diff options
| -rw-r--r-- | main/nginx/APKBUILD | 12 | ||||
| -rw-r--r-- | main/nginx/CVE-2018-16843.patch | 62 | ||||
| -rw-r--r-- | main/nginx/CVE-2018-16844.patch | 60 | ||||
| -rw-r--r-- | main/nginx/CVE-2018-16845.patch | 19 |
4 files changed, 152 insertions, 1 deletions
diff --git a/main/nginx/APKBUILD b/main/nginx/APKBUILD index 43637d81ac2..39d2a4ca207 100644 --- a/main/nginx/APKBUILD +++ b/main/nginx/APKBUILD @@ -4,12 +4,16 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # # secfixes: +# 1.12.1-r4: +# - CVE-2018-16843 +# - CVE-2018-16844 +# - CVE-2018-16845 # 1.12.1-r0: # - CVE-2017-7529 # pkgname=nginx pkgver=1.12.2 -pkgrel=3 +pkgrel=4 # Revision of nginx-tests to use for check(). _tests_hgrev=cdd44ff602db pkgdesc="HTTP and reverse proxy server (stable version)" @@ -30,6 +34,9 @@ subpackages="$pkgname-doc $pkgname-vim::noarch" replaces="$pkgname-common $pkgname-initscripts $pkgname-lua $pkgname-rtmp" source="http://nginx.org/download/$pkgname-$pkgver.tar.gz $pkgname-tests-$_tests_hgrev.tar.gz::http://hg.nginx.org/nginx-tests/archive/$_tests_hgrev.tar.gz + CVE-2018-16843.patch + CVE-2018-16844.patch + CVE-2018-16845.patch nginx.conf default.conf $pkgname.logrotate @@ -265,6 +272,9 @@ _module() { sha512sums="3faa2043e237a7e1d15cc5661ac9d002a965220a78c25a863be9f19e01007347e53f776b61c229f6bd3d916cc1ccf92de260811f7b8092ec1b747fba7c0061f7 nginx-1.12.2.tar.gz ca8be839aef71c537d6d3a79e2894f38790834d6310c6d15ad06900c7c2d7cf71a113847ab96ef9be0fbdfff3b7808e74dea427502b275cfd6c909550f9ba9ab nginx-tests-cdd44ff602db.tar.gz +8666c54b894bb21b0bfd9fd223538ff37c34e070c722e866c8ae54dbf13768206d1594011f116622d7a0105439bd84c7b439022938e72b816519212fecba6e22 CVE-2018-16843.patch +54a5093ead82c8625c68a8af714eb3f71fdbecd48aca7e138cdd6c2ca06d5486074659fdd8b19576055c5d0717b5e179339ff1689defcdc4b7cf344375a39b4e CVE-2018-16844.patch +0b64927635048185cb117d403a0a70b4f048a76cd7ef561098b1c5e4cf31ef6594beff4298c3ca444b06b382d153b34b56c19b3c8ba87402c2e7daec1850da6b CVE-2018-16845.patch ac7e3153ab698b4cde077f0d5d7ac0a58897927eb36cf3b58cb01268ca0296f1d589c0a5b4f889b96b5b4a57bef05b17c59be59a9d7c4d7a3d3be58f101f7f41 nginx.conf 0907f69dc2d3dc1bad3a04fb6673f741f1a8be964e22b306ef9ae2f8e736e1f5733a8884bfe54f3553fff5132a0e5336716250f54272c3fec2177d6ba16986f3 default.conf 09b110693e3f4377349ccea3c43cb8199c8579ee351eae34283299be99fdf764b0c1bddd552e13e4d671b194501618b29c822e1ad53b34101a73a63954363dbb nginx.logrotate diff --git a/main/nginx/CVE-2018-16843.patch b/main/nginx/CVE-2018-16843.patch new file mode 100644 index 00000000000..a9b9863a4e2 --- /dev/null +++ b/main/nginx/CVE-2018-16843.patch @@ -0,0 +1,62 @@ +# HG changeset patch +# User Ruslan Ermilov <ru@nginx.com> +# Date 1541510975 -10800 +# Node ID 1c6b6163c03945bcc65c252cc42b0af18744c085 +# Parent fdc19a3289c1138bfe49ddbde310778ddc495729 +HTTP/2: flood detection. + +Fixed uncontrolled memory growth in case peer is flooding us with +some frames (e.g., SETTINGS and PING) and doesn't read data. Fix +is to limit the number of allocated control frames. + +Patch-Source: http://hg.nginx.org/nginx/rev/1c6b6163c039 + +diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.c +--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:18 2018 +0300 ++++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300 +@@ -664,6 +664,7 @@ + + h2c->pool = NULL; + h2c->free_frames = NULL; ++ h2c->frames = 0; + h2c->free_fake_connections = NULL; + + #if (NGX_HTTP_SSL) +@@ -2895,7 +2896,7 @@ + + frame->blocked = 0; + +- } else { ++ } else if (h2c->frames < 10000) { + pool = h2c->pool ? h2c->pool : h2c->connection->pool; + + frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t)); +@@ -2919,6 +2920,15 @@ + frame->last = frame->first; + + frame->handler = ngx_http_v2_frame_handler; ++ ++ h2c->frames++; ++ ++ } else { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ++ h2c->connection->error = 1; ++ return NULL; + } + + #if (NGX_DEBUG) +diff -r fdc19a3289c1 -r 1c6b6163c039 src/http/v2/ngx_http_v2.h +--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:18 2018 +0300 ++++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300 +@@ -120,6 +120,7 @@ + ngx_http_connection_t *http_connection; + + ngx_uint_t processing; ++ ngx_uint_t frames; + + ngx_uint_t pushing; + ngx_uint_t concurrent_pushes; + + diff --git a/main/nginx/CVE-2018-16844.patch b/main/nginx/CVE-2018-16844.patch new file mode 100644 index 00000000000..c44930f9b86 --- /dev/null +++ b/main/nginx/CVE-2018-16844.patch @@ -0,0 +1,60 @@ +# HG changeset patch +# User Ruslan Ermilov <ru@nginx.com> +# Date 1541510989 -10800 +# Node ID 9200b41db765fbd6709765ba2d218e78ad8e9860 +# Parent 1c6b6163c03945bcc65c252cc42b0af18744c085 +HTTP/2: limit the number of idle state switches. + +An attack that continuously switches HTTP/2 connection between +idle and active states can result in excessive CPU usage. +This is because when a connection switches to the idle state, +all of its memory pool caches are freed. + +This change limits the maximum allowed number of idle state +switches to 10 * http2_max_requests (i.e., 10000 by default). +This limits possible CPU usage in one connection, and also +imposes a limit on the maximum lifetime of a connection. + +Initially reported by Gal Goldshtein from F5 Networks. + +Patch-Source: http://hg.nginx.org/nginx/rev/9200b41db765 + +diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.c +--- a/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:35 2018 +0300 ++++ b/src/http/v2/ngx_http_v2.c Tue Nov 06 16:29:49 2018 +0300 +@@ -4481,12 +4481,19 @@ + + #endif + ++ h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, ++ ngx_http_v2_module); ++ ++ if (h2c->idle++ > 10 * h2scf->max_requests) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "http2 flood detected"); ++ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR); ++ return; ++ } ++ + c->destroyed = 0; + ngx_reusable_connection(c, 0); + +- h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, +- ngx_http_v2_module); +- + h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); + if (h2c->pool == NULL) { + ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR); +diff -r 1c6b6163c039 -r 9200b41db765 src/http/v2/ngx_http_v2.h +--- a/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:35 2018 +0300 ++++ b/src/http/v2/ngx_http_v2.h Tue Nov 06 16:29:49 2018 +0300 +@@ -121,6 +121,7 @@ + + ngx_uint_t processing; + ngx_uint_t frames; ++ ngx_uint_t idle; + + ngx_uint_t pushing; + ngx_uint_t concurrent_pushes; + + diff --git a/main/nginx/CVE-2018-16845.patch b/main/nginx/CVE-2018-16845.patch new file mode 100644 index 00000000000..b873ef8aa19 --- /dev/null +++ b/main/nginx/CVE-2018-16845.patch @@ -0,0 +1,19 @@ +Patch-Source: http://nginx.org/download/patch.2018.mp4.txt + +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file + atom_size = ngx_mp4_get_64value(atom_header + 8); + atom_header_size = sizeof(ngx_mp4_atom_header64_t); + ++ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "\"%s\" mp4 atom is too small:%uL", ++ mp4->file.name.data, atom_size); ++ return NGX_ERROR; ++ } ++ + } else { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 atom is too small:%uL", + |