import UBI nginx-1.20.1-28.el9_8.4

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-07 16:29:01 -04:00
parent 73a06fa612
commit b5814189a3
4 changed files with 391 additions and 128 deletions

View File

@ -1,126 +0,0 @@
From edb82a3e2388938f6230731e1f50e98fbde5f83f Mon Sep 17 00:00:00 2001
From: Maxim Dounin <mdounin@mdounin.ru>
Date: Fri, 24 May 2024 00:20:01 +0300
Subject: [PATCH] Added max_headers directive.
The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.
Requested by Maksim Yevmenkin.
Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
---
src/http/ngx_http_core_module.c | 10 ++++++++++
src/http/ngx_http_core_module.h | 2 ++
src/http/ngx_http_request.c | 9 +++++++++
src/http/ngx_http_request.h | 1 +
src/http/v2/ngx_http_v2.c | 9 +++++++++
5 files changed, 31 insertions(+)
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 6664fa6..2516331 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -252,6 +252,13 @@ static ngx_command_t ngx_http_core_commands[] = {
offsetof(ngx_http_core_srv_conf_t, large_client_header_buffers),
NULL },
+ { ngx_string("max_headers"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_core_srv_conf_t, max_headers),
+ NULL },
+
{ ngx_string("ignore_invalid_headers"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -3370,6 +3377,7 @@ ngx_http_core_create_srv_conf(ngx_conf_t *cf)
cscf->request_pool_size = NGX_CONF_UNSET_SIZE;
cscf->client_header_timeout = NGX_CONF_UNSET_MSEC;
cscf->client_header_buffer_size = NGX_CONF_UNSET_SIZE;
+ cscf->max_headers = NGX_CONF_UNSET_UINT;
cscf->ignore_invalid_headers = NGX_CONF_UNSET;
cscf->merge_slashes = NGX_CONF_UNSET;
cscf->underscores_in_headers = NGX_CONF_UNSET;
@@ -3411,6 +3419,8 @@ ngx_http_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
+ ngx_conf_merge_uint_value(conf->max_headers, prev->max_headers, 1000);
+
ngx_conf_merge_value(conf->ignore_invalid_headers,
prev->ignore_invalid_headers, 1);
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index 2341fd4..2e787e2 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -196,6 +196,8 @@ typedef struct {
ngx_msec_t client_header_timeout;
+ ngx_uint_t max_headers;
+
ngx_flag_t ignore_invalid_headers;
ngx_flag_t merge_slashes;
ngx_flag_t underscores_in_headers;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 404aa77..dccc9de 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1468,6 +1468,15 @@ ngx_http_process_request_headers(ngx_event_t *rev)
/* a header line has been parsed successfully */
+ if (r->headers_in.count++ >= cscf->max_headers) {
+ r->lingering_close = 1;
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many header lines");
+ ngx_http_finalize_request(r,
+ NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+ break;
+ }
+
h = ngx_list_push(&r->headers_in.headers);
if (h == NULL) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
index 6dfb4a4..3b46c41 100644
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -180,6 +180,7 @@ typedef struct {
typedef struct {
ngx_list_t headers;
+ ngx_uint_t count;
ngx_table_elt_t *host;
ngx_table_elt_t *connection;
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 291677a..7812ddc 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1860,6 +1860,15 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
}
} else {
+ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+ if (r->headers_in.count++ >= cscf->max_headers) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent too many header lines");
+ ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+ goto error;
+ }
+
h = ngx_list_push(&r->headers_in.headers);
if (h == NULL) {
return ngx_http_v2_connection_error(h2c,
--
2.44.0

