aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJakub Jirutka <jakub@jirutka.cz>2018-11-21 16:14:41 +0100
committerJakub Jirutka <jakub@jirutka.cz>2018-11-21 16:28:05 +0100
commite86a2a9f72ca3473b25cd7ae7085d79c368615b0 (patch)
treed02e12ba472b356a08aeee0582dd8101608cc046
parent71bdcfe045c8bf7b44a9d80b2c37489dd6e5c5e9 (diff)
downloadaports-e86a2a9f72ca3473b25cd7ae7085d79c368615b0.tar.gz
aports-e86a2a9f72ca3473b25cd7ae7085d79c368615b0.tar.bz2
aports-e86a2a9f72ca3473b25cd7ae7085d79c368615b0.tar.xz
Resolves: #9660 (https://bugs.alpinelinux.org/issues/9660)
-rw-r--r--main/nginx/APKBUILD12
-rw-r--r--main/nginx/CVE-2018-16843.patch62
-rw-r--r--main/nginx/CVE-2018-16844.patch60
-rw-r--r--main/nginx/CVE-2018-16845.patch19
4 files changed, 152 insertions, 1 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD
index 43637d81ac..39d2a4ca20 100644
--- a/main/nginx/APKBUILD
+++ b/main/nginx/APKBUILD
@@ -4,12 +4,16 @@
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 1.12.1-r4:
+# - CVE-2018-16843
+# - CVE-2018-16844
+# - CVE-2018-16845
# 1.12.1-r0:
# - CVE-2017-7529
#
pkgname=nginx
pkgver=1.12.2
-pkgrel=3
+pkgrel=4
# Revision of nginx-tests to use for check().
_tests_hgrev=cdd44ff602db
pkgdesc="HTTP and reverse proxy server (stable version)"
@@ -30,6 +34,9 @@ subpackages="$pkgname-doc $pkgname-vim::noarch"
replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp"
source="http://nginx.org/download/$pkgname-$pkgver.tar.gz
$pkgname-tests-$_tests_hgrev.tar.gz::http://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz
+ CVE-2018-16843.patch
+ CVE-2018-16844.patch
+ CVE-2018-16845.patch
nginx.conf
default.conf
$pkgname.logrotate
@@ -265,6 +272,9 @@ _module() {
sha512sums="3faa2043e237a7e1d15cc5661ac9d002a965220a78c25a863be9f19e01007347e53f776b61c229f6bd3d916cc1ccf92de260811f7b8092ec1b747fba7c0061f7 nginx-1.12.2.tar.gz
ca8be839aef71c537d6d3a79e2894f38790834d6310c6d15ad06900c7c2d7cf71a113847ab96ef9be0fbdfff3b7808e74dea427502b275cfd6c909550f9ba9ab nginx-tests-cdd44ff602db.tar.gz
+8666c54b894bb21b0bfd9fd223538ff37c34e070c722e866c8ae54dbf13768206d1594011f116622d7a0105439bd84c7b439022938e72b816519212fecba6e22 CVE-2018-16843.patch
+54a5093ead82c8625c68a8af714eb3f71fdbecd48aca7e138cdd6c2ca06d5486074659fdd8b19576055c5d0717b5e179339ff1689defcdc4b7cf344375a39b4e CVE-2018-16844.patch
+0b64927635048185cb117d403a0a70b4f048a76cd7ef561098b1c5e4cf31ef6594beff4298c3ca444b06b382d153b34b56c19b3c8ba87402c2e7daec1850da6b CVE-2018-16845.patch
ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf
0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf
09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate
diff --git a/main/nginx/CVE-2018-16843.patch b/main/nginx/CVE-2018-16843.patch
new file mode 100644
index 0000000000..a9b9863a4e
--- /dev/null
+++ b/main/nginx/CVE-2018-16843.patch
@@ -0,0 +1,62 @@
+# HG changeset patch
+# User Ruslan Ermilov <ru@nginx.com>
+# Date 1541510975 -10800
+# Node ID 1c6b6163c03945bcc65c252cc42b0af18744c085
+# Parent fdc19a3289c1138bfe49ddbde310778ddc495729
+HTTP/2: flood detection.
