From d22de4a2b954375cc1bf6728c46615cb042a78c2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 17 2019 08:46:00 +0000 Subject: import nginx-1.14.1-9.module+el8.0.0+4108+af250afe --- diff --git a/SOURCES/nginx-1.14.1-CVE-2019-9511.patch b/SOURCES/nginx-1.14.1-CVE-2019-9511.patch new file mode 100644 index 0000000..93262a1 --- /dev/null +++ b/SOURCES/nginx-1.14.1-CVE-2019-9511.patch @@ -0,0 +1,70 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 12214e1..3b7f892 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -4335,6 +4335,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) + */ + pool = stream->pool; + ++ h2c->frames -= stream->frames; ++ + ngx_http_free_request(stream->request, rc); + + if (pool != h2c->state.pool) { +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index bec2216..715b7d3 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { + + ngx_buf_t *preread; + ++ ngx_uint_t frames; ++ + ngx_http_v2_out_frame_t *free_frames; + ngx_chain_t *free_frame_headers; + ngx_chain_t *free_bufs; +diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c +index 029e8ec..c7ee553 100644 +--- a/src/http/v2/ngx_http_v2_filter_module.c ++++ b/src/http/v2/ngx_http_v2_filter_module.c +@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t * + ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, + size_t len, ngx_chain_t *first, ngx_chain_t *last) + { +- u_char flags; +- ngx_buf_t *buf; +- ngx_chain_t *cl; +- ngx_http_v2_out_frame_t *frame; ++ u_char flags; ++ ngx_buf_t *buf; ++ ngx_chain_t *cl; ++ ngx_http_v2_out_frame_t *frame; ++ ngx_http_v2_connection_t *h2c; + + frame = stream->free_frames; ++ h2c = stream->connection; + + if (frame) { + stream->free_frames = frame->next; + +- } else { ++ } else if (h2c->frames < 10000) { + frame = ngx_palloc(stream->request->pool, + sizeof(ngx_http_v2_out_frame_t)); + if (frame == NULL) { + return NULL; + } ++ ++ stream->frames++; ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; diff --git a/SOURCES/nginx-1.14.1-CVE-2019-9513.patch b/SOURCES/nginx-1.14.1-CVE-2019-9513.patch new file mode 100644 index 0000000..9559598 --- /dev/null +++ b/SOURCES/nginx-1.14.1-CVE-2019-9513.patch @@ -0,0 +1,47 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 3b7f892..0aaea47 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev) + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + + h2c->concurrent_pushes = h2scf->concurrent_pushes; ++ h2c->priority_limit = h2scf->concurrent_streams; + + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { +@@ -1798,6 +1799,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); + } + ++ if (--h2c->priority_limit == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many PRIORITY frames"); ++ ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); ++ } ++ + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { + return ngx_http_v2_state_save(h2c, pos, end, + ngx_http_v2_state_priority); +@@ -3112,6 +3120,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push) + h2c->processing++; + } + ++ h2c->priority_limit += h2scf->concurrent_streams; ++ + return stream; + } + +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 715b7d3..69d55d1 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t priority_limit; + + ngx_uint_t pushing; + ngx_uint_t concurrent_pushes; diff --git a/SOURCES/nginx-1.14.1-CVE-2019-9516.patch b/SOURCES/nginx-1.14.1-CVE-2019-9516.patch new file mode 100644 index 0000000..3865174 --- /dev/null +++ b/SOURCES/nginx-1.14.1-CVE-2019-9516.patch @@ -0,0 +1,30 @@ +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 0aaea47..fd6ecb0 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -1549,6 +1549,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, + header->name.len = h2c->state.field_end - h2c->state.field_start; + header->name.data = h2c->state.field_start; + ++ if (header->name.len == 0) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent zero header name length"); ++ ++ return ngx_http_v2_connection_error(h2c, ++ NGX_HTTP_V2_PROTOCOL_ERROR); ++ } ++ + return ngx_http_v2_state_field_len(h2c, pos, end); + } + +@@ -3259,10 +3267,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) + ngx_uint_t i; + ngx_http_core_srv_conf_t *cscf; + +- if (header->name.len == 0) { +- return NGX_ERROR; +- } +- + r->invalid_header = 0; + + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index b939fe8..3c4911c 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -19,7 +19,7 @@ Name: nginx Epoch: 1 Version: 1.14.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons @@ -64,6 +64,13 @@ Patch4: nginx-1.14.1-perl-module-hardening.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1643647 Patch5: nginx-1.14.1-enable-tls1v3-by-default.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1741860 +# https://bugzilla.redhat.com/show_bug.cgi?id=1735741 +# https://bugzilla.redhat.com/show_bug.cgi?id=1741864 +Patch200: nginx-1.14.1-CVE-2019-9511.patch +Patch201: nginx-1.14.1-CVE-2019-9513.patch +Patch202: nginx-1.14.1-CVE-2019-9516.patch + %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif @@ -204,6 +211,10 @@ Requires: nginx %patch4 -p1 %patch5 -p1 +%patch200 -p1 +%patch201 -p1 +%patch202 -p1 + cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . %if 0%{?rhel} > 0 && 0%{?rhel} < 8 @@ -474,6 +485,14 @@ fi %changelog +* Fri Aug 30 2019 Lubos Uhliarik - 1:1.14.1-9 +- Resolves: #1744811 - CVE-2019-9511 nginx:1.14/nginx: HTTP/2: large amount of + data request leads to denial of service +- Resolves: #1744325 - CVE-2019-9513 nginx:1.14/nginx: HTTP/2: flood using + PRIORITY frames resulting in excessive resource consumption +- Resolves: #1745094 - CVE-2019-9516 nginx:1.14/nginx: HTTP/2: 0-length + headers leads to denial of service + * Wed Dec 12 2018 Lubos Uhliarik - 1:1.14.1-8 - enable TLS 1.3 by default (#1643647) - TLSv1.0 and TLSv1.1 can be enabled now (#1644746)