Merge branch 'openresty:master' into master

Dockerfile

@@ -0,0 +1,45 @@
+#By GarfieldWTF
+# Use an official Alpine Linux as the parent image
+FROM alpine:latest
+
+# Set environment variables for OpenResty and NGINX versions
+ENV OPENRESTY_VERSION 1.21.4.2
+ENV NGINX_VERSION 1.25.3
+
+# Install required packages and build dependencies
+RUN apk update && apk upgrade && apk add --no-cache \
+    build-base \
+    pcre-dev \
+    openssl-dev \
+    zlib-dev \
+    wget \
+    perl-dev \
+    libxslt-dev \
+    gd-dev \
+    geoip-dev
+
+# Download and extract the source code for OpenResty and NGINX
+RUN wget https://openresty.org/download/openresty-$OPENRESTY_VERSION.tar.gz -O openresty.tar.gz \
+    && wget https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz -O nginx.tar.gz \
+    && tar -xzvf openresty.tar.gz \
+    && tar -xzvf nginx.tar.gz
+
+# Build OpenResty and NGINX with OpenResty modules
+RUN cd openresty-$OPENRESTY_VERSION \
+    && ./configure --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-cc-opt="-O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2" --with-ld-opt="-Wl,-z,relro -Wl,--as-needed" --prefix=/usr/local/openresty \
+    && make \
+    && make install
+
+# Cleanup
+RUN rm -rf openresty-$OPENRESTY_VERSION nginx-$NGINX_VERSION \
+    && rm openresty.tar.gz nginx.tar.gz
+
+# Add OpenResty to the system PATH
+ENV PATH="/usr/local/openresty/bin:${PATH}"
+
+# Expose ports if needed
+EXPOSE 80
+EXPOSE 443
+
+# Optional: Set a default CMD to start OpenResty when the container runs
+CMD ["nginx", "-g", "daemon off;"]

patches/nginx-CVE-2024-24989.patch

@@ -1,36 +0,0 @@
-commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
-Author: Sergey Kandaurov <pluknet@nginx.com>
-Date:   Wed Feb 14 15:55:34 2024 +0400
-
-    QUIC: trial packet decryption in response to invalid key update.
-    
-    Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
-    keys is now used to avoid a timing side-channel signal.  Further, this fixes
-    segfault while accessing missing next keys (ticket #2585).
-
-diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
-index 88e6954cf..8223626b6 100644
---- a/src/event/quic/ngx_event_quic_protection.c
-+++ b/src/event/quic/ngx_event_quic_protection.c
-@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
-         key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
- 
-         if (key_phase != pkt->key_phase) {
--            secret = &pkt->keys->next_key.client;
--            pkt->key_update = 1;
-+            if (pkt->keys->next_key.client.ctx != NULL) {
-+                secret = &pkt->keys->next_key.client;
-+                pkt->key_update = 1;
-+
-+            } else {
-+                /*
-+                 * RFC 9001,  6.3. Timing of Receive Key Generation.
-+                 *
-+                 * Trial decryption to avoid timing side-channel.
-+                 */
-+                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
-+                               "quic next key missing");
-+            }
-         }
-     }
- 

patches/nginx-CVE-2024-24990.patch

@@ -1,27 +0,0 @@
-commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
-Author: Roman Arutyunyan <arut@nginx.com>
-Date:   Wed Feb 14 15:55:37 2024 +0400
-
-    QUIC: fixed stream cleanup (ticket #2586).
-    
-    Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
-    ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
-    to the connection (sc->connection = NULL).  Previously if this call failed,
-    sc->connection retained the old value, while the connection was freed by the
-    application code.  This resulted later in a second attempt to close the freed
-    connection, which lead to allocator double free error.
-    
-    The fix is to reset the sc->connection pointer in case of error.
-
-diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
-index df04d0f07..178b805e4 100644
---- a/src/event/quic/ngx_event_quic_streams.c
-+++ b/src/event/quic/ngx_event_quic_streams.c
-@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
-                    "quic stream id:0x%xL cleanup", qs->id);
- 
-     if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
-+        qs->connection = NULL;
-         goto failed;
-     }
- 

util/mirror-tarballs

@@ -513,18 +513,6 @@ if [ "$answer" = "Y" ]; then
     fi
 fi
 
-answer=`$root/util/ver-ge "$main_ver" 1.25.3`
-if [ "$answer" = "Y" ]; then
-    answer=`$root/util/ver-ge "$main_ver" 1.25.4`
-    if [ "$answer" = "N" ]; then
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
-        patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
-        patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
-    fi
-fi
-
-
 echo "$info_txt applying the upstream_timeout_fields patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
 echo