diff --git a/.gitignore b/.gitignore
index 667c131..33486f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-SOURCES/nginx-1.6.1.tar.gz
+SOURCES/nginx-1.6.2.tar.gz
+SOURCES/passenger-4.0.50.tar.gz
 SOURCES/poweredby.png
diff --git a/.nginx16-nginx.metadata b/.nginx16-nginx.metadata
index 0b67669..f0cc099 100644
--- a/.nginx16-nginx.metadata
+++ b/.nginx16-nginx.metadata
@@ -1,2 +1,3 @@
-e58c865f67b580541ed4eadf69d1676762bf50ab SOURCES/nginx-1.6.1.tar.gz
+1a5458bc15acf90eea16353a1dd17285cf97ec35 SOURCES/nginx-1.6.2.tar.gz
+f85204d0f21147e8ca2e2313b5bddaebd6ca0b21 SOURCES/passenger-4.0.50.tar.gz
 2ec82988cd0d9b1304c95a16b28eff70f0f69abc SOURCES/poweredby.png
diff --git a/SOURCES/nginx-1.6.1-CVE-2014-3616.patch b/SOURCES/nginx-1.6.1-CVE-2014-3616.patch
deleted file mode 100644
index fb45514..0000000
--- a/SOURCES/nginx-1.6.1-CVE-2014-3616.patch
+++ /dev/null
@@ -1,121 +0,0 @@ -Index: src/event/ngx_event_openssl.c -=================================================================== ---- a/src/event/ngx_event_openssl.c (revision 5640) -+++ b/src/event/ngx_event_openssl.c (revision 5841) -@@ -28,4 +28,6 @@ - static void ngx_ssl_clear_error(ngx_log_t *log); - -+static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, -+ ngx_str_t *sess_ctx); - ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); - static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, -@@ -1730,10 +1732,12 @@ - SSL_CTX_set_timeout(ssl->ctx, (long) timeout); - -+ if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ - if (builtin_session_cache == NGX_SSL_NO_SCACHE) { - SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); - return NGX_OK; - } -- -- SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len); - - if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { -@@ -1790,4 +1794,94 @@ - - return NGX_OK; -+} -+ -+ -+static ngx_int_t -+ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx) -+{ -+ int n, i; -+ X509 *cert; -+ X509_NAME *name; -+ EVP_MD_CTX md; -+ unsigned int len; -+ STACK_OF(X509_NAME) *list; -+ u_char buf[EVP_MAX_MD_SIZE]; -+ -+ /* -+ * Session ID context is set based on the string provided, -+ * the server certificate, and the client CA list. 
-+ */ -+ -+ EVP_MD_CTX_init(&md); -+ -+ if (EVP_DigestInit_ex(&md, EVP_sha1(), NULL) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "EVP_DigestInit_ex() failed"); -+ goto failed; -+ } -+ -+ if (EVP_DigestUpdate(&md, sess_ctx->data, sess_ctx->len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "EVP_DigestUpdate() failed"); -+ goto failed; -+ } -+ -+ cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); -+ -+ if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "X509_digest() failed"); -+ goto failed; -+ } -+ -+ if (EVP_DigestUpdate(&md, buf, len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "EVP_DigestUpdate() failed"); -+ goto failed; -+ } -+ -+ list = SSL_CTX_get_client_CA_list(ssl->ctx); -+ -+ if (list != NULL) { -+ n = sk_X509_NAME_num(list); -+ -+ for (i = 0; i < n; i++) { -+ name = sk_X509_NAME_value(list, i); -+ -+ if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "X509_NAME_digest() failed"); -+ goto failed; -+ } -+ -+ if (EVP_DigestUpdate(&md, buf, len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "EVP_DigestUpdate() failed"); -+ goto failed; -+ } -+ } -+ } -+ -+ if (EVP_DigestFinal_ex(&md, buf, &len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "EVP_DigestUpdate() failed"); -+ goto failed; -+ } -+ -+ EVP_MD_CTX_cleanup(&md); -+ -+ if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { -+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, -+ "SSL_CTX_set_session_id_context() failed"); -+ return NGX_ERROR; -+ } -+ -+ return NGX_OK; -+ -+failed: -+ -+ EVP_MD_CTX_cleanup(&md); -+ -+ return NGX_ERROR; - } - diff --git a/SOURCES/passenger-4.0.38-libeio.patch b/SOURCES/passenger-4.0.38-libeio.patch new file mode 100644 index 0000000..69f0779 --- /dev/null +++ b/SOURCES/passenger-4.0.38-libeio.patch 
@@ -0,0 +1,26 @@ +diff --git a/build/common_library.rb b/build/common_library.rb +index 4348be5..ba13306 100644 +--- a/build/common_library.rb ++++ b/build/common_library.rb +@@ -151,8 +151,8 @@ if USE_VENDORED_LIBEV + + task :clean => 'libev:clean' + else +- LIBEV_CFLAGS = string_option('LIBEV_CFLAGS', '-I/usr/include/libev') +- LIBEV_LIBS = string_option('LIBEV_LIBS', '-lev') ++ LIBEV_CFLAGS = string_option('LIBEV_CFLAGS', '-I/opt/rh/rh-passenger40/root/usr/include/') ++ LIBEV_LIBS = string_option('LIBEV_LIBS', '-L/opt/rh/rh-passenger40/root/usr/lib64 -lev') + LIBEV_TARGET = nil + task :libev # do nothing + end +@@ -202,8 +202,8 @@ if USE_VENDORED_LIBEIO + end + end + else +- LIBEIO_CFLAGS = string_option('LIBEIO_CFLAGS', '-I/usr/include/libeio') +- LIBEIO_LIBS = string_option('LIBEIO_LIBS', '-leio') ++ LIBEIO_CFLAGS = string_option('LIBEIO_CFLAGS', '-I/opt/rh/rh-passenger40/root/usr/include/') ++ LIBEIO_LIBS = string_option('LIBEIO_LIBS', '-L/opt/rh/rh-passenger40/root/usr/lib64 -lev-eio') + LIBEIO_TARGET = nil + task :libeio # do nothing + end diff --git a/SPECS/nginx.spec b/SPECS/nginx.spec index 28a3d49..742099b 100644 --- a/SPECS/nginx.spec +++ b/SPECS/nginx.spec @@ -1,9 +1,16 @@ %{?scl:%scl_package nginx} +%if 0%{?rhel} > 6 %define use_systemd 1 +%else +%define use_systemd 0 +%endif + %define use_geoip 0 %define use_perl 0 %global with_gperftools 0 +%global with_passenger 1 +%global passenger_version 4.0.50 %global _hardened_build 1 %global nginx_user nginx @@ -15,10 +22,12 @@ %global nginx_logdir %{_root_localstatedir}/log/nginx16 %global nginx_webroot %{nginx_datadir}/html +%global service_name %{?scl_prefix}nginx + Name: %{?scl:%scl_prefix}nginx Epoch: 1 -Version: 1.6.1 -Release: 2%{?dist} +Version: 1.6.2 +Release: 3%{?dist} Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons 
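Review bot: The new patch bakes the collection root `/opt/rh/rh-passenger40/root/usr/...` into the `string_option` defaults for `LIBEV_CFLAGS`, `LIBEV_LIBS`, `LIBEIO_CFLAGS` and `LIBEIO_LIBS`, so the patch goes stale as soon as that root changes. If `string_option` consults the environment variable of the same name (its name suggests so, but the helper is outside the hunk), the spec's `%build` could simply `export LIBEV_CFLAGS=... LIBEIO_LIBS=...` built from the SCL macros and the patch would not be needed for these four lines. The `-lev-eio` link name also deserves a one-line comment in the patch header, e.g. `# Fedora/RHSCL ship libeio as libev-eio; libeio itself is not packaged under that name`, since a reader will otherwise take it for a typo.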
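Review bot: `%if 0%{?rhel} > 6` leaves `use_systemd` at 0 whenever `%{?rhel}` is undefined, so a build on Fedora (where `%{?fedora}` is set instead) silently falls back to the sysvinit branch. If this spec is only ever built in an RHSCL buildroot that is harmless, otherwise `%if 0%{?rhel} > 6 || 0%{?fedora}` keeps systemd where it exists. A comment above the conditional, `# RHEL 6 has no systemd; RHEL 7 and later do`, would record the intent that currently lives only in the changelog.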
@@ -28,6 +37,7 @@ License: BSD URL: http://nginx.org/ Source0: http://nginx.org/download/nginx-%{version}.tar.gz +Source1: http://s3.amazonaws.com/phusion-passenger/releases/passenger-%{passenger_version}.tar.gz Source10: nginx.service Source11: nginx.logrotate Source12: nginx.conf @@ -43,8 +53,26 @@ Source104: 50x.html # removes -Werror in upstream build scripts. -Werror conflicts with # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: nginx-auto-cc-gcc.patch - -Patch1: nginx-1.6.1-CVE-2014-3616.patch +# Build Passenger against Fedora's (renamed) libeio +Patch200: passenger-4.0.38-libeio.patch + +%if 0%{?with_passenger} +BuildRequires: %{?scl:rh-passenger40-}libeio-devel +BuildRequires: %{?scl:rh-passenger40-}libev-devel >= 4.0.0 +BuildRequires: %{?scl:rh-passenger40-}rubygem(mizuho) +BuildRequires: %{?scl:ruby193-}ruby +BuildRequires: %{?scl:ruby193-}ruby-devel +BuildRequires: %{?scl:ruby193-}rubygems +BuildRequires: %{?scl:ruby193-}rubygems-devel +BuildRequires: %{?scl:ruby193-}rubygem(rake) >= 0.8.1 +BuildRequires: %{?scl:ruby193-}rubygem(rack) +BuildRequires: %{?scl:ruby193-}rubygem(rspec) +BuildRequires: %{?scl:ruby193-}rubygem(mime-types) +BuildRequires: libcurl-devel +BuildRequires: zlib-devel +BuildRequires: pcre-devel +BuildRequires: openssl-devel +%endif # BuildRequires: GeoIP-devel BuildRequires: gd-devel 
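Review bot: Dropping `Patch1: nginx-1.6.1-CVE-2014-3616.patch` is not explained anywhere in this hunk or in the new changelog entries; nginx 1.6.2 upstream carries the session-id-context fix the deleted patch contained, so the removal looks correct, but a later reader of the spec cannot tell that from the file. A one-line comment next to `Patch0`, `# CVE-2014-3616 is fixed upstream as of 1.6.2; the local patch was dropped`, or a bullet under the 1.6.2-1 changelog entry would close that gap. Separately, `Patch200: passenger-4.0.38-libeio.patch` keeps 4.0.38 in its name while `%{passenger_version}` is 4.0.50; if it still applies cleanly, say so in the comment above it so the mismatch is not mistaken for a stale patch.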
@@ -91,10 +119,43 @@ memory usage. %prep %setup -q -n nginx-%{version} %patch0 -p0 -%patch1 -p1 -b .CVE20143616 +%if 0%{?with_passenger} +tar -xf %{SOURCE1} +pushd passenger-%{passenger_version} +%patch200 -p1 -b .uselibeio +popd +%endif %build +%if 0%{?with_passenger} +%{?scl:scl enable ruby193 rh-passenger40 - << \EOF} +pushd passenger-%{passenger_version} +export USE_VENDORED_LIBEV=false +export USE_VENDORED_LIBEIO=false +CFLAGS="${CFLAGS:-%optflags}" ; export CFLAGS ; +CXXFLAGS="${CXXFLAGS:-%optflags}" ; export CXXFLAGS ; +FFLAGS="${FFLAGS:-%optflags}" ; export FFLAGS ; + +export LANG=en_US.UTF-8 +export LANGUAGE=en_US.UTF-8 +export LC_ALL=en_US.UTF-8 + +rake nginx \ + NATIVE_PACKAGING_METHOD=rpm \ + EXTRA_CFLAGS="-fPIC" \ + EXTRA_CXXFLAGS="-fPIC" \ + FS_PREFIX=%{_prefix} \ + FS_BINDIR=%{_bindir} \ + FS_SBINDIR=%{_sbindir} \ + FS_DATADIR=%{_datadir} \ + FS_LIBDIR=%{_libdir} \ + FS_DOCDIR=%{_docdir} \ + RUBYLIBDIR=%{_datadir}/passenger/ + RUBYARCHDIR=%{_libdir}/passenger/ +popd +%endif + # nginx does not utilize a standard configure script. It has its own # and the standard configure options cause the nginx configure script # to error out. This is is also the reason for the DESTDIR environment @@ -145,12 +206,18 @@ export DESTDIR=%{buildroot} %if 0%{?with_gperftools} --with-google_perftools_module \ %endif +%if 0%{?with_passenger} + --add-module="./passenger-%{passenger_version}/ext/nginx" \ +%endif --with-debug \ --with-cc-opt="%{optflags} $(pcre-config --cflags)" \ --with-ld-opt="$RPM_LD_FLAGS -Wl,-E" # so the perl module finds its symbols make %{?_smp_mflags} +%if 0%{?with_passenger} +%{?scl:EOF} +%endif %install make install DESTDIR=%{buildroot} INSTALLDIRS=vendor 
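Review bot: In the `rake nginx` invocation there is no `\` continuation between `RUBYLIBDIR=%{_datadir}/passenger/` and `RUBYARCHDIR=%{_libdir}/passenger/`; the whitespace on this page is collapsed, but if those are separate lines in the spec the second becomes a bare shell assignment that rake never sees, so `RUBYARCHDIR=%{_libdir}/passenger/` is silently ignored. The fix is to end the first of the two with a continuation, `RUBYLIBDIR=%{_datadir}/passenger/ \`. A second, hedged point: `%{?scl:scl enable ruby193 rh-passenger40 - << \EOF}` hands the rest of `%build` to a fresh shell reading from stdin (its `EOF` is in the next hunk), and that inner shell presumably does not inherit rpmbuild's `-e`, so a failing `rake nginx` only surfaces if a later command in the heredoc also fails; a `set -e` as the first line inside the heredoc would make the build stop at the first error.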
@@ -271,11 +338,14 @@ getent passwd %{nginx_user} > /dev/null || \ exit 0 %post +restorecon -R %{_scl_root} >/dev/null 2>&1 || : semanage fcontext -a -e /var/log/nginx %{nginx_logdir} >/dev/null 2>&1 || : restorecon -R %{nginx_logdir} >/dev/null 2>&1 || : %if %{use_systemd} -%systemd_post %{?scl:%scl_prefix}nginx.service +%systemd_post %{service_name}.service %else +semanage fcontext -a -e /etc/rc.d/init.d/nginx /etc/rc.d/init.d/%{?scl:%scl_prefix}nginx >/dev/null 2>&1 || : +restorecon -R /etc/rc.d/init.d/%{?scl:%scl_prefix}nginx >/dev/null 2>&1 || : if [ $1 -eq 1 ]; then /sbin/chkconfig --add %{name} fi @@ -289,7 +359,7 @@ fi %preun %if %{use_systemd} -%systemd_preun %{?scl:%scl_prefix}nginx.service +%systemd_preun %{service_name}.service %else if [ $1 -eq 0 ]; then /sbin/service %{name} stop >/dev/null 2>&1 @@ -299,7 +369,7 @@ fi %postun %if %{use_systemd} -%systemd_postun %{?scl:%scl_prefix}nginx.service +%systemd_postun %{service_name}.service %else if [ $1 -eq 2 ]; then /sbin/service %{name} upgrade || : @@ -315,7 +385,7 @@ fi %endif %{_mandir}/man8/nginx.8* %if %{use_systemd} -%{_unitdir}/%{?scl:%scl_prefix}nginx.service +%{_unitdir}/%{service_name}.service %dir %{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}nginx %{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}nginx/* %else @@ -351,6 +421,16 @@ fi %attr(700,%{nginx_user},%{nginx_group}) %dir %{_localstatedir}/run/nginx %changelog +* Wed Jan 21 2015 Jan Kaluza - 1:1.6.2-3 +- set use_systemd only on RHEL7 + +* Mon Jan 19 2015 Jan Kaluza - 1:1.6.2-2 +- add support for Phusion Passenger + +* Tue Jan 06 2015 Jan Kaluza - 1:1.6.2-1 +- update to version 1.6.2 +- do not use conditionals in systemd macros (#1152514) + * Wed Sep 17 2014 Jan Kaluza - 1:1.6.1-2 - prevent SSL session reuse in unrelated server{} blocks (CVE-2014-3616)
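Review bot: The new sysvinit branch of `%post` adds a persistent SELinux file-context equivalence, `semanage fcontext -a -e /etc/rc.d/init.d/nginx /etc/rc.d/init.d/%{?scl:%scl_prefix}nginx`, but the `%postun` hunk on this same line never removes it, so the mapping outlives the package on erase; a matching `semanage fcontext -d -e /etc/rc.d/init.d/nginx /etc/rc.d/init.d/%{?scl:%scl_prefix}nginx >/dev/null 2>&1 || :` guarded by `if [ $1 -eq 0 ]` in `%postun` would mirror it (the pre-existing `/var/log/nginx` equivalence has the same gap, but that is not new here). `restorecon -R %{_scl_root}` also relabels the whole collection root rather than the files this package installs, which is both slow and outside the package's ownership; if the intent is to label the passenger binaries, restricting it to the directories `%files` actually lists keeps `%post` scoped. A short comment stating why the relabel is needed, e.g. `# relabel files installed under the collection root (Passenger helpers)`, would help the next maintainer judge whether it can be narrowed.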
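Review bot: `%{service_name}` is introduced for the unit file in the `%files` hunk, but the two `legacy-actions` paths right below it, and the init-script paths added in the `%post` hunk, still spell `%{?scl:%scl_prefix}nginx`. The three expand identically, so this is a style point, but using the new macro throughout, e.g. `%dir %{_root_libexecdir}/initscripts/legacy-actions/%{service_name}`, makes a future rename a one-line edit instead of a hunt through the spec.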