New version 1.26.3

Resolves: RHEL-78233 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability
Luboš Uhliarik 2025-02-06 21:31:00 +01:00
parent 3ac52f1966
commit 90d4dba563
3 changed files with 4 additions and 285 deletions


@ -1,276 +0,0 @@
diff -ru nginx-1.26.2/auto/lib/zlib/conf nginx-1.26.2-zlib-ng/auto/lib/zlib/conf
--- nginx-1.26.2/auto/lib/zlib/conf 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/auto/lib/zlib/conf 2024-10-18 13:59:33.218699818 +0200
@@ -33,8 +33,8 @@
*)
have=NGX_ZLIB . auto/have
- LINK_DEPS="$LINK_DEPS $ZLIB/libz.a"
- CORE_LIBS="$CORE_LIBS $ZLIB/libz.a"
+ LINK_DEPS="$LINK_DEPS $ZLIB/libz-ng.a"
+ CORE_LIBS="$CORE_LIBS $ZLIB/libz-ng.a"
#CORE_LIBS="$CORE_LIBS -L $ZLIB -lz"
;;
@@ -50,10 +50,10 @@
ngx_feature="zlib library"
ngx_feature_name="NGX_ZLIB"
ngx_feature_run=no
- ngx_feature_incs="#include <zlib.h>"
+ ngx_feature_incs="#include <zlib-ng.h>"
ngx_feature_path=
- ngx_feature_libs="-lz"
- ngx_feature_test="z_stream z; deflate(&z, Z_NO_FLUSH)"
+ ngx_feature_libs="-lz-ng"
+ ngx_feature_test="zng_stream z; zng_deflate(&z, Z_NO_FLUSH)"
. auto/feature
diff -ru nginx-1.26.2/src/core/ngx_config.h nginx-1.26.2-zlib-ng/src/core/ngx_config.h
--- nginx-1.26.2/src/core/ngx_config.h 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/src/core/ngx_config.h 2024-10-18 14:26:37.446504000 +0200
@@ -141,5 +141,9 @@
#endif
+/* Force enable ZLIB-NG */
+#ifndef NGX_ZLIB_NG
+#define NGX_ZLIB_NG 1
+#endif
#endif /* _NGX_CONFIG_H_INCLUDED_ */
diff -ru nginx-1.26.2/src/http/modules/ngx_http_gunzip_filter_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gunzip_filter_module.c
--- nginx-1.26.2/src/http/modules/ngx_http_gunzip_filter_module.c 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gunzip_filter_module.c 2024-10-18 13:59:33.218699818 +0200
@@ -10,7 +10,14 @@
#include <ngx_core.h>
#include <ngx_http.h>
-#include <zlib.h>
+#if defined(NGX_ZLIB_NG)
+# include <zlib-ng.h>
+# define ZPREFIX(x) zng_ ## x
+# define z_stream zng_stream
+#elif defined(NGX_ZLIB)
+# include <zlib.h>
+# define ZPREFIX(x) x
+#endif
typedef struct {
@@ -312,7 +319,7 @@
ctx->zstream.opaque = ctx;
/* windowBits +16 to decode gzip, zlib 1.2.0.4+ */
- rc = inflateInit2(&ctx->zstream, MAX_WBITS + 16);
+ rc = ZPREFIX(inflateInit2)(&ctx->zstream, MAX_WBITS + 16);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
@@ -435,7 +442,7 @@
ctx->zstream.avail_in, ctx->zstream.avail_out,
ctx->flush, ctx->redo);
- rc = inflate(&ctx->zstream, ctx->flush);
+ rc = ZPREFIX(inflate)(&ctx->zstream, ctx->flush);
if (rc != Z_OK && rc != Z_STREAM_END && rc != Z_BUF_ERROR) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -533,7 +540,7 @@
if (rc == Z_STREAM_END && ctx->zstream.avail_in > 0) {
- rc = inflateReset(&ctx->zstream);
+ rc = ZPREFIX(inflateReset)(&ctx->zstream);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
@@ -584,7 +591,7 @@
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"gunzip inflate end");
- rc = inflateEnd(&ctx->zstream);
+ rc = ZPREFIX(inflateEnd)(&ctx->zstream);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
diff -ru nginx-1.26.2/src/http/modules/ngx_http_gzip_filter_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gzip_filter_module.c
--- nginx-1.26.2/src/http/modules/ngx_http_gzip_filter_module.c 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gzip_filter_module.c 2024-10-18 14:55:07.499545547 +0200
@@ -9,7 +9,14 @@
#include <ngx_core.h>
#include <ngx_http.h>
-#include <zlib.h>
+#if defined(NGX_ZLIB_NG)
+# include <zlib-ng.h>
+# define ZPREFIX(x) zng_ ## x
+# define z_stream zng_stream
+#elif defined(NGX_ZLIB)
+# include <zlib.h>
+# define ZPREFIX(x) x
+#endif
typedef struct {
@@ -454,7 +461,7 @@
ctx->done = 1;
if (ctx->preallocated) {
- deflateEnd(&ctx->zstream);
+ ZPREFIX(deflateEnd)(&ctx->zstream);
ngx_pfree(r->pool, ctx->preallocated);
}
@@ -515,20 +522,20 @@
} else {
/*
* Another zlib variant, https://github.com/zlib-ng/zlib-ng.
- * It used to force window bits to 13 for fast compression level,
- * uses (64 + sizeof(void*)) additional space on all allocations
- * for alignment, 16-byte padding in one of window-sized buffers,
- * and 128K hash.
*/
-
- if (conf->level == 1) {
- wbits = ngx_max(wbits, 13);
- }
-
- ctx->allocated = 8192 + 16 + (1 << (wbits + 2))
- + 131072 + (1 << (memlevel + 8))
- + 4 * (64 + sizeof(void*));
ctx->zlib_ng = 1;
+ ctx->allocated = 6144 // State
+ + 65536 // Window
+ + 65536 // Prev
+ + 131072 // Head
+ + 163840 // Pending
+ + 56 + 8 // Alloc struct + padding
+#if (defined(__s390__) || defined(__s390x__) || defined(__zarch__))
+ + 4096 // Required to fix allocation alignment
+#else
+ + 64 // Required to fix allocation alignment
+#endif
+ + 256; // Extra to allow for future changes
}
}
@@ -621,7 +628,7 @@
ctx->zstream.zfree = ngx_http_gzip_filter_free;
ctx->zstream.opaque = ctx;
- rc = deflateInit2(&ctx->zstream, (int) conf->level, Z_DEFLATED,
+ rc = ZPREFIX(deflateInit2)(&ctx->zstream, (int) conf->level, Z_DEFLATED,
ctx->wbits + 16, ctx->memlevel, Z_DEFAULT_STRATEGY);
if (rc != Z_OK) {
@@ -756,7 +763,7 @@
ctx->zstream.avail_in, ctx->zstream.avail_out,
ctx->flush, ctx->redo);
- rc = deflate(&ctx->zstream, ctx->flush);
+ rc = ZPREFIX(deflate)(&ctx->zstream, ctx->flush);
if (rc != Z_OK && rc != Z_STREAM_END && rc != Z_BUF_ERROR) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
@@ -880,7 +887,7 @@
ctx->zin = ctx->zstream.total_in;
ctx->zout = ctx->zstream.total_out;
- rc = deflateEnd(&ctx->zstream);
+ rc = ZPREFIX(deflateEnd)(&ctx->zstream);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
diff -ru nginx-1.26.2/src/http/modules/ngx_http_log_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_log_module.c
--- nginx-1.26.2/src/http/modules/ngx_http_log_module.c 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_log_module.c 2024-10-18 13:59:33.219699787 +0200
@@ -9,8 +9,13 @@
#include <ngx_core.h>
#include <ngx_http.h>
-#if (NGX_ZLIB)
-#include <zlib.h>
+#if defined(NGX_ZLIB_NG)
+# include <zlib-ng.h>
+# define ZPREFIX(x) zng_ ## x
+# define z_stream zng_stream
+#elif defined(NGX_ZLIB)
+# include <zlib.h>
+# define ZPREFIX(x) x
#endif
@@ -634,7 +639,7 @@
zstream.next_out = out;
zstream.avail_out = size;
- rc = deflateInit2(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
+ rc = ZPREFIX(deflateInit2)(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
Z_DEFAULT_STRATEGY);
if (rc != Z_OK) {
@@ -647,7 +652,7 @@
zstream.next_in, zstream.next_out,
zstream.avail_in, zstream.avail_out);
- rc = deflate(&zstream, Z_FINISH);
+ rc = ZPREFIX(deflate)(&zstream, Z_FINISH);
if (rc != Z_STREAM_END) {
ngx_log_error(NGX_LOG_ALERT, log, 0,
@@ -663,7 +668,7 @@
size -= zstream.avail_out;
- rc = deflateEnd(&zstream);
+ rc = ZPREFIX(deflateEnd)(&zstream);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, log, 0, "deflateEnd() failed: %d", rc);
diff -ru nginx-1.26.2/src/stream/ngx_stream_log_module.c nginx-1.26.2-zlib-ng/src/stream/ngx_stream_log_module.c
--- nginx-1.26.2/src/stream/ngx_stream_log_module.c 2024-08-12 16:28:31.000000000 +0200
+++ nginx-1.26.2-zlib-ng/src/stream/ngx_stream_log_module.c 2024-10-18 13:59:33.219699787 +0200
@@ -9,8 +9,13 @@
#include <ngx_core.h>
#include <ngx_stream.h>
-#if (NGX_ZLIB)
-#include <zlib.h>
+#if defined(NGX_ZLIB_NG)
+# include <zlib-ng.h>
+# define ZPREFIX(x) zng_ ## x
+# define z_stream zng_stream
+#elif defined(NGX_ZLIB)
+# include <zlib.h>
+# define ZPREFIX(x) x
#endif
@@ -525,7 +530,7 @@
zstream.next_out = out;
zstream.avail_out = size;
- rc = deflateInit2(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
+ rc = ZPREFIX(deflateInit2)(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
Z_DEFAULT_STRATEGY);
if (rc != Z_OK) {
@@ -538,7 +543,7 @@
zstream.next_in, zstream.next_out,
zstream.avail_in, zstream.avail_out);
- rc = deflate(&zstream, Z_FINISH);
+ rc = ZPREFIX(deflate)(&zstream, Z_FINISH);
if (rc != Z_STREAM_END) {
ngx_log_error(NGX_LOG_ALERT, log, 0,
@@ -554,7 +559,7 @@
size -= zstream.avail_out;
- rc = deflateEnd(&zstream);
+ rc = ZPREFIX(deflateEnd)(&zstream);
if (rc != Z_OK) {
ngx_log_error(NGX_LOG_ALERT, log, 0, "deflateEnd() failed: %d", rc);


@ -61,7 +61,7 @@
Name: nginx
Epoch: 2
Version: 1.26.2
Version: 1.26.3
Release: %autorelease
Summary: A high performance web server and reverse proxy server
@ -109,11 +109,6 @@ Patch3: 0004-Disable-ENGINE-support.patch
# downstream patch - Compile perl module with O2
Patch4: 0005-Compile-perl-module-with-O2.patch
# Fix for "gzip filter failed to use preallocated memory" alerts
# https://github.com/zlib-ng/zlib-ng/issues/811
# https://issues.redhat.com/browse/RHEL-77911
Patch5: https://github.com/zlib-ng/patches/raw/5a036c0a00120c75ee573b27f4f44ade80d82ff2/nginx/1.26.2-zlib-ng.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
@ -122,7 +117,7 @@ BuildRequires: gperftools-devel
%endif
BuildRequires: openssl%{?openssl_pkgversion}-devel
BuildRequires: pcre2-devel
BuildRequires: zlib-ng-devel
BuildRequires: zlib-ng-compat-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
%if 0%{?el7}
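Review bot: The BuildRequires switch from `zlib-ng-devel` to `zlib-ng-compat-devel` in the third hunk carries no comment, while the Patch5 block dropped in the second hunk documented the "gzip filter failed to use preallocated memory" alerts and both tracking links. Presumably building against the compat package is what makes the downstream zlib-ng patch unnecessary, but the spec no longer says so and the RHEL-77911 reference is lost. I would add a line above the new BuildRequires such as `# zlib-ng-compat replaces the dropped 1.26.2-zlib-ng.patch (RHEL-77911)`. The removed patch changed how the gzip filter sized its preallocated buffer, so it is also worth confirming that the alerts do not return with the 1.26.3 build.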


@ -1,2 +1,2 @@
SHA512 (nginx-1.26.2.tar.gz) = 470efe9ae5d6150ecbf133979c6c36415679a2156499a3b6820a85eb8f3038a8aa06f7b28ddd834cffb0e982f3ddc89e4b1649d536eba4f84019a72d4cfa3539
SHA512 (nginx-1.26.2.tar.gz.asc) = 1797a695d40908529dd188f5e9c066041dd4e9389d170183f91062b2b3ad46252247393c1457e0b24642966e50d41abad313e03723f67af8342930bebe0a3cab
SHA512 (nginx-1.26.3.tar.gz) = cd780e495796bf7413e54a6730d11d55127b0ca6563acf5c75eb2698f62cddbbf5ba61820c57b2316c0bb789fcfd17f98a27a84b525ed50f304d1b1043ffa05d
SHA512 (nginx-1.26.3.tar.gz.asc) = ab1a23cce1c98833f7a6b9dbd176b12bb8b9dedaa9fea7c321b870b11fc2e8d836e09c8791ce6c12497ab6d40cdd3575112f4309e9afe1f1b5fe092221569615