Upgrade to 1.21.5

2022-04-25 10:33:23 +08:00 · 2022-04-25 10:33:23 +08:00 · 93971862c2
commit 93971862c2
parent bd2ee6adc9
6 changed files with 11 additions and 77 deletions
--- a/CVE-2019-20372.patch
+++ b/CVE-2019-20372.patch
@ -1,28 +0,0 @@
-From c1be55f97211d38b69ac0c2027e6812ab8b1b94e Mon Sep 17 00:00:00 2001
-From: Ruslan Ermilov <ru@nginx.com>
-Date: Mon, 23 Dec 2019 15:45:46 +0300
-Subject: [PATCH] Discard request body when redirecting to a URL via
- error_page.
-
-Reported by Bert JW Regeer and Francisco Oca Gonzalez.
---
- src/http/ngx_http_special_response.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
-index 4ffb2cc8ad..76e6705889 100644
--- a/src/http/ngx_http_special_response.c
-+++ b/src/http/ngx_http_special_response.c
-@@ -606,6 +606,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
-         return ngx_http_named_location(r, &uri);
-     }
- 
-+    r->expect_tested = 1;
-+
-+    if (ngx_http_discard_request_body(r) != NGX_OK) {
-+        r->keepalive = 0;
-+    }
-+
-     location = ngx_list_push(&r->headers_out.headers);
- 
-     if (location == NULL) {
--- a/CVE-2021-23017.patch
+++ b/CVE-2021-23017.patch
@ -1,34 +0,0 @@
-From 7199ebc203f74fd9e44595474de6bdc41740c5cf Mon Sep 17 00:00:00 2001
-From: Maxim Dounin <mdounin@mdounin.ru>
-Date: Tue, 25 May 2021 15:17:36 +0300
-Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
-
-Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
---
- src/core/ngx_resolver.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
-index 7939070102..63b26193df 100644
--- a/src/core/ngx_resolver.c
-+++ b/src/core/ngx_resolver.c
-@@ -4008,15 +4008,15 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
-             n = *src++;
- 
-         } else {
-+            if (dst != name->data) {
-+                *dst++ = '.';
-+            }
-+
-             ngx_strlow(dst, src, n);
-             dst += n;
-             src += n;
- 
-             n = *src++;
-
-            if (n != 0) {
-                *dst++ = '.';
-            }
-         }
- 
-         if (n == 0) {
--- a/nginx-1.16.1.tar.gz
+++ b/nginx-1.16.1.tar.gz
--- a/nginx-1.21.5.tar.gz
+++ b/nginx-1.21.5.tar.gz
--- a/nginx.conf
+++ b/nginx.conf
@ -25,7 +25,7 @@ http {
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
-    types_hash_max_size 2048;
+    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
@ -36,17 +36,14 @@ http {
    include /etc/nginx/conf.d/*.conf;

    server {
-        listen       80 default_server;
-        listen       [::]:80 default_server;
+        listen       80;
+        listen       [::]:80;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

-        location / {
-        }
-
        error_page 404 /404.html;
            location = /40x.html {
        }
@ -59,8 +56,8 @@ http {
 # Settings for a TLS enabled server.
 #
 #    server {
-#        listen       443 ssl http2 default_server;
-#        listen       [::]:443 ssl http2 default_server;
+#        listen       443 ssl http2;
+#        listen       [::]:443 ssl http2;
 #        server_name  _;
 #        root         /usr/share/nginx/html;
 #
@ -74,9 +71,6 @@ http {
 #        # Load configuration files for the default server block.
 #        include /etc/nginx/default.d/*.conf;
 #
-#        location / {
-#        }
-#
 #        error_page 404 /404.html;
 #            location = /40x.html {
 #        }
--- a/nginx.spec
+++ b/nginx.spec
@ -13,8 +13,8 @@

 Name:              nginx
 Epoch:             1
-Version:           1.16.1
-Release:           11
+Version:           1.21.5
+Release:           1
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@ -33,9 +33,7 @@ Source210:         UPGRADE-NOTES-1.6-to-1.10

 Patch0:            nginx-auto-cc-gcc.patch
 Patch2:            nginx-1.12.1-logs-perm.patch
-Patch3:		   CVE-2019-20372.patch
 Patch4:            nginx-fix-pidfile.patch
-Patch5:            CVE-2021-23017.patch

 BuildRequires:     gcc openssl-devel pcre-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl pcre
@ -347,6 +345,10 @@ fi


 %changelog
+* Mon Apr 25 2022 houyingchao <houyingchao@h-partners.com> - 1:1.21.5-1
+- Upgrade to 1.21.5
+- Fix CVE-2021-3618
+
 * Tue Jun 15 2021 yanglu <yanglu72@huawei.com> - 1:1.16.1-11
 - Fix CVE-2021-23017