From ce0040fe250a9ddeed03d87879ba50bf225535fa Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Tue, 11 Mar 2025 07:50:58 +0000
Subject: [PATCH] import CS nginx-1.20.1-22.el9

---
 SOURCES/nginx-1.20.1-CVE-2025-23419.patch | 45 +++++++++++++++++++++++
 SOURCES/nginx.sysusers                    |  3 ++
 SPECS/nginx.spec                          | 31 ++++++++++------
 3 files changed, 68 insertions(+), 11 deletions(-)
 create mode 100644 SOURCES/nginx-1.20.1-CVE-2025-23419.patch
 create mode 100644 SOURCES/nginx.sysusers

diff --git a/SOURCES/nginx-1.20.1-CVE-2025-23419.patch b/SOURCES/nginx-1.20.1-CVE-2025-23419.patch
new file mode 100644
index 0000000..bee1c1c
--- /dev/null
+++ b/SOURCES/nginx-1.20.1-CVE-2025-23419.patch
@@ -0,0 +1,45 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 684fabd..404aa77 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
++    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
diff --git a/SOURCES/nginx.sysusers b/SOURCES/nginx.sysusers
new file mode 100644
index 0000000..7f08e39
--- /dev/null
+++ b/SOURCES/nginx.sysusers
@@ -0,0 +1,3 @@
+#Type Name     ID             GECOS                 Home directory Shell
+g nginx -
+u nginx - "Nginx web server" /var/lib/nginx /sbin/nologin
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 10ff561..7ee9dcb 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           20%{?dist}
+Release:           22%{?dist}
 
 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@@ -62,6 +62,7 @@ Source13:          nginx-upgrade
 Source14:          nginx-upgrade.8
 Source15:          macros.nginxmods.in
 Source16:          nginxmods.attr
+Source17:          nginx.sysusers
 Source102:         nginx-logo.png
 Source103:         404.html
 Source104:         50x.html
@@ -100,6 +101,9 @@ Patch8:            0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
 # upstream patch - https://issues.redhat.com/browse/RHEL-40075
 Patch9:            0010-Optimized-chain-link-usage.patch
 
+# upstream patch - https://issues.redhat.com/browse/RHEL-78236
+Patch10:           nginx-1.20.1-CVE-2025-23419.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -134,9 +138,9 @@ Recommends:        logrotate
 Requires:          %{name}-core = %{epoch}:%{version}-%{release}
 
 BuildRequires:     systemd
-Requires(post):    systemd
-Requires(preun):   systemd
-Requires(postun):  systemd
+BuildRequires:     systemd-rpm-macros
+%{?systemd_requires}
+
 # For external nginx modules
 Provides:          nginx(abi) = %{nginx_abiversion}
 
@@ -176,7 +180,7 @@ Meta package that installs all available nginx modules.
 %package filesystem
 Summary:           The basic directory layout for the Nginx server
 BuildArch:         noarch
-Requires(pre):     shadow-utils
+%{?sysusers_requires_compat}
 
 %description filesystem
 The nginx-filesystem package contains the basic directory layout
@@ -466,14 +470,11 @@ sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
 ## Install dependency generator
 install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}
 
-
+# install sysusers file
+install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf
 
 %pre filesystem
-getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
-getent passwd %{nginx_user} > /dev/null || \
-    useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
-    -s /sbin/nologin -c "Nginx web server" %{nginx_user}
-exit 0
+%sysusers_create_compat %{SOURCE17}
 
 %post
 %systemd_post nginx.service
@@ -574,6 +575,7 @@ fi
 %dir %{_sysconfdir}/nginx/default.d
 %dir %{_sysconfdir}/systemd/system/nginx.service.d
 %dir %{_unitdir}/nginx.service.d
+%{_sysusersdir}/nginx.conf
 
 %if %{with geoip}
 %files mod-http-geoip
@@ -611,6 +613,13 @@ fi
 
 
 %changelog
+* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
+- Resolves: RHEL-78236 - nginx: TLS Session Resumption
+  Vulnerability (CVE-2025-23419)
+
+* Wed Feb 05 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-21
+- Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers
+
 * Mon Jul 15 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-20
 - Resolves: RHEL-40075 - nginx worker processes memory leak