View File

@ -0,0 +1,279 @@
From 96c96ff41ad3d3ead3288ea5ba990d9649f30541 Mon Sep 17 00:00:00 2001
From: Maxim Dounin <mdounin@mdounin.ru>
Date: Tue, 10 Oct 2023 15:13:39 +0300
Subject: [PATCH] HTTP/2: per-iteration stream handling limit.
The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.
Requested by Maksim Yevmenkin.
The original patch was modified so that the header count and the limit are
stored in a separate module, ngx_http_header_count_module, instead of the
core module. This allows to avoid changing the size of existing structures
and thus avoid potential ABI breakage and keep all the 3rd party modules
compatible with the new version of nginx without recompilation.
Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
---
auto/modules | 1 +
src/http/ngx_http_core_module.c | 73 +++++++++++++++++++++++++++++++
src/http/ngx_http_header_count.hh | 14 ++++++
src/http/ngx_http_request.c | 24 ++++++++++
src/http/v2/ngx_http_v2.c | 14 ++++++
5 files changed, 126 insertions(+)
create mode 100644 src/http/ngx_http_header_count.hh
diff --git a/auto/modules b/auto/modules
index f5a4597..837d894 100644
--- a/auto/modules
+++ b/auto/modules
@@ -67,6 +67,7 @@ if [ $HTTP = YES ]; then
ngx_module_name="ngx_http_module \
ngx_http_core_module \
ngx_http_log_module \
+ ngx_http_header_count_module \
ngx_http_upstream_module"
ngx_module_incs="src/http src/http/modules"
ngx_module_deps="src/http/ngx_http.h \
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 6664fa6..620cc35 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -8,6 +8,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
+#include <ngx_http_header_count.hh>
typedef struct {
@@ -39,6 +40,10 @@ static void *ngx_http_core_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_core_merge_loc_conf(ngx_conf_t *cf,
void *parent, void *child);
+static void *ngx_http_header_count_create_srv_conf(ngx_conf_t *cf);
+static char *ngx_http_header_count_merge_srv_conf(ngx_conf_t *cf,
+ void *parent, void *child);
+
static char *ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd,
void *dummy);
static char *ngx_http_core_location(ngx_conf_t *cf, ngx_command_t *cmd,
@@ -812,6 +817,48 @@ ngx_module_t ngx_http_core_module = {
NGX_MODULE_V1_PADDING
};
+static ngx_command_t ngx_http_header_count_commands[] = {
+
+ { ngx_string("max_headers"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_header_count_conf_t, max_headers),
+ NULL },
+
+ ngx_null_command
+};
+
+static ngx_http_module_t ngx_http_header_count_module_ctx = {
+ NULL, /* preconfiguration */
+ NULL, /* postconfiguration */
+
+ NULL, /* create main configuration */
+ NULL, /* init main configuration */
+
+ ngx_http_header_count_create_srv_conf, /* create server configuration */
+ ngx_http_header_count_merge_srv_conf, /* merge server configuration */
+
+ NULL, /* create location configuration */
+ NULL /* merge location configuration */
+};
+
+
+ngx_module_t ngx_http_header_count_module = {
+ NGX_MODULE_V1,
+ &ngx_http_header_count_module_ctx, /* module context */
+ ngx_http_header_count_commands, /* module directives */
+ NGX_HTTP_MODULE, /* module type */
+ NULL, /* init master */
+ NULL, /* init module */
+ NULL, /* init process */
+ NULL, /* init thread */
+ NULL, /* exit thread */
+ NULL, /* exit process */
+ NULL, /* exit master */
+ NGX_MODULE_V1_PADDING
+};
+
ngx_str_t ngx_http_core_get_method = { 3, (u_char *) "GET" };
@@ -3562,6 +3609,32 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
}
+static void *
+ngx_http_header_count_create_srv_conf(ngx_conf_t *cf)
+{
+ ngx_http_header_count_conf_t *hccf;
+
+ hccf = ngx_pcalloc(cf->pool, sizeof(ngx_http_header_count_conf_t));
+ if (hccf == NULL) {
+ return NULL;
+ }
+
+ hccf->max_headers = NGX_CONF_UNSET_UINT;
+ return hccf;
+}
+
+static char *
+ngx_http_header_count_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+{
+ ngx_http_header_count_conf_t *prev = parent;
+ ngx_http_header_count_conf_t *conf = child;
+
