mirror of
https://github.com/openresty/openresty.git
synced 2024-10-13 00:29:41 +00:00
Compare commits
1 Commits
cve
...
ngx-http-r
| Author | SHA1 | Date | |
|---|---|---|---|
| d0ada893fe |
@ -113,14 +113,17 @@ env:
|
||||
- OPENSSL_INC=$OPENSSL_PREFIX/include
|
||||
- OPENRESTY_PREFIX=/opt/openresty
|
||||
jobs:
|
||||
- OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
- OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
|
||||
- OPENSSL_VER=1.1.1s OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
|
||||
jobs:
|
||||
include:
|
||||
- <<: *linux-s390x
|
||||
env: OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
env: OPENSSL_VER=1.1.0l OPENSSL_PATCH_VER=1.1.0d
|
||||
- <<: *linux-s390x
|
||||
env: OPENSSL_VER=1.1.1l OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
- <<: *linux-ppc64le
|
||||
env: OPENSSL_VER=1.1.1w OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
env: OPENSSL_VER=1.1.1s OPENSSL_PATCH_VER=1.1.1f ENABLE_HTTP3_OPTION=--with-http_v3_module
|
||||
|
||||
install:
|
||||
- cpanm --sudo --notest Test::Nginx IPC::Run3 > build.log 2>&1 || (cat build.log && exit 1)
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@ -1,36 +0,0 @@
|
||||
commit 5902baf680609f884a1e11ff2b82a0bffb3724cc
|
||||
Author: Sergey Kandaurov <pluknet@nginx.com>
|
||||
Date: Wed Feb 14 15:55:34 2024 +0400
|
||||
|
||||
QUIC: trial packet decryption in response to invalid key update.
|
||||
|
||||
Inspired by RFC 9001, Section 6.3, trial packet decryption with the current
|
||||
keys is now used to avoid a timing side-channel signal. Further, this fixes
|
||||
segfault while accessing missing next keys (ticket #2585).
|
||||
|
||||
diff --git a/src/event/quic/ngx_event_quic_protection.c b/src/event/quic/ngx_event_quic_protection.c
|
||||
index 88e6954cf..8223626b6 100644
|
||||
--- a/src/event/quic/ngx_event_quic_protection.c
|
||||
+++ b/src/event/quic/ngx_event_quic_protection.c
|
||||
@@ -1144,8 +1144,19 @@ ngx_quic_decrypt(ngx_quic_header_t *pkt, uint64_t *largest_pn)
|
||||
key_phase = (pkt->flags & NGX_QUIC_PKT_KPHASE) != 0;
|
||||
|
||||
if (key_phase != pkt->key_phase) {
|
||||
- secret = &pkt->keys->next_key.client;
|
||||
- pkt->key_update = 1;
|
||||
+ if (pkt->keys->next_key.client.ctx != NULL) {
|
||||
+ secret = &pkt->keys->next_key.client;
|
||||
+ pkt->key_update = 1;
|
||||
+
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * RFC 9001, 6.3. Timing of Receive Key Generation.
|
||||
+ *
|
||||
+ * Trial decryption to avoid timing side-channel.
|
||||
+ */
|
||||
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, pkt->log, 0,
|
||||
+ "quic next key missing");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,27 +0,0 @@
|
||||
commit 5818f8a6693b3c0d95021f2ee58b69dcf848911c
|
||||
Author: Roman Arutyunyan <arut@nginx.com>
|
||||
Date: Wed Feb 14 15:55:37 2024 +0400
|
||||
|
||||
QUIC: fixed stream cleanup (ticket #2586).
|
||||
|
||||
Stream connection cleanup handler ngx_quic_stream_cleanup_handler() calls
|
||||
ngx_quic_shutdown_stream() after which it resets the pointer from quic stream
|
||||
to the connection (sc->connection = NULL). Previously if this call failed,
|
||||
sc->connection retained the old value, while the connection was freed by the
|
||||
application code. This resulted later in a second attempt to close the freed
|
||||
connection, which lead to allocator double free error.
|
||||
|
||||
The fix is to reset the sc->connection pointer in case of error.
