authorLeonardo Arena <rnalrd@alpinelinux.org>2019-08-20 12:24:33 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-08-20 12:24:47 +0000
commit181112be362642a3beea5c67e21985f3364b7b23 (patch)
tree5f57f78442f2588c31358a7dc3ae47f8183c6280 /main/nginx
parent20dd33ed391e86126662bbb87b9b3d904e12d0b1 (diff)
main/nginx: security fixes
Diffstat (limited to 'main/nginx')
-rw-r--r--main/nginx/APKBUILD14
-rw-r--r--main/nginx/CVE-2019-9511.patch87
-rw-r--r--main/nginx/CVE-2019-9513.patch62
-rw-r--r--main/nginx/CVE-2019-9516.patch45
4 files changed, 207 insertions, 1 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 2405943d06..179fbc9a45 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,6 +4,10 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.14.1-r1:
+# - CVE-2019-9511
+# - CVE-2019-9513
+# - CVE-2019-9516
# 1.14.1-r0:
# - CVE-2018-16843
# - CVE-2018-16844
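Review bot: The new secfixes label `# 1.14.1-r1:` at the top of this hunk does not match the package version this commit produces — the same APKBUILD sets `pkgver=1.14.2` and the next hunk bumps `pkgrel` to 1, so the build is 1.14.2-r1. The secfixes block is what the Alpine secdb is generated from, so a mislabelled entry records the three CVEs against a version that never shipped them and a scanner will not see 1.14.2-r1 as fixed. Change the line to `# 1.14.2-r1:`.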
@@ -15,7 +19,7 @@ pkgname=nginx
# NOTE: Upgrade only to even-numbered versions (e.g. 1.14.z, 1.16.z)!
# Odd-numbered versions are mainline (development) versions.
pkgver=1.14.2
-pkgrel=0
+pkgrel=1
# Revision of nginx-tests to use for check().
_tests_hgrev=d6daf03478ad
_njs_ver=0.2.0
@@ -38,7 +42,12 @@ replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
source="http://nginx.org/download/$pkgname-$pkgver.tar.gz
$pkgname-tests-$_tests_hgrev.tar.gz::http://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
$pkgname-njs-$_njs_ver.tar.gz::https://hg.nginx.org/njs/archive/$_njs_ver.tar.gz
+
njs~fix-test-exit-code.patch
+ CVE-2019-9511.patch
+ CVE-2019-9513.patch
+ CVE-2019-9516.patch
+
nginx.conf
default.conf
$pkgname.logrotate
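Review bot: The three CVE patches are listed as 9511, 9513, 9516, but the patch files themselves form an upstream series in a different order — their Subject lines read `[PATCH 1/3]` for CVE-2019-9516, `[PATCH 2/3]` for CVE-2019-9511 and `[PATCH 3/3]` for CVE-2019-9513, and their `index` lines chain 12214e15 → be2ef82b → 1b01f271 → fd6ecb05 in that order. abuild applies patches in source= order, so here they presumably only apply with line offsets against contexts produced by a patch that has not been applied yet; `patch` tolerates that today but it is fragile on the next version bump. Listing them in series order, `CVE-2019-9516.patch`, `CVE-2019-9511.patch`, `CVE-2019-9513.patch`, applies each against the tree it was generated from. The blank lines added inside the quoted source= list around the patch names are harmless to abuild but unusual for this file and could be dropped.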
@@ -287,6 +296,9 @@ sha512sums="d8362dbd86435657d6b13156bd6ad1b251d2ab10bc11cdda959b142dd6120b087e4b
775f8fcc55e0e670f7b509974cc9e9cfb56e4bd2a88d1c7716c96b63ad87c14fd6d07f293545639972e798fb20f81414ef6483451d00ae5a4eaa262ccf2cbc98 nginx-tests-d6daf03478ad.tar.gz
be07e635f5e0e50a28366b28180344568b5cca9d67c79bc80d0c6758d8d4097ff9428393fb6951ed239c6e9c9e3f84b46f9c92a6e2c313f1f35e677b3662512f nginx-njs-0.2.0.tar.gz
cd6983c164383100e0239be85dfeddc7879ab9c29589aecdd9bb4b6772d1f0a5d4cd70bf728d0fb5181765cbed77b7e4c99fd85c0ec59c55826c52e923510017 njs~fix-test-exit-code.patch
+8418b905011d429a7183843af7fbbc7ec37d01f33c9f9742a2b2de08a0e036af97577988425254ce6a541db34f05d47c05edfe613d417f3e402a044a3f455d3a CVE-2019-9511.patch
+8575dfa2484ef6979b83d6cc51b2492498c4a4b5fbda677c0986db1de32fc80c9bf0bb93f75582d51bee7d226a138a423aa41dd7b3320588bb019e4474e5c558 CVE-2019-9513.patch
+949f1fe5c83148f99919384b7117d330bf361a2b7c76807d41017f14349b853ec8f6fdab33d290ca455fbe18150047412bb220838c867708cb56c4e5ec6746fd CVE-2019-9516.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
diff --git a/main/nginx/CVE-2019-9511.patch b/main/nginx/CVE-2019-9511.patch
new file mode 100644
index 0000000000..3b48e0cd7a
--- /dev/null
+++ b/main/nginx/CVE-2019-9511.patch
@@ -0,0 +1,87 @@
+From 3f64486e0c15414dc6368139453dcaca338ddf3e Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:36 +0300
+Subject: [PATCH 2/3] HTTP/2: limited number of DATA frames.
+
+Fixed excessive memory growth and CPU usage if stream windows are
+manipulated in a way that results in generating many small DATA frames.
+Fix is to limit the number of simultaneously allocated DATA frames.
+---
+ src/http/v2/ngx_http_v2.c | 2 ++
+ src/http/v2/ngx_http_v2.h | 2 ++
+ src/http/v2/ngx_http_v2_filter_module.c | 22 +++++++++++++++++-----
+ 3 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index be2ef82b..1b01f271 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -4339,6 +4339,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
+ */
+ pool = stream->pool;
+
++ h2c->frames -= stream->frames;
++
+ ngx_http_free_request(stream->request, rc);
+
+ if (pool != h2c->state.pool) {
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index bec22160..715b7d30 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
+
+ ngx_buf_t *preread;
+
++ ngx_uint_t frames;
++
+ ngx_http_v2_out_frame_t *free_frames;
+ ngx_chain_t *free_frame_headers;
+ ngx_chain_t *free_bufs;
+diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c
+index 029e8ece..c7ee5536 100644
+--- a/src/http/v2/ngx_http_v2_filter_module.c
++++ b/src/http/v2/ngx_http_v2_filter_module.c
+@@ -1661,22 +1661,34 @@ static ngx_http_v2_out_frame_t *
+ ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
+ size_t len, ngx_chain_t *first, ngx_chain_t *last)
+ {
+- u_char flags;
+- ngx_buf_t *buf;
+- ngx_chain_t *cl;
+- ngx_http_v2_out_frame_t *frame;
++ u_char flags;
++ ngx_buf_t *buf;
++ ngx_chain_t *cl;
++ ngx_http_v2_out_frame_t *frame;
++ ngx_http_v2_connection_t *h2c;
+
+ frame = stream->free_frames;
++ h2c = stream->connection;
+
+ if (frame) {
+ stream->free_frames = frame->next;
+
+- } else {
++ } else if (h2c->frames < 10000) {
+ frame = ngx_palloc(stream->request->pool,
+ sizeof(ngx_http_v2_out_frame_t));
+ if (frame == NULL) {
+ return NULL;
+ }
++
++ stream->frames++;
++ h2c->frames++;
++
++ } else {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++
++ h2c->connection->error = 1;
++ return NULL;
+ }
+
+ flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
+--
+2.20.1
+
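Review bot: The patch file carries only the git-format-patch `From 3f64486e...` header, a commit id from a git mirror rather than the Mercurial repository nginx publishes, and nothing in it says which upstream release or changeset it was taken from or whether it was adapted to apply to 1.14.2. Vendored security patches are exactly what a later maintainer or auditor has to re-verify, so add a one-line provenance note above the `From` line, e.g. `# Backport of the upstream nginx fix for CVE-2019-9511 (HTTP/2 DATA-frame flood); applied unmodified to 1.14.2` (adjusted to what was actually done). Worth recording there as well: the new `else if (h2c->frames < 10000)` branch relies on a connection-level `frames` counter that this patch does not add to `ngx_http_v2_connection_s` — only the per-stream `ngx_uint_t frames;` is added — so the field must already exist in 1.14.2 (the CVE-2019-9513 patch shows it as context, which is consistent), and the bare `10000` threshold is not configurable and presumably shares whatever budget that existing counter already enforces.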
diff --git a/main/nginx/CVE-2019-9513.patch b/main/nginx/CVE-2019-9513.patch
new file mode 100644
index 0000000000..edc1c2b825
--- /dev/null
+++ b/main/nginx/CVE-2019-9513.patch
@@ -0,0 +1,62 @@
+From bbdc81631b6d322785d8e92788fd400e25a931e6 Mon Sep 17 00:00:00 2001
+From: Ruslan Ermilov <ru@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:40 +0300
+Subject: [PATCH 3/3] HTTP/2: limited number of PRIORITY frames.
+
+Fixed excessive CPU usage caused by a peer that continuously shuffles
+priority of streams. Fix is to limit the number of PRIORITY frames.
+---
+ src/http/v2/ngx_http_v2.c | 10 ++++++++++
+ src/http/v2/ngx_http_v2.h | 1 +
+ 2 files changed, 11 insertions(+)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 1b01f271..fd6ecb05 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -275,6 +275,7 @@ ngx_http_v2_init(ngx_event_t *rev)
+ h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
+
+ h2c->concurrent_pushes = h2scf->concurrent_pushes;
++ h2c->priority_limit = h2scf->concurrent_streams;
+
+ h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+ if (h2c->pool == NULL) {
+@@ -1806,6 +1807,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
+ }
+
++ if (--h2c->priority_limit == 0) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "client sent too many PRIORITY frames");
++
++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
++ }
++
+ if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
+ return ngx_http_v2_state_save(h2c, pos, end,
+ ngx_http_v2_state_priority);
+@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
+ h2c->processing++;
+ }
+
++ h2c->priority_limit += h2scf->concurrent_streams;
++
+ return stream;
+ }
+
+diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
+index 715b7d30..69d55d1c 100644
+--- a/src/http/v2/ngx_http_v2.h
++++ b/src/http/v2/ngx_http_v2.h
+@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
+ ngx_uint_t processing;
+ ngx_uint_t frames;
+ ngx_uint_t idle;
++ ngx_uint_t priority_limit;
+
+ ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+--
+2.20.1
+
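Review bot: The added check `if (--h2c->priority_limit == 0)` pre-decrements an `ngx_uint_t`; if `priority_limit` is ever 0 when a PRIORITY frame arrives, the decrement wraps to the maximum value and the limit is effectively disabled for the rest of the connection. With this patch it starts at `h2scf->concurrent_streams` and grows by the same amount per created stream, so it is only 0 if `http2_max_concurrent_streams` can be configured as 0 — I cannot tell from this diff whether the directive rejects that value. If it does not, `if (h2c->priority_limit == 0 || --h2c->priority_limit == 0)` closes the gap, and since this is a vendored `[PATCH 3/3]` from upstream the change belongs upstream rather than in the Alpine copy. Separately, `h2scf` in the `ngx_http_v2_create_stream` hunk is used without a visible declaration; that function's body starts outside the hunk, so it is presumably an existing local there.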
diff --git a/main/nginx/CVE-2019-9516.patch b/main/nginx/CVE-2019-9516.patch
new file mode 100644
index 0000000000..0d5ec77459
--- /dev/null
+++ b/main/nginx/CVE-2019-9516.patch
@@ -0,0 +1,45 @@
+From 840d8a3e2f126384eb4ee3e5dd7ffe875a5634c5 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov <pluknet@nginx.com>
+Date: Tue, 13 Aug 2019 15:43:32 +0300
+Subject: [PATCH 1/3] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
+
+Fixed uncontrolled memory growth if peer sends a stream of
+headers with a 0-length header name and 0-length header value.
+Fix is to reject headers with zero name length.
+---
+ src/http/v2/ngx_http_v2.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
+index 12214e15..be2ef82b 100644
+--- a/src/http/v2/ngx_http_v2.c
++++ b/src/http/v2/ngx_http_v2.c
+@@ -1548,6 +1548,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+ header->name.len = h2c->state.field_end - h2c->state.field_start;
+ header->name.data = h2c->state.field_start;
+
++ if (header->name.len == 0) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "client sent zero header name length");
++
++ return ngx_http_v2_connection_error(h2c,
++ NGX_HTTP_V2_PROTOCOL_ERROR);
++ }
++
+ return ngx_http_v2_state_field_len(h2c, pos, end);
+ }
+
+@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
+ ngx_uint_t i;
+ ngx_http_core_srv_conf_t *cscf;
+
+- if (header->name.len == 0) {
+- return NGX_ERROR;
+- }
+-
+ r->invalid_header = 0;
+
+ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+--
+2.20.1
+
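Review bot: Moving the empty-name check from `ngx_http_v2_validate_header` (where it returned `NGX_ERROR` for the one request) into `ngx_http_v2_state_process_header` as `NGX_HTTP_V2_PROTOCOL_ERROR` changes the blast radius: one malformed header now tears down the whole HTTP/2 connection and every stream multiplexed on it, rather than failing a single request. That is consistent with the commit message, which attributes the memory growth to a stream of such headers before any request is formed, but it deserves a sentence in the patch header or the APKBUILD secfixes comment so the stricter behaviour is not later mistaken for a regression. Also, if `ngx_http_v2_validate_header` has any caller other than the header-processing path patched in the first hunk, that caller silently loses the zero-length-name rejection removed in the second hunk; its callers are not visible in this diff, so worth confirming before shipping.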