import nginx-1.14.1-9.module+el8.0.0+4108+af250afe
This commit is contained in:
parent
dbeb73551d
commit
b6a39d9141
70
SOURCES/nginx-1.14.1-CVE-2019-9511.patch
Normal file
70
SOURCES/nginx-1.14.1-CVE-2019-9511.patch
Normal file
@ -0,0 +1,70 @@
|
||||
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
||||
index 12214e1..3b7f892 100644
|
||||
--- a/src/http/v2/ngx_http_v2.c
|
||||
+++ b/src/http/v2/ngx_http_v2.c
|
||||
@@ -4335,6 +4335,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
|
||||
*/
|
||||
pool = stream->pool;
|
||||
|
||||
+ h2c->frames -= stream->frames;
|
||||
+
|
||||
ngx_http_free_request(stream->request, rc);
|
||||
|
||||
if (pool != h2c->state.pool) {
|
||||
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
|
||||
index bec2216..715b7d3 100644
|
||||
--- a/src/http/v2/ngx_http_v2.h
|
||||
+++ b/src/http/v2/ngx_http_v2.h
|
||||
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
|
||||
|
||||
ngx_buf_t *preread;
|
||||
|
||||
+ ngx_uint_t frames;
|
||||
+
|
||||
ngx_http_v2_out_frame_t *free_frames;
|
||||
ngx_chain_t *free_frame_headers;
|
||||
ngx_chain_t *free_bufs;
|
||||
diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
|
||||
index 029e8ec..c7ee553 100644
|
||||
--- a/src/http/v2/ngx_http_v2_filter_module.c
|
||||
+++ b/src/http/v2/ngx_http_v2_filter_module.c
|
||||
@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
|
||||
ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
|
||||
size_t len, ngx_chain_t *first, ngx_chain_t *last)
|
||||
{
|
||||
- u_char flags;
|
||||
- ngx_buf_t *buf;
|
||||
- ngx_chain_t *cl;
|
||||
- ngx_http_v2_out_frame_t *frame;
|
||||
+ u_char flags;
|
||||
+ ngx_buf_t *buf;
|
||||
+ ngx_chain_t *cl;
|
||||
+ ngx_http_v2_out_frame_t *frame;
|
||||
+ ngx_http_v2_connection_t *h2c;
|
||||
|
||||
frame = stream->free_frames;
|
||||
+ h2c = stream->connection;
|
||||
|
||||
if (frame) {
|
||||
stream->free_frames = frame->next;
|
||||
|
||||
- } else {
|
||||
+ } else if (h2c->frames < 10000) {
|
||||
frame = ngx_palloc(stream->request->pool,
|
||||
sizeof(ngx_http_v2_out_frame_t));
|
||||
if (frame == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
+
|
||||
+ stream->frames++;
|
||||
+ h2c->frames++;
|
||||
+
|
||||
+ } else {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "http2 flood detected");
|
||||
+
|
||||
+ h2c->connection->error = 1;
|
||||
+ return NULL;
|
||||
}
|
||||
|
||||
flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
|
47
SOURCES/nginx-1.14.1-CVE-2019-9513.patch
Normal file
47
SOURCES/nginx-1.14.1-CVE-2019-9513.patch
Normal file
@ -0,0 +1,47 @@
|
||||
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
||||
index 3b7f892..0aaea47 100644
|
||||
--- a/src/http/v2/ngx_http_v2.c
|
||||
+++ b/src/http/v2/ngx_http_v2.c
|
||||
@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
|
||||
h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
|
||||
|
||||
h2c->concurrent_pushes = h2scf->concurrent_pushes;
|
||||
+ h2c->priority_limit = h2scf->concurrent_streams;
|
||||
|
||||
h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
|
||||
if (h2c->pool == NULL) {
|
||||
@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
|
||||
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
|
||||
}
|
||||
|
||||
+ if (--h2c->priority_limit == 0) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent too many PRIORITY frames");
|
||||
+
|
||||
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
|
||||
+ }
|
||||
+
|
||||
if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
|
||||
return ngx_http_v2_state_save(h2c, pos, end,
|
||||
ngx_http_v2_state_priority);
|
||||
