New version 1.26.3
Resolves: RHEL-78233 - CVE-2025-23419 nginx: TLS Session Resumption Vulnerability
		
							parent
							
								
									3ac52f1966
								
							
						
					
					
						commit
						90d4dba563
					
				| @ -1,276 +0,0 @@ | ||||
| diff -ru nginx-1.26.2/auto/lib/zlib/conf nginx-1.26.2-zlib-ng/auto/lib/zlib/conf
 | ||||
| --- nginx-1.26.2/auto/lib/zlib/conf	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/auto/lib/zlib/conf	2024-10-18 13:59:33.218699818 +0200
 | ||||
| @@ -33,8 +33,8 @@
 | ||||
|   | ||||
|          *) | ||||
|              have=NGX_ZLIB . auto/have | ||||
| -            LINK_DEPS="$LINK_DEPS $ZLIB/libz.a"
 | ||||
| -            CORE_LIBS="$CORE_LIBS $ZLIB/libz.a"
 | ||||
| +            LINK_DEPS="$LINK_DEPS $ZLIB/libz-ng.a"
 | ||||
| +            CORE_LIBS="$CORE_LIBS $ZLIB/libz-ng.a"
 | ||||
|              #CORE_LIBS="$CORE_LIBS -L $ZLIB -lz" | ||||
|          ;; | ||||
|   | ||||
| @@ -50,10 +50,10 @@
 | ||||
|          ngx_feature="zlib library" | ||||
|          ngx_feature_name="NGX_ZLIB" | ||||
|          ngx_feature_run=no | ||||
| -        ngx_feature_incs="#include <zlib.h>"
 | ||||
| +        ngx_feature_incs="#include <zlib-ng.h>"
 | ||||
|          ngx_feature_path= | ||||
| -        ngx_feature_libs="-lz"
 | ||||
| -        ngx_feature_test="z_stream z; deflate(&z, Z_NO_FLUSH)"
 | ||||
| +        ngx_feature_libs="-lz-ng"
 | ||||
| +        ngx_feature_test="zng_stream z; zng_deflate(&z, Z_NO_FLUSH)"
 | ||||
|          . auto/feature | ||||
|   | ||||
|   | ||||
| diff -ru nginx-1.26.2/src/core/ngx_config.h nginx-1.26.2-zlib-ng/src/core/ngx_config.h
 | ||||
| --- nginx-1.26.2/src/core/ngx_config.h	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/src/core/ngx_config.h	2024-10-18 14:26:37.446504000 +0200
 | ||||
| @@ -141,5 +141,9 @@
 | ||||
|   | ||||
|  #endif | ||||
|   | ||||
| +/* Force enable ZLIB-NG */
 | ||||
| +#ifndef NGX_ZLIB_NG
 | ||||
| +#define NGX_ZLIB_NG 1
 | ||||
| +#endif
 | ||||
|   | ||||
|  #endif /* _NGX_CONFIG_H_INCLUDED_ */ | ||||
| diff -ru nginx-1.26.2/src/http/modules/ngx_http_gunzip_filter_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gunzip_filter_module.c
 | ||||
| --- nginx-1.26.2/src/http/modules/ngx_http_gunzip_filter_module.c	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gunzip_filter_module.c	2024-10-18 13:59:33.218699818 +0200
 | ||||
| @@ -10,7 +10,14 @@
 | ||||
|  #include <ngx_core.h> | ||||
|  #include <ngx_http.h> | ||||
|   | ||||
| -#include <zlib.h>
 | ||||
| +#if defined(NGX_ZLIB_NG)
 | ||||
| +# include <zlib-ng.h>
 | ||||
| +# define ZPREFIX(x) zng_ ## x
 | ||||
| +# define z_stream zng_stream
 | ||||
| +#elif defined(NGX_ZLIB)
 | ||||
| +# include <zlib.h>
 | ||||
| +# define ZPREFIX(x) x
 | ||||
| +#endif
 | ||||
|   | ||||
|   | ||||
|  typedef struct { | ||||
| @@ -312,7 +319,7 @@
 | ||||
|      ctx->zstream.opaque = ctx; | ||||
|   | ||||
|      /* windowBits +16 to decode gzip, zlib 1.2.0.4+ */ | ||||
| -    rc = inflateInit2(&ctx->zstream, MAX_WBITS + 16);
 | ||||
| +    rc = ZPREFIX(inflateInit2)(&ctx->zstream, MAX_WBITS + 16);
 | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | ||||
| @@ -435,7 +442,7 @@
 | ||||
|                     ctx->zstream.avail_in, ctx->zstream.avail_out, | ||||
|                     ctx->flush, ctx->redo); | ||||
|   | ||||
| -    rc = inflate(&ctx->zstream, ctx->flush);
 | ||||
| +    rc = ZPREFIX(inflate)(&ctx->zstream, ctx->flush);
 | ||||
|   | ||||
|      if (rc != Z_OK && rc != Z_STREAM_END && rc != Z_BUF_ERROR) { | ||||
|          ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | ||||
| @@ -533,7 +540,7 @@
 | ||||
|   | ||||
|      if (rc == Z_STREAM_END && ctx->zstream.avail_in > 0) { | ||||
|   | ||||
| -        rc = inflateReset(&ctx->zstream);
 | ||||
| +        rc = ZPREFIX(inflateReset)(&ctx->zstream);
 | ||||
|   | ||||
|          if (rc != Z_OK) { | ||||
|              ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | ||||
| @@ -584,7 +591,7 @@
 | ||||
|      ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | ||||
|                     "gunzip inflate end"); | ||||
|   | ||||
| -    rc = inflateEnd(&ctx->zstream);
 | ||||
| +    rc = ZPREFIX(inflateEnd)(&ctx->zstream);
 | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | ||||
| diff -ru nginx-1.26.2/src/http/modules/ngx_http_gzip_filter_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gzip_filter_module.c
 | ||||
| --- nginx-1.26.2/src/http/modules/ngx_http_gzip_filter_module.c	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_gzip_filter_module.c	2024-10-18 14:55:07.499545547 +0200
 | ||||
| @@ -9,7 +9,14 @@
 | ||||
|  #include <ngx_core.h> | ||||
|  #include <ngx_http.h> | ||||
|   | ||||
| -#include <zlib.h>
 | ||||
| +#if defined(NGX_ZLIB_NG)
 | ||||
| +# include <zlib-ng.h>
 | ||||
| +# define ZPREFIX(x) zng_ ## x
 | ||||
| +# define z_stream zng_stream
 | ||||
| +#elif defined(NGX_ZLIB)
 | ||||
| +# include <zlib.h>
 | ||||
| +# define ZPREFIX(x) x
 | ||||
| +#endif
 | ||||
|   | ||||
|   | ||||
|  typedef struct { | ||||
| @@ -454,7 +461,7 @@
 | ||||
|      ctx->done = 1; | ||||
|   | ||||
|      if (ctx->preallocated) { | ||||
| -        deflateEnd(&ctx->zstream);
 | ||||
| +        ZPREFIX(deflateEnd)(&ctx->zstream);
 | ||||
|   | ||||
|          ngx_pfree(r->pool, ctx->preallocated); | ||||
|      } | ||||
| @@ -515,20 +522,20 @@
 | ||||
|      } else { | ||||
|          /* | ||||
|           * Another zlib variant, https://github.com/zlib-ng/zlib-ng. | ||||
| -         * It used to force window bits to 13 for fast compression level,
 | ||||
| -         * uses (64 + sizeof(void*)) additional space on all allocations
 | ||||
| -         * for alignment, 16-byte padding in one of window-sized buffers,
 | ||||
| -         * and 128K hash.
 | ||||
|           */ | ||||
| -
 | ||||
| -        if (conf->level == 1) {
 | ||||
| -            wbits = ngx_max(wbits, 13);
 | ||||
| -        }
 | ||||
| -
 | ||||
| -        ctx->allocated = 8192 + 16 + (1 << (wbits + 2))
 | ||||
| -                         + 131072 + (1 << (memlevel + 8))
 | ||||
| -                         + 4 * (64 + sizeof(void*));
 | ||||
|          ctx->zlib_ng = 1; | ||||
| +        ctx->allocated = 6144 // State
 | ||||
| +						 + 65536 // Window
 | ||||
| +						 + 65536 // Prev
 | ||||
| +						 + 131072 // Head
 | ||||
| +						 + 163840 // Pending
 | ||||
| +						 + 56 + 8 // Alloc struct + padding
 | ||||
| +#if (defined(__s390__) || defined(__s390x__) || defined(__zarch__))
 | ||||
| +						 + 4096 // Required to fix allocation alignment
 | ||||
| +#else
 | ||||
| +						 + 64 // Required to fix allocation alignment
 | ||||
| +#endif
 | ||||
| +						 + 256; // Extra to allow for future changes
 | ||||
|      } | ||||
|  } | ||||
|   | ||||
| @@ -621,7 +628,7 @@
 | ||||
|      ctx->zstream.zfree = ngx_http_gzip_filter_free; | ||||
|      ctx->zstream.opaque = ctx; | ||||
|   | ||||
| -    rc = deflateInit2(&ctx->zstream, (int) conf->level, Z_DEFLATED,
 | ||||
| +    rc = ZPREFIX(deflateInit2)(&ctx->zstream, (int) conf->level, Z_DEFLATED,
 | ||||
|                        ctx->wbits + 16, ctx->memlevel, Z_DEFAULT_STRATEGY); | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
| @@ -756,7 +763,7 @@
 | ||||
|                   ctx->zstream.avail_in, ctx->zstream.avail_out, | ||||
|                   ctx->flush, ctx->redo); | ||||
|   | ||||
| -    rc = deflate(&ctx->zstream, ctx->flush);
 | ||||
| +    rc = ZPREFIX(deflate)(&ctx->zstream, ctx->flush);
 | ||||
|   | ||||
|      if (rc != Z_OK && rc != Z_STREAM_END && rc != Z_BUF_ERROR) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | ||||
| @@ -880,7 +887,7 @@
 | ||||
|      ctx->zin = ctx->zstream.total_in; | ||||
|      ctx->zout = ctx->zstream.total_out; | ||||
|   | ||||
| -    rc = deflateEnd(&ctx->zstream);
 | ||||
| +    rc = ZPREFIX(deflateEnd)(&ctx->zstream);
 | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, | ||||
| diff -ru nginx-1.26.2/src/http/modules/ngx_http_log_module.c nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_log_module.c
 | ||||
| --- nginx-1.26.2/src/http/modules/ngx_http_log_module.c	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/src/http/modules/ngx_http_log_module.c	2024-10-18 13:59:33.219699787 +0200
 | ||||
| @@ -9,8 +9,13 @@
 | ||||
|  #include <ngx_core.h> | ||||
|  #include <ngx_http.h> | ||||
|   | ||||
| -#if (NGX_ZLIB)
 | ||||
| -#include <zlib.h>
 | ||||
| +#if defined(NGX_ZLIB_NG)
 | ||||
| +# include <zlib-ng.h>
 | ||||
| +# define ZPREFIX(x) zng_ ## x
 | ||||
| +# define z_stream zng_stream
 | ||||
| +#elif defined(NGX_ZLIB)
 | ||||
| +# include <zlib.h>
 | ||||
| +# define ZPREFIX(x) x
 | ||||
|  #endif | ||||
|   | ||||
|   | ||||
| @@ -634,7 +639,7 @@
 | ||||
|      zstream.next_out = out; | ||||
|      zstream.avail_out = size; | ||||
|   | ||||
| -    rc = deflateInit2(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
 | ||||
| +    rc = ZPREFIX(deflateInit2)(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
 | ||||
|                        Z_DEFAULT_STRATEGY); | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
| @@ -647,7 +652,7 @@
 | ||||
|                     zstream.next_in, zstream.next_out, | ||||
|                     zstream.avail_in, zstream.avail_out); | ||||
|   | ||||
| -    rc = deflate(&zstream, Z_FINISH);
 | ||||
| +    rc = ZPREFIX(deflate)(&zstream, Z_FINISH);
 | ||||
|   | ||||
|      if (rc != Z_STREAM_END) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, log, 0, | ||||
| @@ -663,7 +668,7 @@
 | ||||
|   | ||||
|      size -= zstream.avail_out; | ||||
|   | ||||
| -    rc = deflateEnd(&zstream);
 | ||||
| +    rc = ZPREFIX(deflateEnd)(&zstream);
 | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, log, 0, "deflateEnd() failed: %d", rc); | ||||
| diff -ru nginx-1.26.2/src/stream/ngx_stream_log_module.c nginx-1.26.2-zlib-ng/src/stream/ngx_stream_log_module.c
 | ||||
| --- nginx-1.26.2/src/stream/ngx_stream_log_module.c	2024-08-12 16:28:31.000000000 +0200
 | ||||
| +++ nginx-1.26.2-zlib-ng/src/stream/ngx_stream_log_module.c	2024-10-18 13:59:33.219699787 +0200
 | ||||
| @@ -9,8 +9,13 @@
 | ||||
|  #include <ngx_core.h> | ||||
|  #include <ngx_stream.h> | ||||
|   | ||||
| -#if (NGX_ZLIB)
 | ||||
| -#include <zlib.h>
 | ||||
| +#if defined(NGX_ZLIB_NG)
 | ||||
| +# include <zlib-ng.h>
 | ||||
| +# define ZPREFIX(x) zng_ ## x
 | ||||
| +# define z_stream zng_stream
 | ||||
| +#elif defined(NGX_ZLIB)
 | ||||
| +# include <zlib.h>
 | ||||
| +# define ZPREFIX(x) x
 | ||||
|  #endif | ||||
|   | ||||
|   | ||||
| @@ -525,7 +530,7 @@
 | ||||
|      zstream.next_out = out; | ||||
|      zstream.avail_out = size; | ||||
|   | ||||
| -    rc = deflateInit2(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
 | ||||
| +    rc = ZPREFIX(deflateInit2)(&zstream, (int) level, Z_DEFLATED, wbits + 16, memlevel,
 | ||||
|                        Z_DEFAULT_STRATEGY); | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
| @@ -538,7 +543,7 @@
 | ||||
|                     zstream.next_in, zstream.next_out, | ||||
|                     zstream.avail_in, zstream.avail_out); | ||||
|   | ||||
| -    rc = deflate(&zstream, Z_FINISH);
 | ||||
| +    rc = ZPREFIX(deflate)(&zstream, Z_FINISH);
 | ||||
|   | ||||
|      if (rc != Z_STREAM_END) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, log, 0, | ||||
| @@ -554,7 +559,7 @@
 | ||||
|   | ||||
|      size -= zstream.avail_out; | ||||
|   | ||||
| -    rc = deflateEnd(&zstream);
 | ||||
| +    rc = ZPREFIX(deflateEnd)(&zstream);
 | ||||
|   | ||||
|      if (rc != Z_OK) { | ||||
|          ngx_log_error(NGX_LOG_ALERT, log, 0, "deflateEnd() failed: %d", rc); | ||||
| @ -61,7 +61,7 @@ | ||||
| 
 | ||||
| Name:              nginx | ||||
| Epoch:             2 | ||||
| Version:           1.26.2 | ||||
| Version:           1.26.3 | ||||
| Release:           %autorelease | ||||
| 
 | ||||
| Summary:           A high performance web server and reverse proxy server | ||||
| @ -109,11 +109,6 @@ Patch3:            0004-Disable-ENGINE-support.patch | ||||
| # downstream patch - Compile perl module with O2 | ||||
| Patch4:            0005-Compile-perl-module-with-O2.patch | ||||
| 
 | ||||
| # Fix for "gzip filter failed to use preallocated memory" alerts | ||||
| # https://github.com/zlib-ng/zlib-ng/issues/811 | ||||
| # https://issues.redhat.com/browse/RHEL-77911 | ||||
| Patch5:            https://github.com/zlib-ng/patches/raw/5a036c0a00120c75ee573b27f4f44ade80d82ff2/nginx/1.26.2-zlib-ng.patch | ||||
| 
 | ||||
| BuildRequires:     make | ||||
| BuildRequires:     gcc | ||||
| BuildRequires:     gnupg2 | ||||
| @ -122,7 +117,7 @@ BuildRequires:     gperftools-devel | ||||
| %endif | ||||
| BuildRequires:     openssl%{?openssl_pkgversion}-devel | ||||
| BuildRequires:     pcre2-devel | ||||
| BuildRequires:     zlib-ng-devel | ||||
| BuildRequires:     zlib-ng-compat-devel | ||||
| 
 | ||||
| Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} | ||||
| %if 0%{?el7} | ||||
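Review bot: The spec no longer records how the zlib-ng preallocation problem is handled: the hunk at -109,11 drops Patch5 together with the comment pointing at RHEL-77911 ("gzip filter failed to use preallocated memory" alerts), and the new `BuildRequires: zlib-ng-compat-devel` line carries no explanation. The dropped patch replaced nginx's own zlib-ng estimate of `ctx->allocated` in the gzip filter, so after this commit the unpatched 1.26.3 sizing is what runs, presumably against the zlib-compat build of zlib-ng. The commit message cites only RHEL-78233, so it is worth confirming under gzip load that the alert does not come back. I would add a comment above the BuildRequires line, for example `# zlib-compat API of zlib-ng; 1.26.2-zlib-ng.patch dropped, see RHEL-77911`.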
|  | ||||
							
								
								
									
									
										4
									
								
								sources
									
									
									
									
									
								
							| @ -1,2 +1,2 @@ | ||||
| SHA512 (nginx-1.26.2.tar.gz) = 470efe9ae5d6150ecbf133979c6c36415679a2156499a3b6820a85eb8f3038a8aa06f7b28ddd834cffb0e982f3ddc89e4b1649d536eba4f84019a72d4cfa3539 | ||||
| SHA512 (nginx-1.26.2.tar.gz.asc) = 1797a695d40908529dd188f5e9c066041dd4e9389d170183f91062b2b3ad46252247393c1457e0b24642966e50d41abad313e03723f67af8342930bebe0a3cab | ||||
| SHA512 (nginx-1.26.3.tar.gz) = cd780e495796bf7413e54a6730d11d55127b0ca6563acf5c75eb2698f62cddbbf5ba61820c57b2316c0bb789fcfd17f98a27a84b525ed50f304d1b1043ffa05d | ||||
| SHA512 (nginx-1.26.3.tar.gz.asc) = ab1a23cce1c98833f7a6b9dbd176b12bb8b9dedaa9fea7c321b870b11fc2e8d836e09c8791ce6c12497ab6d40cdd3575112f4309e9afe1f1b5fe092221569615 | ||||
|  | ||||