+ ngx_conf_merge_uint_value(conf->max_headers, prev->max_headers, 1000);
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_str_t ngx_http_core_text_html_type = ngx_string("text/html");
static ngx_str_t ngx_http_core_image_gif_type = ngx_string("image/gif");
static ngx_str_t ngx_http_core_image_jpeg_type = ngx_string("image/jpeg");
diff --git a/src/http/ngx_http_header_count.hh b/src/http/ngx_http_header_count.hh
new file mode 100644
index 0000000..6a8b86d
--- /dev/null
+++ b/src/http/ngx_http_header_count.hh
@@ -0,0 +1,14 @@
+#ifndef _NGX_HTTP_HEADER_COUNT_H_INCLUDED_
+#define _NGX_HTTP_HEADER_COUNT_H_INCLUDED_
+
+typedef struct {
+ ngx_uint_t count;
+} ngx_http_header_count_t;
+
+typedef struct {
+ ngx_uint_t max_headers;
+} ngx_http_header_count_conf_t;
+
+extern ngx_module_t ngx_http_header_count_module;
+
+#endif /* _NGX_HTTP_HEADER_COUNT_H_INCLUDED_ */
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 404aa77..d6515b6 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -8,6 +8,7 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
+#include <ngx_http_header_count.hh>
static void ngx_http_wait_request_handler(ngx_event_t *ev);
@@ -545,6 +546,7 @@ ngx_http_alloc_request(ngx_connection_t *c)
ngx_http_connection_t *hc;
ngx_http_core_srv_conf_t *cscf;
ngx_http_core_main_conf_t *cmcf;
+ ngx_http_header_count_t *hc_ctx;
hc = c->data;
@@ -606,6 +608,13 @@ ngx_http_alloc_request(ngx_connection_t *c)
return NULL;
}
+ hc_ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_header_count_t));
+ if (hc_ctx == NULL) {
+ ngx_destroy_pool(r->pool);
+ return NULL;
+ }
+ ngx_http_set_ctx(r, hc_ctx, ngx_http_header_count_module);
+
#if (NGX_HTTP_SSL)
if (c->ssl) {
r->main_filter_need_in_memory = 1;
@@ -1378,6 +1387,8 @@ ngx_http_process_request_headers(ngx_event_t *rev)
ngx_http_request_t *r;
ngx_http_core_srv_conf_t *cscf;
ngx_http_core_main_conf_t *cmcf;
+ ngx_http_header_count_conf_t *hccf;
+ ngx_http_header_count_t *hc_ctx;
c = rev->data;
r = c->data;
@@ -1451,6 +1462,10 @@ ngx_http_process_request_headers(ngx_event_t *rev)
rc = ngx_http_parse_header_line(r, r->header_in,
cscf->underscores_in_headers);
+
+ hccf = ngx_http_get_module_srv_conf(r, ngx_http_header_count_module);
+ hc_ctx = ngx_http_get_module_ctx(r, ngx_http_header_count_module);
+
if (rc == NGX_OK) {
r->request_length += r->header_in->pos - r->header_name_start;
@@ -1468,6 +1483,15 @@ ngx_http_process_request_headers(ngx_event_t *rev)
/* a header line has been parsed successfully */
+ if (hc_ctx->count++ >= hccf->max_headers) {
+ r->lingering_close = 1;
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many header lines");
+ ngx_http_finalize_request(r,
+ NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+ break;
+ }
+
h = ngx_list_push(&r->headers_in.headers);
if (h == NULL) {
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 291677a..0c6ae96 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -9,6 +9,7 @@
#include <ngx_core.h>
#include <ngx_http.h>
#include <ngx_http_v2_module.h>
+#include <ngx_http_header_count.hh>
typedef struct {
@@ -1749,6 +1750,8 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
ngx_http_v2_header_t *header;
ngx_http_core_srv_conf_t *cscf;
ngx_http_core_main_conf_t *cmcf;
+ ngx_http_header_count_conf_t *hccf;
+ ngx_http_header_count_t *hc_ctx;
static ngx_str_t cookie = ngx_string("cookie");
@@ -1860,6 +1863,17 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
}
} else {
+ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+ hccf = ngx_http_get_module_srv_conf(r, ngx_http_header_count_module);
+ hc_ctx = ngx_http_get_module_ctx(r, ngx_http_header_count_module);
+
+ if (hc_ctx->count++ >= hccf->max_headers) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent too many header lines");
+ ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+ goto error;
+ }
+
h = ngx_list_push(&r->headers_in.headers);
if (h == NULL) {
return ngx_http_v2_connection_error(h2c,
--
2.44.0