+
+Fixed uncontrolled memory growth in case peer is flooding us with
+some frames (e.g., SETTINGS and PING) and doesn't read data. Fix
+is to limit the number of allocated control frames.
+
+Patch-Source: http://hg.nginx.org/nginx/rev/1c6b6163c039
+
+diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.c
+--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:18 2018 +0300
++++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300
+@@ -664,6 +664,7 @@
+
+ h2c->pool = NULL;
+ h2c->free_frames = NULL;
++ h2c->frames = 0;
+ h2c->free_fake_connections = NULL;
+
+ #if (NGX_HTTP_SSL)
+@@ -2895,7 +2896,7 @@
+
+ frame->blocked = 0;
+
+- } else {
++ } else if (h2c->frames < 10000) {
+ pool = h2c->pool ? h2c->pool : h2c->connection->pool;
+
+ frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
+@@ -2919,6 +2920,15 @@
+ frame->last = frame->first;
+
+ frame->handler = ngx_http_v2_frame_handler;
++
++ h2c->frames++;
++
++ } else {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++
++ h2c->connection->error = 1;
++ return NULL;
+ }
+
+ #if (NGX_DEBUG)
+diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.h
+--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:18 2018 +0300
++++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300
+@@ -120,6 +120,7 @@
+ ngx_http_connection_t *http_connection;
+
+ ngx_uint_t processing;
++ ngx_uint_t frames;
+
+ ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+
+
diff --git a/main/nginx/CVE-2018-16844.patch b/main/nginx/CVE-2018-16844.patch
new file mode 100644
index 0000000000..c44930f9b8
--- /dev/null
+++ b/main/nginx/CVE-2018-16844.patch
@@ -0,0 +1,60 @@
+# HG changeset patch
+# User Ruslan Ermilov <ru@nginx.com>
+# Date 1541510989 -10800
+# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860
+# Parent 1c6b6163c03945bcc65c252cc42b0af18744c085
+HTTP/2: limit the number of idle state switches.
+
+An attack that continuously switches HTTP/2 connection between
+idle and active states can result in excessive CPU usage.
+This is because when a connection switches to the idle state,
+all of its memory pool caches are freed.
+
+This change limits the maximum allowed number of idle state
+switches to 10 * http2_max_requests (i.e., 10000 by default).
+This limits possible CPU usage in one connection, and also
+imposes a limit on the maximum lifetime of a connection.
+
+Initially reported by Gal Goldshtein from F5 Networks.
+
+Patch-Source: http://hg.nginx.org/nginx/rev/9200b41db765
+
+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.c
+--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300
++++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:49 2018 +0300
+@@ -4481,12 +4481,19 @@
+
+ #endif
+
++ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
++ ngx_http_v2_module);
++
++ if (h2c->idle++ > 10 * h2scf->max_requests) {
++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++ "http2 flood detected");
++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
++ return;
++ }
++
+ c->destroyed = 0;
+ ngx_reusable_connection(c, 0);
+
+- h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
+- ngx_http_v2_module);
+-
+ h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+ if (h2c->pool == NULL) {
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.h
+--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300
++++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:49 2018 +0300
+@@ -121,6 +121,7 @@
+
+ ngx_uint_t processing;
+ ngx_uint_t frames;
++ ngx_uint_t idle;
+
+ ngx_uint_t pushing;
+ ngx_uint_t concurrent_pushes;
+
+
diff --git a/main/nginx/CVE-2018-16845.patch b/main/nginx/CVE-2018-16845.patch
new file mode 100644
index 0000000000..b873ef8aa1
--- /dev/null
+++ b/main/nginx/CVE-2018-16845.patch
@@ -0,0 +1,19 @@
+Patch-Source: http://nginx.org/download/patch.2018.mp4.txt
+
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file
+ atom_size = ngx_mp4_get_64value(atom_header + 8);
+ atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+
++ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "\"%s\" mp4 atom is too small:%uL",
++ mp4->file.name.data, atom_size);
++ return NGX_ERROR;
++ }
++
+ } else {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 atom is too small:%uL",
+