diff --git a/.gitignore b/.gitignore
index 4307b52..7d5d140 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/nginx-1.16.0.tar.gz
+SOURCES/nginx-1.16.1.tar.gz
 SOURCES/poweredby.png
diff --git a/.nginx.metadata b/.nginx.metadata
index 32eecea..7195b7f 100644
--- a/.nginx.metadata
+++ b/.nginx.metadata
@@ -1,2 +1,2 @@
-5e2fe78453ecc983247223d73ad2129509ef2564 SOURCES/nginx-1.16.0.tar.gz
+77ce4d26481b62f7a9d83e399454df0912f01a4b SOURCES/nginx-1.16.1.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png
diff --git a/SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch b/SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch
index 6a2150d..553ea79 100644
--- a/SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch
+++ b/SOURCES/nginx-1.16.0-enable-tls1v3-by-default.patch
@@ -1,5 +1,5 @@
 diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index ab3865a..e6d8bb7 100644
+index 345914f..d23967f 100644
 --- a/src/event/ngx_event_openssl.c
 +++ b/src/event/ngx_event_openssl.c
 @@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
@@ -11,7 +11,7 @@ index ab3865a..e6d8bb7 100644
 ssl->ctx = SSL_CTX_new(SSLv23_method());
 if (ssl->ctx == NULL) {
-@@ -316,39 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
+@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
@@ -19,22 +19,47 @@ index ab3865a..e6d8bb7 100644
 - /* only in 0.9.8m+ */
 - SSL_CTX_clear_options(ssl->ctx,
 - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+-#endif
+-
+- if (!(protocols & NGX_SSL_SSLv2)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
+- }
+- if (!(protocols & NGX_SSL_SSLv3)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
+- }
+- if (!(protocols & NGX_SSL_TLSv1)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
+- }
+-#ifdef SSL_OP_NO_TLSv1_1
+- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+- if (!(protocols & NGX_SSL_TLSv1_1)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
+- }
 + if (protocols){
 +#ifdef SSL_OP_NO_TLSv1_3
 + if (protocols & NGX_SSL_TLSv1_3) {
 + prot = TLS1_3_VERSION;
 + } else
-+#endif
-+#ifdef SSL_OP_NO_TLSv1_2
+ #endif
+ #ifdef SSL_OP_NO_TLSv1_2
+- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+- if (!(protocols & NGX_SSL_TLSv1_2)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
+- }
 + if (protocols & NGX_SSL_TLSv1_2) {
 + prot = TLS1_2_VERSION;
 + } else
-+#endif
+ #endif
+-#ifdef SSL_OP_NO_TLSv1_3
+- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+- if (!(protocols & NGX_SSL_TLSv1_3)) {
+- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
+- }
 +#ifdef SSL_OP_NO_TLSv1_1
 + if (protocols & NGX_SSL_TLSv1_1) {
 + prot = TLS1_1_VERSION;
 + } else
-+#endif
+ #endif
 + if (protocols & NGX_SSL_TLSv1) {
 + prot = TLS1_VERSION;
 + }
@@ -44,7 +69,10 @@ index ab3865a..e6d8bb7 100644
 + "No SSL protocols available [hint: ssl_protocols]");
 + return NGX_ERROR;
 + }
-+
+
+-#ifdef SSL_CTX_set_min_proto_version
+- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
 + SSL_CTX_set_max_proto_version(ssl->ctx, prot);
 +
 + /* Now, we have to scan for minimal protocol version,
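Review bot: The version-selection chain that starts at `+ if (protocols){` attaches each `if` to the previous branch's `} else` across an `#endif`, so every guarded section must end in `} else` or the next `if` silently becomes an unconditional statement, and nothing in the code says so. A one-line comment above the block, `/* each #ifdef'd branch must end in "else": the chain continues past #endif */`, would protect the next editor, and `if (protocols) {` matches the spacing used elsewhere in the file. The removed `+-` lines drop all handling of NGX_SSL_SSLv2 and NGX_SSL_SSLv3 while the new chain tests only the TLS bits, so an `ssl_protocols` value naming only SSLv3 appears to fall into the `"No SSL protocols available"` error branch; that branch starts in the gap between this hunk and the next, so this is inferred from the visible lines only. The enclosing ngx_ssl_create() body runs outside the hunk on both sides.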
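Review bot: The return value of `SSL_CTX_set_max_proto_version(ssl->ctx, prot)` is ignored; OpenSSL returns 0 when the library cannot honour the requested version, and the context would then keep its default ceiling while the configured `ssl_protocols` appears to be enforced. I would change it to `if (SSL_CTX_set_max_proto_version(ssl->ctx, prot) == 0) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_set_max_proto_version() failed"); return NGX_ERROR; }`, and the same applies to `SSL_CTX_set_min_proto_version(ssl->ctx, prot)` in the following `@@ -55,43 +83,24 @@` hunk. The removed `#ifdef SSL_CTX_set_min_proto_version` guard is what previously kept these calls conditional on library support; the context `#endif` that opens the next hunk suggests some guard still encloses the new code, but the `#ifdef` pairing with it is not visible here and should be confirmed. The function body continues outside the hunk on both sides.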
@@ -55,43 +83,24 @@ index ab3865a..e6d8bb7 100644
 + }
 #endif
-- if (!(protocols & NGX_SSL_SSLv2)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
-- }
-- if (!(protocols & NGX_SSL_SSLv3)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
-- }
-- if (!(protocols & NGX_SSL_TLSv1)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
-- }
- #ifdef SSL_OP_NO_TLSv1_1
-- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
-- if (!(protocols & NGX_SSL_TLSv1_1)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
-- }
+-#ifdef TLS1_3_VERSION
+- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+- SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
++#ifdef SSL_OP_NO_TLSv1_1
 + if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
 + prot = TLS1_1_VERSION;
 + }
- #endif
- #ifdef SSL_OP_NO_TLSv1_2
-- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
-- if (!(protocols & NGX_SSL_TLSv1_2)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
-- }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
 + if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
 + prot = TLS1_VERSION;
 + }
 #endif
--#ifdef SSL_OP_NO_TLSv1_3
-- SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
-- if (!(protocols & NGX_SSL_TLSv1_3)) {
-- SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
 + SSL_CTX_set_min_proto_version(ssl->ctx, prot);
- }
--#endif
++ }
- #ifdef SSL_CTX_set_min_proto_version
- SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+ #ifdef SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
 diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
 index 61da0c5..fa7ac41 100644
 --- a/src/event/ngx_event_openssl.h
diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec
index 6ed98df..09a2f5b 100644
--- a/SPECS/nginx.spec
+++ b/SPECS/nginx.spec
@@ -18,7 +18,7 @@
 Name: nginx
 Epoch: 1
-Version: 1.16.0
+Version: 1.16.1
 Release: 1%{?dist}
 Summary: A high performance web server and reverse proxy server
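Review bot: The step that lowers the minimum from TLS 1.1 to TLS 1.0, `if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1))`, is wrapped in `#ifdef SSL_OP_NO_TLSv1_2`, a guard for an unrelated version; `prot` can only be TLS1_1_VERSION when the preceding `#ifdef SSL_OP_NO_TLSv1_1` section compiled, so that is the matching guard, or none at all since TLS1_VERSION is always defined. The scan also lowers the minimum by exactly one adjacent version per step, so a non-contiguous list such as `ssl_protocols TLSv1.2 TLSv1;` ends with both minimum and maximum at TLS 1.2 and the listed TLSv1 is dropped with no diagnostic; a min/max range cannot express a hole, so a comment stating that only contiguous ranges are honoured, or a log line when a requested version is skipped, would make the narrowing visible to operators. The TLS 1.3 to TLS 1.2 step and the comment introducing the scan sit in the gap before this hunk, so I cannot see whether they share the guard problem.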
@@ -461,6 +461,19 @@ fi
 %changelog
+* Thu Aug 29 2019 Lubos Uhliarik - 1:1.16.1-1
+- update to 1.16.1
+- Resolves: #1745697 - CVE-2019-9511 nginx:1.16/nginx: HTTP/2: large amount
+ of data request leads to denial of service
+- Resolves: #1745690 - CVE-2019-9513 nginx:1.16/nginx: HTTP/2: flood using
+ PRIORITY frames resulting in excessive resource consumption
+- Resolves: #1745645 - CVE-2019-9516 nginx:1.16/nginx: HTTP/2: 0-length
+ headers leads to denial of service
+
+* Wed Jun 26 2019 Lubos Uhliarik - 1:1.16.0-2
+- Resolves: #1718929 - ssl_protocols config option has faulty behavior
+ in nginx:1.16
+
 * Mon May 06 2019 Lubos Uhliarik - 1:1.16.0-1
 - new version 1.16.0
 - enable ngx_stream_ssl_preread module