View File

@ -0,0 +1,99 @@
From 83cc0876c6d8f880b7c943e39d922e2286c94a41 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Tue, 2 Jun 2026 19:37:17 +0400
Subject: [PATCH] Upstream: limit header length for HTTP/2 and gRPC
The change applies the HTTP/2 header length limits to avoid buffer
overflow. See 58a7bc3406ac for details.
Reported by Mufeed VH of Winfunc Research.
---
src/http/modules/ngx_http_grpc_module.c | 44 +++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 9f13089..bb636f3 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -740,6 +740,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
tmp_len = 0;
} else {
+ if (r->method_name.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 method: \"%V\"", &r->method_name);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + r->method_name.len;
tmp_len = r->method_name.len;
}
@@ -760,6 +766,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
uri_len = r->uri.len + escape + sizeof("?") - 1 + r->args.len;
}
+ if (uri_len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 URI");
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + uri_len;
if (tmp_len < uri_len) {
@@ -769,6 +781,12 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
/* :authority header */
if (!glcf->host_set) {
+ if (ctx->host.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 host: \"%V\"", &ctx->host);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + ctx->host.len;
if (tmp_len < ctx->host.len) {
@@ -799,6 +817,18 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
continue;
}
+ if (key_len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 header name");
+ return NGX_ERROR;
+ }
+
+ if (val_len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 header value");
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + key_len
+ NGX_HTTP_V2_INT_OCTETS + val_len;
@@ -833,6 +863,20 @@ ngx_http_grpc_create_request(ngx_http_request_t *r)
continue;
}
+ if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 header name: \"%V\"",
+ &header[i].key);
+ return NGX_ERROR;
+ }
+
+ if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "too long http2 header value: \"%V: %V\"",
+ &header[i].key, &header[i].value);
+ return NGX_ERROR;
+ }
+
len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len
+ NGX_HTTP_V2_INT_OCTETS + header[i].value.len;
--
2.44.0

View File

@ -41,7 +41,7 @@
Name: nginx
Epoch: 2
Version: 1.20.1
Release: 28%{?dist}.3
Release: 28%{?dist}.4
Summary: A high performance web server and reverse proxy server
# BSD License (two clause)
@ -150,7 +150,11 @@ Patch21: 0021-Rewrite-fix-buffer-overflow-with-overlapping-capture.pat
# https://redhat.atlassian.net/browse/RHEL-182544
# upstream patch - https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2
Patch22: 0022-Added-max_headers-directive.patch
Patch22: 0022-HTTP-2-per-iteration-stream-handling-limit.patch
# https://redhat.atlassian.net/browse/RHEL-188418
# upstream patch - https://github.com/nginx/nginx/commit/26d824ec3a2f819300edce0ab3b055751c9843ff.patch
Patch23: 0023-Upstream-limit-header-length-for-HTTP-2-and-gRPC.patch
BuildRequires: make
BuildRequires: gcc
@ -668,6 +672,13 @@ fi
%changelog
* Fri Jul 03 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28.4
- Resolves: RHEL-190800 - nginx: "HTTP/2 bomb" nginx fix breaks module ABI
causing crashes
- Resolves: RHEL-188418 - nginx: NGINX: Arbitrary code execution or
Denial of Service via heap-based buffer overflow with crafted HTTP/2
headers (CVE-2026-42055)
* Mon Jun 08 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28.3
- Resolves: RHEL-178684 - nginx: code execution and denial of
service (CVE-2026-9256)