Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2019-08-15 12:29:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Thu Aug 15 12:29:44 2019 rev:39 rq:723397 version:1.17.3 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2019-07-24 20:35:03.850577187 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new.9556/nginx.changes 2019-08-15 12:29:45.550472422 +0200 @@ -1,0 +2,12 @@ +Wed Aug 14 23:21:27 UTC 2019 - Marcus Rueckert <[email protected]> + +- update to 1.17.3 + - Security: when using HTTP/2 a client might cause excessive + memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, + CVE-2019-9516). + - Bugfix: "zero size buf" alerts might appear in logs when using + gzipping; the bug had appeared in 1.17.2. + - Bugfix: a segmentation fault might occur in a worker process if + the "resolver" directive was used in SMTP proxy. + +------------------------------------------------------------------- Old: ---- nginx-1.17.2.tar.gz nginx-1.17.2.tar.gz.asc New: ---- nginx-1.17.3.tar.gz nginx-1.17.3.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.1NWxcd/_old 2019-08-15 12:29:46.986471089 +0200 +++ /var/tmp/diff_new_pack.1NWxcd/_new 2019-08-15 12:29:46.990471086 +0200 @@ -70,7 +70,7 @@ %define ngx_doc_dir %{_datadir}/doc/packages/%{name} # Name: nginx -Version: 1.17.2 +Version: 1.17.3 Release: 0 %define ngx_fancyindex_version 0.4.2 %define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version} ++++++ nginx-1.17.2.tar.gz -> nginx-1.17.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/CHANGES new/nginx-1.17.3/CHANGES --- old/nginx-1.17.2/CHANGES 2019-07-23 14:01:51.000000000 +0200 +++ new/nginx-1.17.3/CHANGES 2019-08-13 14:46:01.000000000 +0200 
@@ -1,4 +1,17 @@ +Changes with nginx 1.17.3 13 Aug 2019 + + *) Security: when using HTTP/2 a client might cause excessive memory + consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, + CVE-2019-9516). + + *) Bugfix: "zero size buf" alerts might appear in logs when using + gzipping; the bug had appeared in 1.17.2. + + *) Bugfix: a segmentation fault might occur in a worker process if the + "resolver" directive was used in SMTP proxy. + + Changes with nginx 1.17.2 23 Jul 2019 *) Change: minimum supported zlib version is 1.2.0.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/CHANGES.ru new/nginx-1.17.3/CHANGES.ru --- old/nginx-1.17.2/CHANGES.ru 2019-07-23 14:01:50.000000000 +0200 +++ new/nginx-1.17.3/CHANGES.ru 2019-08-13 14:46:00.000000000 +0200 @@ -1,4 +1,17 @@ +Изменения в nginx 1.17.3 13.08.2019 + + *) Безопасность: при использовании HTTP/2 клиент мог вызвать чрезмерное + потребление памяти и ресурсов процессора (CVE-2019-9511, + CVE-2019-9513, CVE-2019-9516). + + *) Исправление: при использовании сжатия в логах могли появляться + сообщения "zero size buf"; ошибка появилась в 1.17.2. + + *) Исправление: при использовании директивы resolver в SMTP + прокси-сервере в рабочем процессе мог произойти segmentation fault. + + Изменения в nginx 1.17.2 23.07.2019 *) Изменение: минимальная поддерживаемая версия zlib - 1.2.0.4. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/core/nginx.h new/nginx-1.17.3/src/core/nginx.h --- old/nginx-1.17.2/src/core/nginx.h 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/core/nginx.h 2019-08-13 14:45:57.000000000 +0200 
@@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1017002 -#define NGINX_VERSION "1.17.2" +#define nginx_version 1017003 +#define NGINX_VERSION "1.17.3" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/http/modules/ngx_http_gzip_filter_module.c new/nginx-1.17.3/src/http/modules/ngx_http_gzip_filter_module.c --- old/nginx-1.17.2/src/http/modules/ngx_http_gzip_filter_module.c 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/http/modules/ngx_http_gzip_filter_module.c 2019-08-13 14:45:57.000000000 +0200 @@ -778,7 +778,7 @@ ctx->out_buf->last = ctx->zstream.next_out; - if (ctx->zstream.avail_out == 0) { + if (ctx->zstream.avail_out == 0 && rc != Z_STREAM_END) { /* zlib wants to output some more gzipped data */ @@ -868,6 +868,7 @@ ngx_http_gzip_ctx_t *ctx) { int rc; + ngx_buf_t *b; ngx_chain_t *cl; ctx->zin = ctx->zstream.total_in; @@ -888,13 +889,19 @@ return NGX_ERROR; } - cl->buf = ctx->out_buf; + b = ctx->out_buf; + + if (ngx_buf_size(b) == 0) { + b->temporary = 0; + } + + b->last_buf = 1; + + cl->buf = b; cl->next = NULL; *ctx->last_out = cl; ctx->last_out = &cl->next; - ctx->out_buf->last_buf = 1; - ctx->zstream.avail_in = 0; ctx->zstream.avail_out = 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/http/v2/ngx_http_v2.c new/nginx-1.17.3/src/http/v2/ngx_http_v2.c --- old/nginx-1.17.2/src/http/v2/ngx_http_v2.c 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/http/v2/ngx_http_v2.c 2019-08-13 14:45:57.000000000 +0200 @@ -273,6 +273,7 @@ h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); h2c->concurrent_pushes = h2scf->concurrent_pushes; + h2c->priority_limit = h2scf->concurrent_streams; h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); if (h2c->pool == NULL) { 
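Review bot: The new `if (ngx_buf_size(b) == 0) { b->temporary = 0; }` in the `@@ -888,13 +889,19 @@` hunk has no comment, and clearing a buffer flag on the final output buffer is not self-explanatory. Judging by the changelog entry, it appears to let an empty last buffer travel as a flag-only buffer instead of tripping the "zero size buf" alert; a comment such as `/* empty final buffer: keep only last_buf so it is not reported as a zero size buf */` would record that. The same goes for the `rc != Z_STREAM_END` condition added in the `@@ -778,7 +778,7 @@` hunk, where the existing comment "zlib wants to output some more gzipped data" no longer describes the whole condition. Both enclosing functions start and end outside the hunks.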
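Review bot: The PRIORITY budget is seeded directly from `h2scf->concurrent_streams` in the `@@ -273,6 +273,7 @@` hunk and tested with `--h2c->priority_limit == 0` in the `@@ -1796,6 +1805,13 @@` hunk, so it behaves oddly at small configured values. `priority_limit` is declared `ngx_uint_t`, so a starting value of 0 would wrap on the first decrement and the guard would effectively never fire, while a value of 1 fails the connection with ENHANCE_YOUR_CALM on the first PRIORITY frame a well-behaved client sends. Whether the directive accepts such values is not visible here. A floor at initialisation would avoid both cases, for example `h2c->priority_limit = ngx_max(h2scf->concurrent_streams, 100);` (the floor value is a suggestion), and the top-up in the `@@ -3112,6 +3128,8 @@` hunk can stay as it is. The enclosing functions lie outside the hunks.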
@@ -1546,6 +1547,14 @@ header->name.len = h2c->state.field_end - h2c->state.field_start; header->name.data = h2c->state.field_start; + if (header->name.len == 0) { + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent zero header name length"); + + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_PROTOCOL_ERROR); + } + return ngx_http_v2_state_field_len(h2c, pos, end); } @@ -1796,6 +1805,13 @@ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } + if (--h2c->priority_limit == 0) { + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent too many PRIORITY frames"); + + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); + } + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { return ngx_http_v2_state_save(h2c, pos, end, ngx_http_v2_state_priority); @@ -3112,6 +3128,8 @@ h2c->processing++; } + h2c->priority_limit += h2scf->concurrent_streams; + return stream; } @@ -3249,10 +3267,6 @@ ngx_uint_t i; ngx_http_core_srv_conf_t *cscf; - if (header->name.len == 0) { - return NGX_ERROR; - } - r->invalid_header = 0; cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); @@ -4365,6 +4379,8 @@ */ pool = stream->pool; + h2c->frames -= stream->frames; + ngx_http_free_request(stream->request, rc); if (pool != h2c->state.pool) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/http/v2/ngx_http_v2.h new/nginx-1.17.3/src/http/v2/ngx_http_v2.h --- old/nginx-1.17.2/src/http/v2/ngx_http_v2.h 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/http/v2/ngx_http_v2.h 2019-08-13 14:45:57.000000000 +0200 @@ -122,6 +122,7 @@ ngx_uint_t processing; ngx_uint_t frames; ngx_uint_t idle; + ngx_uint_t priority_limit; ngx_uint_t pushing; ngx_uint_t concurrent_pushes; 
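Review bot: With the `header->name.len == 0` guard deleted in the `@@ -3249,10 +3267,6 @@` hunk, that function now depends on every caller having rejected empty names, and nothing in the code says so. The new connection-level check in the `@@ -1546,6 +1547,14 @@` hunk covers names as they are parsed from the header block. Whether names that reach the later function by other routes (for example from the header table) are always non-empty cannot be confirmed from the visible lines. I would record the precondition where the guard was removed, `/* header->name.len is non-zero: empty names are rejected while parsing the header block */`, or keep the cheap check there as a defensive fallback. Both functions start outside the hunks.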
@@ -192,6 +193,8 @@ ngx_buf_t *preread; + ngx_uint_t frames; + ngx_http_v2_out_frame_t *free_frames; ngx_chain_t *free_frame_headers; ngx_chain_t *free_bufs; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/http/v2/ngx_http_v2_filter_module.c new/nginx-1.17.3/src/http/v2/ngx_http_v2_filter_module.c --- old/nginx-1.17.2/src/http/v2/ngx_http_v2_filter_module.c 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/http/v2/ngx_http_v2_filter_module.c 2019-08-13 14:45:57.000000000 +0200 @@ -1669,22 +1669,34 @@ ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, size_t len, ngx_chain_t *first, ngx_chain_t *last) { - u_char flags; - ngx_buf_t *buf; - ngx_chain_t *cl; - ngx_http_v2_out_frame_t *frame; + u_char flags; + ngx_buf_t *buf; + ngx_chain_t *cl; + ngx_http_v2_out_frame_t *frame; + ngx_http_v2_connection_t *h2c; frame = stream->free_frames; + h2c = stream->connection; if (frame) { stream->free_frames = frame->next; - } else { + } else if (h2c->frames < 10000) { frame = ngx_palloc(stream->request->pool, sizeof(ngx_http_v2_out_frame_t)); if (frame == NULL) { return NULL; } + + stream->frames++; + h2c->frames++; + + } else { + ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "http2 flood detected"); + + h2c->connection->error = 1; + return NULL; } flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.17.2/src/mail/ngx_mail_smtp_handler.c new/nginx-1.17.3/src/mail/ngx_mail_smtp_handler.c --- old/nginx-1.17.2/src/mail/ngx_mail_smtp_handler.c 2019-07-23 14:01:47.000000000 +0200 +++ new/nginx-1.17.3/src/mail/ngx_mail_smtp_handler.c 2019-08-13 14:45:57.000000000 +0200 
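Review bot: The frame cap is written as a bare literal in `} else if (h2c->frames < 10000) {`, which gives no hint of why this value was chosen or whether it must match a limit applied elsewhere to `h2c->frames`. A named constant would make the flood threshold searchable and keep any other users of the counter in step, e.g. `#define NGX_HTTP_V2_MAX_FRAMES 10000` with `} else if (h2c->frames < NGX_HTTP_V2_MAX_FRAMES) {` (the name is a suggestion). A short comment is also worthwhile saying that `stream->frames` counts only frames newly allocated from the request pool, not ones reused from `stream->free_frames`, because `h2c->frames -= stream->frames;` in the `@@ -4365,6 +4379,8 @@` hunk relies on the two counters moving together. The function continues past the end of the hunk.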
@@ -15,6 +15,7 @@ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx); static void ngx_mail_smtp_resolve_name(ngx_event_t *rev); static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx); +static void ngx_mail_smtp_block_reading(ngx_event_t *rev); static void ngx_mail_smtp_greeting(ngx_mail_session_t *s, ngx_connection_t *c); static void ngx_mail_smtp_invalid_pipelining(ngx_event_t *rev); static ngx_int_t ngx_mail_smtp_create_buffer(ngx_mail_session_t *s, @@ -88,6 +89,9 @@ ctx->data = s; ctx->timeout = cscf->resolver_timeout; + s->resolver_ctx = ctx; + c->read->handler = ngx_mail_smtp_block_reading; + if (ngx_resolve_addr(ctx) != NGX_OK) { ngx_mail_close_connection(c); } @@ -169,6 +173,9 @@ ctx->data = s; ctx->timeout = cscf->resolver_timeout; + s->resolver_ctx = ctx; + c->read->handler = ngx_mail_smtp_block_reading; + if (ngx_resolve_name(ctx) != NGX_OK) { ngx_mail_close_connection(c); } @@ -239,6 +246,38 @@ static void +ngx_mail_smtp_block_reading(ngx_event_t *rev) +{ + ngx_connection_t *c; + ngx_mail_session_t *s; + ngx_resolver_ctx_t *ctx; + + c = rev->data; + s = c->data; + + ngx_log_debug0(NGX_LOG_DEBUG_MAIL, c->log, 0, "smtp reading blocked"); + + if (ngx_handle_read_event(rev, 0) != NGX_OK) { + + if (s->resolver_ctx) { + ctx = s->resolver_ctx; + + if (ctx->handler == ngx_mail_smtp_resolve_addr_handler) { + ngx_resolve_addr_done(ctx); + + } else if (ctx->handler == ngx_mail_smtp_resolve_name_handler) { + ngx_resolve_name_done(ctx); + } + + s->resolver_ctx = NULL; + } + + ngx_mail_close_connection(c); + } +} + + +static void ngx_mail_smtp_greeting(ngx_mail_session_t *s, ngx_connection_t *c) { ngx_msec_t timeout; @@ -258,6 +297,10 @@ ngx_mail_close_connection(c); } + if (c->read->ready) { + ngx_post_event(c->read, &ngx_posted_events); + } + if (sscf->greeting_delay) { c->read->handler = ngx_mail_smtp_invalid_pipelining; return;
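Review bot: `s->resolver_ctx` is set before each resolve call in the `@@ -88,6 +89,9 @@` and `@@ -169,6 +173,9 @@` hunks, but the only place these hunks reset it is the failure branch of `ngx_mail_smtp_block_reading`. If the resolve handlers, whose bodies are outside the hunks, release the context without clearing the field, the session keeps a stale pointer. `ngx_mail_smtp_block_reading` is then safe only as long as the read handler has been replaced before the context is released. I would either add `s->resolver_ctx = NULL;` next to each `ngx_resolve_addr_done(ctx)` / `ngx_resolve_name_done(ctx)` call in the handlers, or state that invariant in a comment above `ngx_mail_smtp_block_reading`.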
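Review bot: In the `@@ -258,6 +297,10 @@` hunk the added `if (c->read->ready)` block follows a branch that calls `ngx_mail_close_connection(c);` and, as far as the context lines show, falls through without returning. On that path the new code would post a read event for a connection that has just been closed, and the handler assignments below it would still run. Adding `return;` after the `ngx_mail_close_connection(c);` call would keep the new block off the closed connection. The condition guarding the close and the rest of `ngx_mail_smtp_greeting` are outside the hunk.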
