Diffstat (limited to 'meta-openembedded/meta-webserver/recipes-httpd/nginx')
6 files changed, 134 insertions, 24 deletions
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
new file mode 100644
index 000000000..be42a1ed5
--- /dev/null
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch
@@ -0,0 +1,107 @@
+From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Wed, 19 May 2021 03:13:31 +0300
+Subject: [PATCH 1/1] Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+--- end of original header ---
+
+CVE: CVE-2021-3618
+
+Upstream-Status: Backport
+ https://github.com/nginx/nginx.git
+ commit 173f16f736c10eae46cd15dd861b04b82d91a37a
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ src/mail/ngx_mail.h | 3 +++
+ src/mail/ngx_mail_core_module.c | 10 ++++++++++
+ src/mail/ngx_mail_handler.c | 15 ++++++++++++++-
+ 3 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
+index b865a3b9..76cae37a 100644
+--- a/src/mail/ngx_mail.h
++++ b/src/mail/ngx_mail.h
+@@ -115,6 +115,8 @@ typedef struct {
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@ typedef struct {
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
+index 40831242..115671ca 100644
+--- a/src/mail/ngx_mail_core_module.c
++++ b/src/mail/ngx_mail_core_module.c
+@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = {
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf)
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = 
NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 0aaa0e78..71b81512 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + +-- +2.25.1 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc index de080a2b0..7637002f2 100644 --- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -26,10 +26,10 @@ SRC_URI = " \ inherit siteinfo update-rc.d useradd systemd -SYSTEMD_SERVICE_${PN} = "nginx.service" +SYSTEMD_SERVICE:${PN} = "nginx.service" -CFLAGS_append = " -fPIE -pie" -CXXFLAGS_append = " -fPIE -pie" +CFLAGS:append = " -fPIE -pie" +CXXFLAGS:append = " -fPIE -pie" NGINX_WWWDIR ?= "${localstatedir}/www/localhost" NGINX_USER ?= "www" 
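Review bot: In the backported `ngx_mail_handler.c` hunk inside CVE-2021-3618.patch, `if (s->errors >= cscf->max_errors)` is evaluated after `s->errors++`, and `max_errors` is parsed by `ngx_conf_set_num_slot` with no lower bound, so a configured `max_errors 0` closes the session on the first invalid command instead of switching the limit off; the patch does not say which was intended. The hunk shows no reset of `s->errors`, so the count appears to be per session rather than per run of consecutive errors. I would add above the check `/* hard limit per session, never reset; max_errors 0 closes on the first invalid command */`. The close is logged at `NGX_LOG_INFO`, so it will not appear unless the mail `error_log` level is `info` or `debug`, which matters if these closes are meant to be monitored. The body of `ngx_mail_read_command` starts and ends outside the hunk.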
@@ -65,7 +65,7 @@ do_configure () { --with-ptr-size=${PTRSIZE} \ --with-sig-atomic-t=${PTRSIZE} \ --with-size-t=${PTRSIZE} \ - --with-off-t=${PTRSIZE} \ + --with-off-t=8 \ --with-time-t=${PTRSIZE} \ --with-sys-nerr=132 \ --conf-path=${sysconfdir}/nginx/nginx.conf \ @@ -143,7 +143,7 @@ do_install () { rm -rf ${D}${localstatedir}/log/ } -pkg_postinst_${PN} () { +pkg_postinst:${PN} () { if [ -z "$D" ]; then if type systemd-tmpfiles >/dev/null; then systemd-tmpfiles --create @@ -153,12 +153,12 @@ pkg_postinst_${PN} () { fi } -FILES_${PN} += " \ +FILES:${PN} += " \ ${localstatedir}/ \ ${systemd_unitdir}/system/nginx.service \ " -CONFFILES_${PN} = " \ +CONFFILES:${PN} = " \ ${sysconfdir}/nginx/nginx.conf \ ${sysconfdir}/nginx/fastcgi.conf \ ${sysconfdir}/nginx/fastcgi_params \ @@ -174,7 +174,7 @@ INITSCRIPT_NAME = "nginx" INITSCRIPT_PARAMS = "defaults 92 20" USERADD_PACKAGES = "${PN}" -USERADD_PARAM_${PN} = " \ +USERADD_PARAM:${PN} = " \ --system --no-create-home \ --home ${NGINX_WWWDIR} \ --groups www-data \ diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.18.0.bb b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.18.0.bb deleted file mode 100644 index ac303e47d..000000000 --- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.18.0.bb +++ /dev/null @@ -1,6 +0,0 @@ -require nginx.inc - -LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075" - -SRC_URI[md5sum] = "b2d33d24d89b8b1f87ff5d251aa27eb8" -SRC_URI[sha256sum] = "4c373e7ab5bf91d34a4f11a0c9496561061ba5eee6020db272a17a7228d35f99" diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.19.6.bb b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.19.6.bb deleted file mode 100644 index 16c80cd09..000000000 --- a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.19.6.bb +++ /dev/null 
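Review bot: The `do_configure` hunk replaces `--with-off-t=${PTRSIZE}` with a literal `--with-off-t=8` and gives no reason, while `--with-size-t=${PTRSIZE}` and `--with-time-t=${PTRSIZE}` on the neighbouring lines stay target-dependent. The value is only right if every 32-bit target really builds nginx with a 64-bit `off_t` (large-file support); if one does not, the configured size would disagree with the compiled type, and nginx's offset parsing and formatting limits would presumably be wrong for file sizes and ranges. A comment above the configure invocation would record the assumption, e.g. `# off_t is 64-bit on all targets: nginx is built with large-file support`, or the flag that guarantees it should be set in the recipe. `do_configure` continues outside the hunk.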
@@ -1,10 +0,0 @@
-require nginx.inc
-
-# 1.18.x branch is the current stable branch, the recommended default
-# 1.19.x is the current mainline branches containing all new features
-DEFAULT_PREFERENCE = "-1"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=52e384aaac868b755b93ad5535e2d075"
-
-SRC_URI[md5sum] = "0be1d90b45b1bdfcf8339f299e74063a"
-SRC_URI[sha256sum] = "b11195a02b1d3285ddf2987e02c6b6d28df41bb1b1dd25f33542848ef4fc33b5"
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
new file mode 100644
index 000000000..d686c627f
--- /dev/null
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb
@@ -0,0 +1,9 @@
+require nginx.inc
+
+SRC_URI += "file://CVE-2021-3618.patch"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505"
+
+SRC_URI[md5sum] = "8ca6edd5076bdfad30a69c9c9b41cc68"
+SRC_URI[sha256sum] = "e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49"
+
diff --git a/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb
new file mode 100644
index 000000000..b69fd7dab
--- /dev/null
+++ b/meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb
@@ -0,0 +1,10 @@
+require nginx.inc
+
+# 1.20.x branch is the current stable branch, the recommended default
+# 1.21.x is the current mainline branches containing all new features
+DEFAULT_PREFERENCE = "-1"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505"
+
+SRC_URI[md5sum] = "7dce9e2136ec32dfd823736e871815b1"
+SRC_URI[sha256sum] = "68ba0311342115163a0354cad34f90c05a7e8bf689dc498abf07899eda155560" |