Debrand for AlmaLinux

2025-06-24 12:11:58 +00:00 · 2025-06-24 12:11:58 +00:00 · c838f0a476
commit c838f0a476
parent 36bcf6e877 ddb418ac3f
2 changed files with 48 additions and 2 deletions
--- a/SOURCES/0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+++ b/SOURCES/0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
@ -0,0 +1,39 @@
+From 633b8f4026a068f9fe30703469d1cdccdf14269c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
+Date: Thu, 24 Apr 2025 15:10:34 +0200
+Subject: [PATCH] SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
+
+A new behaviour was introduced in OpenSSL 1.1.1e, when a peer does not send
+close_notify before closing the connection.  Previously, it was to return
+SSL_ERROR_SYSCALL with errno 0, known since at least OpenSSL 0.9.7, and is
+handled gracefully in nginx.  Now it returns SSL_ERROR_SSL with a distinct
+reason SSL_R_UNEXPECTED_EOF_WHILE_READING ("unexpected eof while reading").
+This leads to critical errors seen in nginx within various routines such as
+SSL_do_handshake(), SSL_read(), SSL_shutdown().  The behaviour was restored
+in OpenSSL 1.1.1f, but presents in OpenSSL 3.0 by default.
+
+Use of the SSL_OP_IGNORE_UNEXPECTED_EOF option added in OpenSSL 3.0 allows
+to set a compatible behaviour to return SSL_ERROR_ZERO_RETURN:
+https://git.openssl.org/?p=openssl.git;a=commitdiff;h=09b90e0
+---
+ src/event/ngx_event_openssl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 61ff868..fe6bd08 100644
+--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
+@@ -394,6 +394,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+ #endif
+ 
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+#endif
+
+ #ifdef SSL_MODE_RELEASE_BUFFERS
+     SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
+ #endif
+-- 
+2.44.0
+
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           22%{?dist}.2.alma.1
+Release:           22%{?dist}.3.alma.1

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -111,6 +111,9 @@ Patch11:           0011-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
 #                - https://bugzilla.redhat.com/show_bug.cgi?id=2141495
 Patch12:           0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch

+# upstream patch - https://issues.redhat.com/browse/RHEL-6786
+Patch13:           0013-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -620,9 +623,13 @@ fi


 %changelog
-* Tue May 13 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.2.alma.1
+* Tue Jun 24 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.3.alma.1
 - Debrand for AlmaLinux

+* Wed May 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22.3
+- Resolves: RHEL-89991 - SSL-errors 0A000126 / NS_NET_ERROR_PARTIAL_TRANSFER at
+  nginx with reverse-proxy
+
 * Mon Mar 31 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22.2
 - Resolves: RHEL-85550 - nginx: Memory disclosure in the
  ngx_http_mp4_module (CVE-2022-41742)