|
||||
|
||||
diff --git a/src/event/quic/ngx_event_quic_streams.c b/src/event/quic/ngx_event_quic_streams.c
|
||||
index df04d0f07..178b805e4 100644
|
||||
--- a/src/event/quic/ngx_event_quic_streams.c
|
||||
+++ b/src/event/quic/ngx_event_quic_streams.c
|
||||
@@ -1097,6 +1097,7 @@ ngx_quic_stream_cleanup_handler(void *data)
|
||||
"quic stream id:0x%xL cleanup", qs->id);
|
||||
|
||||
if (ngx_quic_shutdown_stream(c, NGX_RDWR_SHUTDOWN) != NGX_OK) {
|
||||
+ qs->connection = NULL;
|
||||
goto failed;
|
||||
}
|
||||
|
||||
2745
t/000-sanity.t
2745
t/000-sanity.t
File diff suppressed because it is too large
Load Diff
@ -1,13 +1,13 @@
|
||||
#!/bin/bash
|
||||
|
||||
PCRE=pcre-8.45
|
||||
ZLIB=zlib-1.3
|
||||
OPENSSL=openssl-1.1.1w
|
||||
ZLIB=zlib-1.2.13
|
||||
OPENSSL=openssl-1.1.1t
|
||||
JOBS=12
|
||||
|
||||
# wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
|
||||
# wget http://zlib.net/zlib-1.3.tar.gz
|
||||
# wget https://ftp.pcre.org/pub/pcre/pcre-8.45.tar.gz
|
||||
# wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
|
||||
# wget http://zlib.net/zlib-1.2.12.tar.gz
|
||||
# wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
|
||||
|
||||
rm -rf objs || exit 1
|
||||
mkdir -p objs/lib || exit 1
|
||||
|
||||
32
util/configure
vendored
32
util/configure
vendored
@ -554,6 +554,9 @@ _END_
|
||||
"\n";
|
||||
}
|
||||
|
||||
# disable pcre2 by default
|
||||
push @ngx_opts, '--without-pcre2';
|
||||
|
||||
if (!$opts->{no_stream}
|
||||
&& ! $opts->{no_stream_ssl}
|
||||
&& ! $opts->{stream_ssl})
|
||||
@ -776,8 +779,8 @@ _END_
|
||||
}
|
||||
|
||||
if ($on_solaris) {
|
||||
$extra_opts .= " INSTALL_X='\$(INSTALL) -m 0755' " .
|
||||
"INSTALL_F='\$(INSTALL) -m 0644'";
|
||||
$extra_opts .= " INSTALL_X='$root_dir/build/install -m 0755' " .
|
||||
"INSTALL_F='$root_dir/build/install -m 0644'";
|
||||
}
|
||||
|
||||
if (defined $cc) {
|
||||
@ -950,7 +953,7 @@ _EOC_
|
||||
}
|
||||
|
||||
if ($on_solaris) {
|
||||
#$extra_opts .= " INSTALL='\$(INSTALL)'";
|
||||
#$extra_opts .= " INSTALL=$root_dir/build/install";
|
||||
if ($opts->{debug}) {
|
||||
$extra_opts .=
|
||||
" CJSON_CFLAGS=\"-g -O -fpic -DUSE_INTERNAL_ISINF\"";
|
||||
@ -994,7 +997,7 @@ _EOC_
|
||||
"LUA_LIB_DIR=$lualib_prefix";
|
||||
|
||||
if ($on_solaris) {
|
||||
$extra_opts .= " INSTALL='\$(INSTALL)'";
|
||||
$extra_opts .= " INSTALL=$root_dir/build/install";
|
||||
}
|
||||
|
||||
if ($opts->{debug}) {
|
||||
@ -1047,7 +1050,7 @@ _EOC_
|
||||
}
|
||||
|
||||
if ($on_solaris) {
|
||||
$extra_opts .= " INSTALL='\$(INSTALL)'";
|
||||
$extra_opts .= " INSTALL=$root_dir/build/install";
|
||||
if ($opts->{debug}) {
|
||||
$extra_opts .= " CFLAGS=\"-g -O -Wall\"";
|
||||
}
|
||||
@ -1098,7 +1101,7 @@ _EOC_
|
||||
}
|
||||
|
||||
if ($on_solaris) {
|
||||
$extra_opts .= " INSTALL='\$(INSTALL)'";
|
||||
$extra_opts .= " INSTALL=$root_dir/build/install";
|
||||
if ($opts->{debug}) {
|
||||
$extra_opts .= " CFLAGS=\"-g -O -Wall\"";
|
||||
|
||||
@ -1146,10 +1149,8 @@ _EOC_
|
||||
} else {
|
||||
$target_dir = "\$(DESTDIR)$prefix/bin/";
|
||||
}
|
||||
push @make_install_cmds,
|
||||
"mkdir '$target_dir'",
|
||||
"cd $root_dir/build/$opm_dir && "
|
||||
. "\$(INSTALL) bin/* '$target_dir'";
|
||||
push @make_install_cmds, "cd $root_dir/build/$opm_dir && "
|
||||
. "$root_dir/build/install bin/* $target_dir";
|
||||
}
|
||||
|
||||
# configure resty-cli:
|
||||
@ -1163,7 +1164,7 @@ _EOC_
|
||||
$target_dir = "\$(DESTDIR)$prefix/bin/";
|
||||
}
|
||||
push @make_install_cmds, "cd $root_dir/build/$resty_cli_dir && "
|
||||
. "\$(INSTALL) bin/* $target_dir";
|
||||
. "$root_dir/build/install bin/* $target_dir";
|
||||
|
||||
if ($platform ne 'msys') {
|
||||
# patch the resty script:
|
||||
@ -1246,7 +1247,7 @@ sub add_lua_lib ($$$) {
|
||||
|
||||
my $extra_opts =
|
||||
" DESTDIR=\$(DESTDIR) LUA_LIB_DIR=$lualib_prefix"
|
||||
." INSTALL='\$(INSTALL)'";
|
||||
." INSTALL=$root_dir/build/install";
|
||||
|
||||
push @make_install_cmds, "cd $root_dir/build/$dir && " .
|
||||
"\$(MAKE) install$extra_opts";
|
||||
@ -1559,12 +1560,7 @@ sub gen_makefile {
|
||||
print $out "DESTDIR ?= $root_dir/\n\n";
|
||||
}
|
||||
|
||||
print $out <<_EOC_;
|
||||
INSTALL := $root_dir/build/install
|
||||
|
||||
.PHONY: all install clean
|
||||
|
||||
_EOC_
|
||||
print $out ".PHONY: all install clean\n\n";
|
||||
|
||||
print $out "all:\n\t" . join("\n\t", @make_cmds) . "\n\n";
|
||||
|
||||
|
||||
@ -513,18 +513,6 @@ if [ "$answer" = "Y" ]; then
|
||||
fi
|
||||
fi
|
||||
|
||||
answer=`$root/util/ver-ge "$main_ver" 1.25.3`
|
||||
if [ "$answer" = "Y" ]; then
|
||||
answer=`$root/util/ver-ge "$main_ver" 1.25.4`
|
||||
if [ "$answer" = "N" ]; then
|
||||
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24989)"
|
||||
patch -p1 < $root/patches/nginx-CVE-2024-24989.patch || exit 1
|
||||
echo "$info_txt applying the patch for nginx security advisory (CVE-2024-24990)"
|
||||
patch -p1 < $root/patches/nginx-CVE-2024-24990.patch || exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
echo "$info_txt applying the upstream_timeout_fields patch for nginx"
|
||||
patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
|
||||
echo
|
||||
@ -597,7 +585,7 @@ mv openresty-rds-csv-nginx-module-* rds-csv-nginx-module-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.37
|
||||
ver=0.36
|
||||
$root/util/get-tarball "https://github.com/openresty/headers-more-nginx-module/tarball/v$ver" -O headers-more-nginx-module-$ver.tar.gz || exit 1
|
||||
tar -xzf headers-more-nginx-module-$ver.tar.gz || exit 1
|
||||
mv openresty-headers-more-nginx-module-* headers-more-nginx-module-$ver || exit 1
|
||||
@ -611,7 +599,7 @@ mv openresty-drizzle-nginx-module-* drizzle-nginx-module-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.10.26
|
||||
ver=0.10.25
|
||||
$root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$ver.tar.gz" -O lua-nginx-module-$ver.tar.gz || exit 1
|
||||
tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
|
||||
mv lua-nginx-module-$ver ngx_lua-$ver || exit 1
|
||||
@ -625,7 +613,7 @@ mv openresty-lua-upstream-nginx-module-* ngx_lua_upstream-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.0.14
|
||||
ver=0.0.13
|
||||
$root/util/get-tarball "https://github.com/openresty/stream-lua-nginx-module/tarball/v$ver" -O stream-lua-nginx-module-$ver.tar.gz || exit 1
|
||||
tar -xzf stream-lua-nginx-module-$ver.tar.gz || exit 1
