patch14:           0014-Upstream-detect-premature-plain-text-response-from-S.patch
+Patch15:           0015-Upstream-detect-premature-plain-text-response-from-S.patch

-# https://redhat.atlassian.net/browse/RHEL-159557
+# https://redhat.atlassian.net/browse/RHEL-159560
 # upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
 # whitespace were removed from the patch
-Patch15:           0015-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+Patch16:           0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch

-# https://redhat.atlassian.net/browse/RHEL-159536
+# https://redhat.atlassian.net/browse/RHEL-159539
 # upstream patch - https://github.com/nginx/nginx/commit/3568812cf98df
-Patch16:           0016-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch
+Patch17:           0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.patch

-# https://redhat.atlassian.net/browse/RHEL-159444
+# https://redhat.atlassian.net/browse/RHEL-159447
 # upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
-Patch17:           0017-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
+Patch18:           0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch

-# https://redhat.atlassian.net/browse/RHEL-157885
+# https://redhat.atlassian.net/browse/RHEL-157888
 # upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
-Patch18:           0018-Mp4-avoid-zero-size-buffers-in-output.patch
+Patch19:           0019-Mp4-avoid-zero-size-buffers-in-output.patch

 # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2026-42945
 # upstream patch - https://github.com/nginx/nginx/commit/524977e7
-Patch19:           0019-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch
+Patch20:           0020-Rewrite-fixed-escaping-and-possible-buffer-overrun.patch

 BuildRequires:     make
 BuildRequires:     gcc
@ -433,6 +438,8 @@ install -p -m 0644 ./nginx.conf \
    %{buildroot}%{_sysconfdir}/nginx

 rm -f %{buildroot}%{_datadir}/nginx/html/index.html
+rm -f %{buildroot}%{_datadir}/nginx/html/50x.html
+
 %if 0%{?el7}
 ln -s ../../doc/HTML/index.html \
      %{buildroot}%{_datadir}/nginx/html/index.html
@ -508,6 +515,10 @@ install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}
 # install sysusers file
 install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf

+# tmpfiles.d configuration
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 644 -p %{SOURCE18} %{buildroot}%{_tmpfilesdir}/nginx.conf
+
 %pre filesystem
 %sysusers_create_compat %{SOURCE17}

@ -595,6 +606,7 @@ fi
 %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx
 %attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp
 %attr(711,root,root) %dir %{_localstatedir}/log/nginx
+%{_tmpfilesdir}/nginx.conf
 %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log
 %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log
 %dir %{nginx_moduledir}
@ -648,22 +660,32 @@ fi


 %changelog
-* Mon May 18 2026 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-24.3.alma.1
+* Wed May 20 2026 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-28.2.alma.1
 - Debrand for AlmaLinux

-* Thu May 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24.3
- Resolves: RHEL-176230 - nginx: NGINX: Arbitrary Code Execution
+* Thu May 14 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28.2
+- Resolves: RHEL-176232 - nginx: NGINX: Arbitrary Code Execution
  Vulnerability (CVE-2026-42945)

-* Tue Mar 31 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.20.1-24.2
- Resolves: RHEL-159557 - CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module
- Resolves: RHEL-159536 - CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file
- Resolves: RHEL-159444 - CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-157885 - CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files
+* Fri Mar 27 2026 Zdenek Dohnal <zdohnal@redhat.com> - 2:1.20.1-28.1
+- RHEL-159560 CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module
+- RHEL-159539 CVE-2026-27784 nginx: NGINX: Denial of Service due to memory corruption via crafted MP4 file
+- RHEL-159447 CVE-2026-27651 nginx: NGINX: Denial of Service via undisclosed requests when ngx_mail_auth_http_module is enabled
+- RHEL-157888 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files

-* Thu Feb 19 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24.1
- Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle
-  attack on TLS proxied connections (CVE-2026-1642)
+* Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
+- Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via
+  man-in-the-middle attack on TLS proxied connection
+
+* Thu Jan 29 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-27
+- Resolves: RHEL-145177 - Clarify binding behavior of -t option
+
+* Thu Nov 20 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-26
+- Resolves: RHEL-102548 - Remove 50x.html for nginx 1.26
+
+* Wed Nov 19 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-25
+- Resolves: RHEL-114935 - Image mode: The dir /var/lib and /var/log
+  is not created when updating system in image mode

 * Wed May 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24
 - Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause