From 27eccfbbc85eaf6fe8a3be40b89df87115424f15 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 01 2022 11:26:33 +0000 Subject: import nginx-1.20.1-10.el9 --- diff --git a/SOURCES/0006-Fix-ALPACA-security-issue.patch b/SOURCES/0006-Fix-ALPACA-security-issue.patch new file mode 100644 index 0000000..754e8cc --- /dev/null +++ b/SOURCES/0006-Fix-ALPACA-security-issue.patch @@ -0,0 +1,96 @@ +From ee8ea4f1c88a0393206769cd30a545dc3375f868 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= +Date: Wed, 2 Feb 2022 20:14:55 +0100 +Subject: [PATCH] Fix ALPACA security issue + +--- + src/mail/ngx_mail.h | 3 +++ + src/mail/ngx_mail_core_module.c | 10 ++++++++++ + src/mail/ngx_mail_handler.c | 15 ++++++++++++++- + 3 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h +index b865a3b..76cae37 100644 +--- a/src/mail/ngx_mail.h ++++ b/src/mail/ngx_mail.h +@@ -115,6 +115,8 @@ typedef struct { + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -231,6 +233,7 @@ typedef struct { + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c +index 4083124..115671c 100644 +--- a/src/mail/ngx_mail_core_module.c ++++ b/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = { + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf) + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 0aaa0e7..71b8151 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + +-- +2.31.1 + diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 0d369a0..a9093bd 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -41,7 +41,7 @@ Name: nginx Epoch: 1 Version: 1.20.1 -Release: 9%{?dist} +Release: 10%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -85,6 +85,9 @@ Patch3: 0004-Set-proper-compiler-optimalization-level-O2-for-perl.pat # downstream patch for RHEL - https://bugzilla.redhat.com/show_bug.cgi?id=2006420 Patch4: 0005-Init-openssl-engine-properly.patch +# upstream patch - fixing ALPACA(CVE-2021-3618) security issue - https://bugzilla.redhat.com/show_bug.cgi?id=1975623 +Patch5: 0006-Fix-ALPACA-security-issue.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -584,6 +587,10 @@ fi %changelog +* Wed Feb 02 2022 Luboš Uhliarik - 1:1.20.1-10 +- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol + Confusion - Analyzing and Mitigating Cracks in TLS Authentication + * Thu Dec 2 2021 Joe Orton - 1:1.20.1-9 - add delaycompress to logrotate config (#2015250)