|
||||
mv openresty-stream-lua-nginx-module-* ngx_stream_lua-$ver || exit 1
|
||||
@ -639,7 +627,7 @@ mv openresty-array-var-nginx-module-* array-var-nginx-module-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.20
|
||||
ver=0.19
|
||||
$root/util/get-tarball "https://github.com/openresty/memc-nginx-module/tarball/v$ver" -O memc-nginx-module-$ver.tar.gz || exit 1
|
||||
tar -xzf memc-nginx-module-$ver.tar.gz || exit 1
|
||||
mv openresty-memc-nginx-module-* memc-nginx-module-$ver || exit 1
|
||||
@ -681,30 +669,10 @@ mv openresty-encrypted-session-nginx-module-* encrypted-session-nginx-module-$ve
|
||||
#mv ngx_http_upstream_keepalive-* upstream-keepalive-nginx-module-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.3.9
|
||||
$root/util/get-tarball "https://people.freebsd.org/~osa/ngx_http_redis-$ver.tar.gz" -O redis-nginx-module-$ver.tar.gz || exit 1
|
||||
tar -xzf redis-nginx-module-$ver.tar.gz || exit 1
|
||||
mv ngx_http_redis-* redis-nginx-module-$ver || exit 1
|
||||
|
||||
cd redis-nginx-module-$ver
|
||||
echo "applying ngx_http_redis-$ver-variables_in_redis_pass.patch"
|
||||
patch -p1 < $root/patches/ngx_http_redis-$ver-variables_in_redis_pass.patch || exit 1
|
||||
|
||||
echo
|
||||
echo "applying ngx_http_redis-$ver-default_port_fix.patch"
|
||||
patch -p1 < $root/patches/ngx_http_redis-$ver-default_port_fix.patch || exit 1
|
||||
echo
|
||||
|
||||
answer=`$root/util/ver-ge "$main_ver" 1.23.0`
|
||||
if [ "$answer" = "Y" ]; then
|
||||
echo
|
||||
echo "applying ngx_http_redis-$ver-remove_content_encoding.patch"
|
||||
patch -p1 < $root/patches/ngx_http_redis-$ver-remove_content_encoding.patch || exit 1
|
||||
echo
|
||||
fi
|
||||
|
||||
cd ..
|
||||
ver=0.4.0.1
|
||||
$root/util/get-tarball "https://github.com/openresty/ngx_http_redis/tarball/v$ver" -O ngx_http_redis-$ver.tar.gz || exit 1
|
||||
tar -xzf ngx_http_redis-$ver.tar.gz || exit 1
|
||||
mv openresty-ngx_http_redis-* ngx_http_redis-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
@ -737,7 +705,7 @@ resty_cli=resty-cli-$ver
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.0.8
|
||||
ver=0.0.7
|
||||
$root/util/get-tarball "https://github.com/openresty/opm/tarball/v$ver" -O opm-$ver.tar.gz || exit 1
|
||||
tar -xzf opm-$ver.tar.gz || exit 1
|
||||
mv openresty-opm-* opm-$ver || exit 1
|
||||
@ -809,7 +777,7 @@ mv openresty-lua-resty-redis-* lua-resty-redis-$ver || exit 1
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.27
|
||||
ver=0.26
|
||||
$root/util/get-tarball "https://github.com/openresty/lua-resty-mysql/tarball/v$ver" -O "lua-resty-mysql-$ver.tar.gz" || exit 1
|
||||
tar -xzf lua-resty-mysql-$ver.tar.gz || exit 1
|
||||
mv openresty-lua-resty-mysql-* lua-resty-mysql-$ver || exit 1
|
||||
@ -886,7 +854,7 @@ cd ..
|
||||
|
||||
#################################
|
||||
|
||||
ver=0.1.28
|
||||
ver=0.1.27
|
||||
$root/util/get-tarball "https://github.com/openresty/lua-resty-core/tarball/v$ver" -O "lua-resty-core-$ver.tar.gz" || exit 1
|
||||
tar -xzf lua-resty-core-$ver.tar.gz || exit 1
|
||||
mv openresty-lua-resty-core-* lua-resty-core-$ver || exit 1
|
||||
|
||||
Reference in New Issue
Block a user