7 changed files with 148 additions and 120 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/nginx-1.16.1.tar.gz
+SOURCES/nginx-1.14.1.tar.gz
 SOURCES/poweredby.png
--- a/.nginx.metadata
+++ b/.nginx.metadata
@ -1,2 +1,2 @@
-77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
+a9dc8c5b055a3f0021d09c112d27422f45dd439c SOURCES/nginx-1.14.1.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png
--- a/SOURCES/0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
+++ b/SOURCES/0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
@ -0,0 +1,30 @@
 From f446736d4f4c5f7ae81bb8bf84fda7ce3c9d49a0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
 Date: Wed, 24 Jan 2018 12:37:48 +0100
 Subject: [PATCH] unix/ngx_user: Apply fix for really old bug in glibc libcrypt
 if needed
 ---
 src/os/unix/ngx_user.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/src/os/unix/ngx_user.c b/src/os/unix/ngx_user.c
 index 7ebe2b57..d0fe9238 100644
 --- a/src/os/unix/ngx_user.c
 +++ b/src/os/unix/ngx_user.c
@@ -21,8 +21,10 @@ ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
     struct crypt_data   cd;
     cd.initialized = 0;
 -#ifdef __GLIBC__
 -    /* work around the glibc bug */
 +#if (defined(__GLIBC__) && __GLIBC__ == 2) && \
 +    (defined(__GLIBC_MINOR__) && __GLIBC_MINOR__ >= 2 && __GLIBC_MINOR__ < 4)
 +    /* work around glibc-2.2.5 bug,
 +     * has been fixed at some time in glibc-2.3.X */
     cd.current_salt[0] = ~salt[0];
 #endif
 -- 
 2.16.1
--- a/SOURCES/nginx-1.14.0-pkcs11.patch
+++ b/SOURCES/nginx-1.14.0-pkcs11.patch
@ -0,0 +1,42 @@
 # HG changeset patch
 # User Anderson Sasaki <ansasaki@redhat.com>
 # Date 1533742801 -7200
 #      Wed Aug 08 17:40:01 2018 +0200
 # Node ID ae457c9b2967da1b05aefcf1e81c099e9375c0d7
 # Parent  ba971deb4b447662e3c47fcc860b34d43469162a
 SSL: added ENGINE_init() call before loading key.
 It is necessary to call ENGINE_init() before using an OpenSSL engine
 to get the engine functional reference.  Without this, when
 ENGINE_load_private_key() is called, the engine is still uninitialized.
 diff -r ba971deb4b44 -r ae457c9b2967 src/event/ngx_event_openssl.c
 --- a/src/event/ngx_event_openssl.c	Tue Aug 07 02:16:07 2018 +0300
 +++ b/src/event/ngx_event_openssl.c	Wed Aug 08 17:40:01 2018 +0200
@@ -533,6 +533,13 @@
             return NGX_ERROR;
         }
 +        if (!ENGINE_init(engine)) {
 +            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 +                          "ENGINE_init(\"%s\") failed", p);
 +            ENGINE_free(engine);
 +            return NGX_ERROR;
 +        }
 +
         *last++ = ':';
         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
@@ -540,10 +547,12 @@
         if (pkey == NULL) {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                           "ENGINE_load_private_key(\"%s\") failed", last);
 +            ENGINE_finish(engine);
             ENGINE_free(engine);
             return NGX_ERROR;
         }
 +        ENGINE_finish(engine);
         ENGINE_free(engine);
         if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
--- a/SOURCES/nginx-1.14.1-enable-tls1v3-by-default.patch
+++ b/SOURCES/nginx-1.14.1-enable-tls1v3-by-default.patch
@ -1,8 +1,8 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 345914f..d23967f 100644
+index 570abd7..ac37936 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
-@@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
+@@ -232,6 +232,8 @@ ngx_ssl_init(ngx_log_t *log)
 ngx_int_t
 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
 {
@ -11,16 +11,34 @@ index 345914f..d23967f 100644
     ssl->ctx = SSL_CTX_new(SSLv23_method());
     if (ssl->ctx == NULL) {
-@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -296,39 +298,53 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
+-#ifdef SSL_CTRL_CLEAR_OPTIONS
 -    /* only in 0.9.8m+ */
 -    SSL_CTX_clear_options(ssl->ctx,
 -                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
-#endif
+    if (protocols){
-
+#ifdef SSL_OP_NO_TLSv1_3
 +        if (protocols & NGX_SSL_TLSv1_3) {
 +            prot = TLS1_3_VERSION;
 +        } else
 +#endif
 +#ifdef SSL_OP_NO_TLSv1_2
 +        if (protocols & NGX_SSL_TLSv1_2) {
 +            prot =  TLS1_2_VERSION;
 +        } else
 +#endif
 +#ifdef SSL_OP_NO_TLSv1_1
 +        if (protocols & NGX_SSL_TLSv1_1) {
 +            prot = TLS1_1_VERSION;
 +        } else
 #endif
 +        if (protocols & NGX_SSL_TLSv1) {
 +            prot = TLS1_VERSION;
 +        }
 -    if (!(protocols & NGX_SSL_SSLv2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
 -    }
@ -30,49 +48,12 @@ index 345914f..d23967f 100644
 -    if (!(protocols & NGX_SSL_TLSv1)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
 -    }
 -#ifdef SSL_OP_NO_TLSv1_1
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
 -    if (!(protocols & NGX_SSL_TLSv1_1)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
 -    }
 +    if (protocols){
 +#ifdef SSL_OP_NO_TLSv1_3
 +        if (protocols & NGX_SSL_TLSv1_3) {
 +            prot = TLS1_3_VERSION;
 +        } else
 #endif
 #ifdef SSL_OP_NO_TLSv1_2
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    if (!(protocols & NGX_SSL_TLSv1_2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    }
