rpms/nginx
6
0
Fork 1
Code Issues Pull Requests Releases Activity

Debrand for AlmaLinux

Browse Source
This commit is contained in:
Eduard Abdullin 2025-03-11 07:51:07 +00:00 committed by root
commit df858a5768
5 changed files with 80 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
SOURCES/404.html
View File

@ -111,7 +111,7 @@
alt="[ Powered by nginx ]" alt="[ Powered by nginx ]"
width="121" height="32" /></a> width="121" height="32" /></a>
<a href="http://www.almalinux.org/"><img <a href="http://www.almalinux.org/"><img
src="poweredby.png" src="/icons/poweredby.png
alt="[ Powered by AlmaLinux ]" alt="[ Powered by AlmaLinux ]"
width="124" height="32" /></a> width="124" height="32" /></a>
</div> </div>

6
SOURCES/50x.html
View File

@ -15,10 +15,10 @@
padding: 0; padding: 0;
} }
:link { :link {
color: #0B2335; color: #c00;
} }
:visited { :visited {
color: #0B2335; color: #c00;
} }
a:hover { a:hover {
color: #0069DA; color: #0069DA;
@ -111,7 +111,7 @@
alt="[ Powered by nginx ]" alt="[ Powered by nginx ]"
width="121" height="32" /></a> width="121" height="32" /></a>
<a href="http://www.almalinux.org/"><img <a href="http://www.almalinux.org/"><img
src="poweredby.png" src="/icons/poweredby.png
alt="[ Powered by AlmaLinux ]" alt="[ Powered by AlmaLinux ]"
width="124" height="32" /></a> width="124" height="32" /></a>
</div> </div>

45
SOURCES/nginx-1.20.1-CVE-2025-23419.patch Normal file
View File

@ -0,0 +1,45 @@
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 684fabd..404aa77 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
goto done;
}
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION \
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+
+ /*
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+ * but servername being negotiated in every TLSv1.3 handshake
+ * is only returned in OpenSSL 1.1.1+ as well
+ */
+
+ if (sscf->verify) {
+ const char *hostname;
+
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+ c->ssl->handshake_rejected = 1;
+ *ad = SSL_AD_ACCESS_DENIED;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ }
+
+#endif
+
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
goto error;
@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
ngx_set_connection_log(c, clcf->error_log);
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
-
c->ssl->buffer_size = sscf->buffer_size;
if (sscf->ssl.ctx) {

3
SOURCES/nginx.sysusers Normal file
View File

@ -0,0 +1,3 @@
#Type Name ID GECOS Home directory Shell
g nginx -
u nginx - "Nginx web server" /var/lib/nginx /sbin/nologin

36
SPECS/nginx.spec
View File

@ -41,7 +41,7 @@
Name: nginx Name: nginx
Epoch: 2 Epoch: 2
Version: 1.20.1 Version: 1.20.1
Release: 20%{?dist}.alma.1 Release: 22%{?dist}.alma.1
Summary: A high performance web server and reverse proxy server Summary: A high performance web server and reverse proxy server
# BSD License (two clause) # BSD License (two clause)
@ -62,6 +62,7 @@ Source13: nginx-upgrade
Source14: nginx-upgrade.8 Source14: nginx-upgrade.8
Source15: macros.nginxmods.in Source15: macros.nginxmods.in
Source16: nginxmods.attr Source16: nginxmods.attr
Source17: nginx.sysusers
Source102: nginx-logo.png Source102: nginx-logo.png
Source103: 404.html Source103: 404.html
Source104: 50x.html Source104: 50x.html
@ -100,6 +101,9 @@ Patch8: 0009-defer-ENGINE_finish-calls-to-a-cleanup.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-40075 # upstream patch - https://issues.redhat.com/browse/RHEL-40075
Patch9: 0010-Optimized-chain-link-usage.patch Patch9: 0010-Optimized-chain-link-usage.patch
# upstream patch - https://issues.redhat.com/browse/RHEL-78236
Patch10: nginx-1.20.1-CVE-2025-23419.patch
BuildRequires: make BuildRequires: make
BuildRequires: gcc BuildRequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
@ -134,9 +138,9 @@ Recommends: logrotate
Requires: %{name}-core = %{epoch}:%{version}-%{release} Requires: %{name}-core = %{epoch}:%{version}-%{release}
BuildRequires: systemd BuildRequires: systemd
Requires(post): systemd BuildRequires: systemd-rpm-macros
Requires(preun): systemd %{?systemd_requires}
Requires(postun): systemd
# For external nginx modules # For external nginx modules
Provides: nginx(abi) = %{nginx_abiversion} Provides: nginx(abi) = %{nginx_abiversion}
@ -176,7 +180,7 @@ Meta package that installs all available nginx modules.
%package filesystem %package filesystem
Summary: The basic directory layout for the Nginx server Summary: The basic directory layout for the Nginx server
BuildArch: noarch BuildArch: noarch
Requires(pre): shadow-utils %{?sysusers_requires_compat}
%description filesystem %description filesystem
The nginx-filesystem package contains the basic directory layout The nginx-filesystem package contains the basic directory layout
@ -466,14 +470,11 @@ sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
## Install dependency generator ## Install dependency generator
install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}
# install sysusers file
install -p -D -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/nginx.conf
%pre filesystem %pre filesystem
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} %sysusers_create_compat %{SOURCE17}
getent passwd %{nginx_user} > /dev/null || \
useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
exit 0
%post %post
%systemd_post nginx.service %systemd_post nginx.service
@ -574,6 +575,7 @@ fi
%dir %{_sysconfdir}/nginx/default.d %dir %{_sysconfdir}/nginx/default.d
%dir %{_sysconfdir}/systemd/system/nginx.service.d %dir %{_sysconfdir}/systemd/system/nginx.service.d
%dir %{_unitdir}/nginx.service.d %dir %{_unitdir}/nginx.service.d
%{_sysusersdir}/nginx.conf
%if %{with geoip} %if %{with geoip}
%files mod-http-geoip %files mod-http-geoip
@ -611,11 +613,19 @@ fi
%changelog %changelog
* Mon Sep 30 2024 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-20.alma.1 * Tue Mar 11 2025 Eduard Abdullin <eabdullin@almalinux.org> - 2:1.20.1-22.alma.1
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Thu Feb 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-22
- Resolves: RHEL-78236 - nginx: TLS Session Resumption
Vulnerability (CVE-2025-23419)
* Wed Feb 05 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-21
- Resolves: RHEL-77486 - [RFE] nginx use systemd-sysusers
* Mon Jul 15 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-20 * Mon Jul 15 2024 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-20
- Resolves: RHEL-40075 - nginx worker processes memory leak - Resolves: RHEL-40075 - nginx worker processes memory leak
* Mon Jun 10 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-19 * Mon Jun 10 2024 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-19
- Resolves: RHEL-40371- openssl 3.2 ENGINE regression - Resolves: RHEL-40371- openssl 3.2 ENGINE regression
@ -630,8 +640,10 @@ fi
* Thu Nov 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14 * Thu Nov 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14
- Resolves: #2086527 - Fix logrotate config and nginx log dir permissions - Resolves: #2086527 - Fix logrotate config and nginx log dir permissions
* Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13 * Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13
- Resolves: #2099752 - nginx minimisation for ubi-micro - Resolves: #2099752 - nginx minimisation for ubi-micro
* Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11 * Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11
- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9 - Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9