diff --git a/SOURCES/404.html b/SOURCES/404.html index f98b83d..94c9d15 100644 --- a/SOURCES/404.html +++ b/SOURCES/404.html @@ -107,14 +107,14 @@
[ Powered by nginx ]
- \ No newline at end of file + diff --git a/SOURCES/50x.html b/SOURCES/50x.html index 53e02c2..b2d4adc 100644 --- a/SOURCES/50x.html +++ b/SOURCES/50x.html @@ -15,10 +15,10 @@ padding: 0; } :link { - color: #0B2335; + color: #c00; } :visited { - color: #0B2335; + color: #c00; } a:hover { color: #0069DA; @@ -107,14 +107,14 @@
[ Powered by nginx ]
- \ No newline at end of file + diff --git a/SOURCES/nginx-1.20.1-CVE-2025-23419.patch b/SOURCES/nginx-1.20.1-CVE-2025-23419.patch new file mode 100644 index 0000000..bee1c1c --- /dev/null +++ b/SOURCES/nginx-1.20.1-CVE-2025-23419.patch @@ -0,0 +1,45 @@ +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 684fabd..404aa77 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + goto error; +@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { diff --git a/SOURCES/nginx.sysusers b/SOURCES/nginx.sysusers new file mode 100644 index 0000000..7f08e39 --- /dev/null +++ b/SOURCES/nginx.sysusers @@ -0,0 +1,3 @@ +#Type Name ID GECOS Home directory Shell +g nginx - +u nginx - "Nginx web server" /var/lib/nginx /sbin/nologin diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 81e38a8..f634f75 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -41,7 +41,7 @@ Name: nginx Epoch: 2 Version: 1.20.1 -Release: 20%{?dist}.alma.1 +Release: 22%{?dist}.alma.1 Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -62,6 +62,7 @@ Source13: nginx-upgrade Source14: nginx-upgrade.8 Source15: macros.nginxmods.in Source16: nginxmods.attr +Source17: nginx.sysusers Source102: nginx-logo.png Source103: 404.html Source104: 50x.html @@ -100,6 +101,9 @@ Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch # upstream patch - https://issues.redhat.com/browse/RHEL-40075 Patch9: 0010-Optimized-chain-link-usage.patch +# upstream patch - https://issues.redhat.com/browse/RHEL-78236 +Patch10: nginx-1.20.1-CVE-2025-23419.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -134,9 +138,9 @@ Recommends: logrotate Requires: %{name}-core = %{epoch}:%{version}-%{release} BuildRequires: systemd -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd +BuildRequires: systemd-rpm-macros +%{?systemd_requires} + # For external nginx modules Provides: nginx(abi) = %{nginx_abiversion} @@ -176,7 +180,7 @@ Meta package that installs all available nginx modules. %package filesystem Summary: The basic directory layout for the Nginx server BuildArch: noarch -Requires(pre): shadow-utils +%{?sysusers_requires_compat} %description filesystem The nginx-filesystem package contains the basic directory layout @@ -466,14 +470,11 @@ sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \ ## Install dependency generator install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} - +# install sysusers file +install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf %pre filesystem -getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} -getent passwd %{nginx_user} > /dev/null || \ - useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \ - -s /sbin/nologin -c "Nginx web server" %{nginx_user} -exit 0 +%sysusers_create_compat %{SOURCE17} %post %systemd_post nginx.service @@ -574,6 +575,7 @@ fi %dir %{_sysconfdir}/nginx/default.d %dir %{_sysconfdir}/systemd/system/nginx.service.d %dir %{_unitdir}/nginx.service.d +%{_sysusersdir}/nginx.conf %if %{with geoip} %files mod-http-geoip @@ -611,11 +613,19 @@ fi %changelog -* Mon Sep 30 2024 Eduard Abdullin - 2:1.20.1-20.alma.1 +* Tue Mar 11 2025 Eduard Abdullin - 2:1.20.1-22.alma.1 - Debrand for AlmaLinux +* Thu Feb 13 2025 Luboš Uhliarik - 2:1.20.1-22 +- Resolves: RHEL-78236 - nginx: TLS Session Resumption + Vulnerability (CVE-2025-23419) + +* Wed Feb 05 2025 Luboš Uhliarik - 2:1.20.1-21 +- Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers + * Mon Jul 15 2024 Luboš Uhliarik - 2:1.20.1-20 - Resolves: RHEL-40075 - nginx worker processes memory leak + * Mon Jun 10 2024 Luboš Uhliarik - 1:1.20.1-19 - Resolves: RHEL-40371- openssl 3.2 ENGINE regression @@ -630,8 +640,10 @@ fi * Thu Nov 24 2022 Luboš Uhliarik - 1:1.20.1-14 - Resolves: #2086527 - Fix logrotate config and nginx log dir permissions + * Wed Jun 22 2022 Luboš Uhliarik - 1:1.20.1-13 - Resolves: #2099752 - nginx minimisation for ubi-micro + * Tue Jun 21 2022 Luboš Uhliarik - 1:1.20.1-11 - Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9