 +        if (protocols & NGX_SSL_TLSv1_2) {
 +            prot =  TLS1_2_VERSION;
 +        } else
 #endif
 -#ifdef SSL_OP_NO_TLSv1_3
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 -    if (!(protocols & NGX_SSL_TLSv1_3)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 -    }
 +#ifdef SSL_OP_NO_TLSv1_1
 +        if (protocols & NGX_SSL_TLSv1_1) {
 +            prot = TLS1_1_VERSION;
 +        } else
 #endif
 +        if (protocols & NGX_SSL_TLSv1) {
 +            prot = TLS1_VERSION;
 +        }
 +
 +        if (prot == NGX_SSL_NO_PROT) {
 +                    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
 +                      "No SSL protocols available [hint: ssl_protocols]");
 +            return NGX_ERROR;
 +        }
- 
+
 -#ifdef SSL_CTX_set_min_proto_version
 -    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 -    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
 +        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
 +
 +        /* Now, we have to scan for minimal protocol version,
@ -81,31 +62,40 @@ index 345914f..d23967f 100644
 +        if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
 +            prot = TLS1_2_VERSION;
 +        }
- #endif
+#endif
- 
+ #ifdef SSL_OP_NO_TLSv1_1
-#ifdef TLS1_3_VERSION
+-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+-    if (!(protocols & NGX_SSL_TLSv1_1)) {
-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
+-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
-+#ifdef SSL_OP_NO_TLSv1_1
+-    }
 +        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
 +            prot = TLS1_1_VERSION;
 +        }
-+#endif
+ #endif
-+#ifdef SSL_OP_NO_TLSv1_2
+ #ifdef SSL_OP_NO_TLSv1_2
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    if (!(protocols & NGX_SSL_TLSv1_2)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
 -    }
 +        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
 +            prot = TLS1_VERSION;
 +        }
 #endif
 -#ifdef SSL_OP_NO_TLSv1_3
 -    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 -    if (!(protocols & NGX_SSL_TLSv1_3)) {
 -        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 +        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
-+    }
+     }
 -#endif
 #ifdef SSL_OP_NO_COMPRESSION
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
-index 61da0c5..fa7ac41 100644
+index 623d851..6f3d7ee 100644
 --- a/src/event/ngx_event_openssl.h
 +++ b/src/event/ngx_event_openssl.h
-@@ -145,6 +145,7 @@ typedef struct {
+@@ -132,6 +132,7 @@ typedef struct {
 #endif
@ -114,11 +104,11 @@ index 61da0c5..fa7ac41 100644
 #define NGX_SSL_SSLv3    0x0004
 #define NGX_SSL_TLSv1    0x0008
 diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
-index b3f8f47..8340a12 100644
+index 7d62176..f9ef07d 100644
 --- a/src/http/modules/ngx_http_ssl_module.c
 +++ b/src/http/modules/ngx_http_ssl_module.c
-@@ -613,8 +613,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -590,8 +588,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
-     ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
+                          prev->prefer_server_ciphers, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
 -                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@ -128,10 +118,10 @@ index b3f8f47..8340a12 100644
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
                          NGX_SSL_BUFSIZE);
 diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
-index 5544f75..3316a4b 100644
+index aebd179..50c7023 100644
 --- a/src/mail/ngx_mail_ssl_module.c
 +++ b/src/mail/ngx_mail_ssl_module.c
-@@ -291,8 +291,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -285,8 +283,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
@ -142,10 +132,10 @@ index 5544f75..3316a4b 100644
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
-index ec9524e..37af046 100644
+index 3e5a1f2..c8fce57 100644
 --- a/src/stream/ngx_stream_ssl_module.c
 +++ b/src/stream/ngx_stream_ssl_module.c
-@@ -625,8 +625,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
+@@ -554,8 +552,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
                          prev->prefer_server_ciphers, 0);
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
--- a/SOURCES/nginx-1.16.0-pkcs11.patch
+++ b/SOURCES/nginx-1.16.0-pkcs11.patch
@ -1,29 +0,0 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
 index 7be4fb4..ab3865a 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
@@ -727,16 +727,24 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
             return NULL;
         }
 +        if (!ENGINE_init(engine)) {
 +            *err = "ENGINE_init() failed";
 +            ENGINE_free(engine);
 +            return NULL;
 +        }
 +
         *last++ = ':';
         pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
         if (pkey == NULL) {
             *err = "ENGINE_load_private_key() failed";
 +            ENGINE_finish(engine);
             ENGINE_free(engine);
             return NULL;
         }
 +        ENGINE_finish(engine);
         ENGINE_free(engine);
         return pkey;