@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
|
||||
h2c->processing++;
|
||||
}
|
||||
|
||||
+ h2c->priority_limit += h2scf->concurrent_streams;
|
||||
+
|
||||
return stream;
|
||||
}
|
||||
|
||||
diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
|
||||
index 715b7d3..69d55d1 100644
|
||||
--- a/src/http/v2/ngx_http_v2.h
|
||||
+++ b/src/http/v2/ngx_http_v2.h
|
||||
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
|
||||
ngx_uint_t processing;
|
||||
ngx_uint_t frames;
|
||||
ngx_uint_t idle;
|
||||
+ ngx_uint_t priority_limit;
|
||||
|
||||
ngx_uint_t pushing;
|
||||
ngx_uint_t concurrent_pushes;
|
30
SOURCES/nginx-1.14.1-CVE-2019-9516.patch
Normal file
30
SOURCES/nginx-1.14.1-CVE-2019-9516.patch
Normal file
@ -0,0 +1,30 @@
|
||||
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
|
||||
index 0aaea47..fd6ecb0 100644
|
||||
--- a/src/http/v2/ngx_http_v2.c
|
||||
+++ b/src/http/v2/ngx_http_v2.c
|
||||
@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
|
||||
header->name.len = h2c->state.field_end - h2c->state.field_start;
|
||||
header->name.data = h2c->state.field_start;
|
||||
|
||||
+ if (header->name.len == 0) {
|
||||
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
|
||||
+ "client sent zero header name length");
|
||||
+
|
||||
+ return ngx_http_v2_connection_error(h2c,
|
||||
+ NGX_HTTP_V2_PROTOCOL_ERROR);
|
||||
+ }
|
||||
+
|
||||
return ngx_http_v2_state_field_len(h2c, pos, end);
|
||||
}
|
||||
|
||||
@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
|
||||
ngx_uint_t i;
|
||||
ngx_http_core_srv_conf_t *cscf;
|
||||
|
||||
- if (header->name.len == 0) {
|
||||
- return NGX_ERROR;
|
||||
- }
|
||||
-
|
||||
r->invalid_header = 0;
|
||||
|
||||
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
|
@ -19,7 +19,7 @@
|
||||
Name: nginx
|
||||
Epoch: 1
|
||||
Version: 1.14.1
|
||||
Release: 8%{?dist}
|
||||
Release: 9%{?dist}
|
||||
|
||||
Summary: A high performance web server and reverse proxy server
|
||||
Group: System Environment/Daemons
|
||||
@ -64,6 +64,13 @@ Patch4: nginx-1.14.1-perl-module-hardening.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1643647
|
||||
Patch5: nginx-1.14.1-enable-tls1v3-by-default.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1741860
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1735741
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
|
||||
Patch200: nginx-1.14.1-CVE-2019-9511.patch
|
||||
Patch201: nginx-1.14.1-CVE-2019-9513.patch
|
||||
Patch202: nginx-1.14.1-CVE-2019-9516.patch
|
||||
|
||||
%if 0%{?with_gperftools}
|
||||
BuildRequires: gperftools-devel
|
||||
%endif
|
||||
@ -204,6 +211,10 @@ Requires: nginx
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%patch200 -p1
|
||||
%patch201 -p1
|
||||
%patch202 -p1
|
||||
|
||||
cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
|
||||
|
||||
%if 0%{?rhel} > 0 && 0%{?rhel} < 8
|
||||
@ -474,6 +485,14 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Aug 30 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-9
|
||||
- Resolves: #1744811 - CVE-2019-9511 nginx:1.14/nginx: HTTP/2: large amount of
|
||||
data request leads to denial of service
|
||||
- Resolves: #1744325 - CVE-2019-9513 nginx:1.14/nginx: HTTP/2: flood using
|
||||
PRIORITY frames resulting in excessive resource consumption
|
||||
- Resolves: #1745094 - CVE-2019-9516 nginx:1.14/nginx: HTTP/2: 0-length
|
||||
headers leads to denial of service
|
||||
|
||||
* Wed Dec 12 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-8
|
||||
- enable TLS 1.3 by default (#1643647)
|
||||
- TLSv1.0 and TLSv1.1 can be enabled now (#1644746)
|
||||
|
Loading…
Reference in New Issue
Block a user