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@ -18,8 +18,8 @@
 Name:              nginx
 Epoch:             1
-Version:           1.16.1
+Version:           1.14.1
-Release:           1%{?dist}
+Release:           8%{?dist}
 Summary:           A high performance web server and reverse proxy server
 Group:             System Environment/Daemons
@ -46,18 +46,23 @@ Source210:         UPGRADE-NOTES-1.6-to-1.10
 # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
 Patch0:            nginx-auto-cc-gcc.patch
 # Apply fix for bug in glibc libcrypt, if needed only.
 # That has been fixed some time in glibc-2.3.X and is
 # not needed with libxcrypt anyways.
 Patch1:            0001-unix-ngx_user-Apply-fix-for-really-old-bug-in-glibc-.patch
 # downstream patch - changing logs permissions to 664 instead
 # previous 644
-Patch1:            nginx-1.14.0-logs-perm.patch
+Patch2:            nginx-1.14.0-logs-perm.patch
 # PKCS#11 engine fix
-Patch2:            nginx-1.16.0-pkcs11.patch
+Patch3:            nginx-1.14.0-pkcs11.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1655530
-Patch3:            nginx-1.14.1-perl-module-hardening.patch
+Patch4:            nginx-1.14.1-perl-module-hardening.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1643647
-Patch4:            nginx-1.16.0-enable-tls1v3-by-default.patch
+Patch5:            nginx-1.14.1-enable-tls1v3-by-default.patch
 %if 0%{?with_gperftools}
 BuildRequires:     gperftools-devel
@ -68,7 +73,7 @@ BuildRequires:     zlib-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release}
-%if 0%{?rhel} > 0 && 0%{?rhel} < 8
+%if 0%{?rhel} || 0%{?fedora} < 24
 # Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
 Requires:          nginx-all-modules = %{epoch}:%{version}-%{release}
 %endif
@ -106,7 +111,15 @@ Requires:          nginx-mod-mail = %{epoch}:%{version}-%{release}
 Requires:          nginx-mod-stream = %{epoch}:%{version}-%{release}
 %description all-modules
-A meta package that installs all available Nginx modules.
+%{summary}.
 %if 0%{?rhel}
 The main nginx package depends on this to ease the upgrade path. After a grace
 period of several months, modules will become optional.
 %endif
 %if 0%{?fedora} && 0%{?fedora} < 24
 The main nginx package depends on this to ease the upgrade path. Starting from
 Fedora 24, modules are optional.
 %endif
 %package filesystem
 Group:             System Environment/Daemons
@ -189,6 +202,7 @@ Requires:          nginx
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} .
@ -227,7 +241,6 @@ export DESTDIR=%{buildroot}
    --with-http_ssl_module \
    --with-http_v2_module \
    --with-http_realip_module \
    --with-stream_ssl_preread_module \
    --with-http_addition_module \
    --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic \
@ -461,24 +474,6 @@ fi
 %changelog
 * Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.1-1
 - update to 1.16.1
 - Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
  of data request leads to denial of service
 - Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
  PRIORITY frames resulting in excessive resource consumption
 - Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
  headers leads to denial of service
 * Wed Jun 26 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-2
 - Resolves: #1718929 - ssl_protocols config option has faulty behavior
  in nginx:1.16
 * Mon May 06 2019 Lubos Uhliarik <luhliari@redhat.com> - 1:1.16.0-1
 - new version 1.16.0
 - enable ngx_stream_ssl_preread module
 - main package does NOT require all-modules package
 * Wed Dec 12 2018 Lubos Uhliarik <luhliari@redhat.com> - 1:1.14.1-8
 - enable TLS 1.3 by default (#1643647)
 - TLSv1.0 and TLSv1.1 can be enabled now (#1644746)
`@ -1,2 +1,2 @@`
	`SOURCES/nginx-1.16.1.tar.gz`	`SOURCES/nginx-1.14.1.tar.gz`
	`SOURCES/poweredby.png`	`SOURCES/poweredby.png`
`@ -1,2 +1,2 @@`
	`77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz`	`a9dc8c5b055a3f0021d09c112d27422f45dd439c SOURCES/nginx-1.14.1.tar.gz`
	`2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png`	`2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png`