Re: security update www/nginx to 1.22.1

2022-11-19 Thread Robert Nagy
On 15/11/22 14:56 +, Sergey A. Osokin wrote:
> Hi,
> 
> On Thu, Oct 27, 2022 at 01:58:01PM +, Sergey A. Osokin wrote:
> > 
> > [...]
> 
> Could you please provide an update.
> Thank you.
> 
> -- 
> Sergey A. Osokin

Hi

I've looked into your diff and there are a lot of issues that need
to be fixed, so please address these first:

- this is not FreeBSD, there is no PORTREVISION, so why did you add it?

- you do an update but you forgot to remove REVISION-main

- rearranging variables in an alphabetical order is nice, but
  completely useless in this case and it also makes the diff
  harder to read

- the distfile for the njs module is added, some variables are configured
  for it but then you don't actually enable the module, so it never gets
  built (this module also has to be dynamic)

- missing plist and descr for the new module

Thanks 

-- 
Regards,
Robert Nagy



Re: security update www/nginx to 1.22.1

2022-11-15 Thread Sergey A. Osokin
Hi,

On Thu, Oct 27, 2022 at 01:58:01PM +, Sergey A. Osokin wrote:
> 
> [...]

Could you please provide an update.
Thank you.

-- 
Sergey A. Osokin




Re: security update www/nginx to 1.22.1

2022-10-27 Thread Sergey A. Osokin
On Thu, Oct 20, 2022 at 04:43:56PM +, Sergey A. Osokin wrote:
> On Thu, Oct 20, 2022 at 08:47:13AM +0200, Robert Nagy wrote:
> > On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> > > On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > > > Hi,
> > > > 
> > > > could you please review the following changes for the security
> > > > update www/nginx to the recent stable version, 1.22.1.
> > > 
> > > adding maintainer to CC, it's usually helpful ..
> > 
> > that release and cve only affects the ngx_http_mp4_module which
> > we do not enable
> 
> Not a problem, here's another patch to add njs module I posted earlier
> and to update other third-party modules.

[...]

Could you please provide an update.
Thank you.

-- 
Sergey A. Osokin




Re: security update www/nginx to 1.22.1

2022-10-20 Thread Sergey A. Osokin
On Thu, Oct 20, 2022 at 08:47:13AM +0200, Robert Nagy wrote:
> On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> > On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > > Hi,
> > > 
> > > could you please review the following changes for the security
> > > update www/nginx to the recent stable version, 1.22.1.
> > 
> > adding maintainer to CC, it's usually helpful ..
> 
> that release and cve only affects the ngx_http_mp4_module which
> we do not enable

Not a problem, here's another patch to add njs module I posted earlier
and to update other third-party modules.

Thank you.

-- 
Sergey A. Osokin
Index: Makefile
===
RCS file: /cvs/ports/www/nginx/Makefile,v
retrieving revision 1.164
diff -u -p -r1.164 Makefile
--- Makefile	29 Aug 2022 19:15:18 -	1.164
+++ Makefile	20 Oct 2022 16:40:26 -
@@ -7,6 +7,7 @@ COMMENT-xslt=		nginx XSLT filter module
 COMMENT-mailproxy=	nginx mail proxy module
 COMMENT-stream=		nginx TCP/UDP proxy module
 COMMENT-naxsi=		nginx web application firewall module
+COMMENT-njs=		nginx JavaScript module
 COMMENT-ldap_auth=	nginx LDAP authentication module
 COMMENT-lua=		nginx lua scripting module
 COMMENT-headers_more=	nginx module for setting/adding/clearing headers
@@ -15,26 +16,28 @@ COMMENT-passenger=	nginx passenger (ruby
 COMMENT-rtmp=		nginx module for RTMP streaming
 COMMENT-securelink=	nginx HMAC secure link module
 
-VERSION=	1.22.0
+VERSION=	1.22.1
 DISTNAME=	nginx-${VERSION}
 CATEGORIES=	www
 
-VERSION-rtmp=	1.2.1
+PORTREVISION=	0
+
+VERSION-rtmp=	1.2.2
 
 PKGNAME-main=		${DISTNAME}
-PKGNAME-image_filter=	nginx-image_filter-${VERSION}
 PKGNAME-geoip2=		nginx-geoip2-${VERSION}
-PKGNAME-xslt=		nginx-xslt-${VERSION}
+PKGNAME-headers_more=	nginx-headers-more-${VERSION}
+PKGNAME-image_filter=	nginx-image_filter-${VERSION}
 PKGNAME-mailproxy=	nginx-mailproxy-${VERSION}
-PKGNAME-stream=		nginx-stream-${VERSION}
-PKGNAME-naxsi=		nginx-naxsi-${VERSION}
 PKGNAME-ldap_auth=	nginx-ldap_auth-${VERSION}
 PKGNAME-lua=		nginx-lua-${VERSION}
-PKGNAME-headers_more=	nginx-headers-more-${VERSION}
-PKGNAME-perl=		nginx-perl-${VERSION}
+PKGNAME-naxsi=		nginx-naxsi-${VERSION}
 PKGNAME-passenger=	nginx-passenger-${VERSION}
+PKGNAME-perl=		nginx-perl-${VERSION}
 PKGNAME-rtmp=		nginx-rtmp-${VERSION}
 PKGNAME-securelink=	nginx-securelink-${VERSION}
+PKGNAME-stream=		nginx-stream-${VERSION}
+PKGNAME-xslt=		nginx-xslt-${VERSION}
 
 REVISION-main=		0
 
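Review bot: `PORTREVISION= 0`, added right under CATEGORIES, is not a variable this Makefile's framework uses (revisions here are expressed as `REVISION-main`), and the unchanged `REVISION-main= 0` at the end of the hunk is left in place even though VERSION moves from 1.22.0 to 1.22.1. Drop the PORTREVISION line and remove REVISION-main as part of the version bump. The PKGNAME block is also reshuffled in the same hunk, which hides the fact that no PKGNAME-njs is added for the subpackage that COMMENT-njs introduces; keeping the existing order would let the functional changes (VERSION, VERSION-rtmp) stand out.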
@@ -48,14 +51,15 @@ MASTER_SITES1=	https://raw.githubusercon
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX}
 
 _GH_MODS=	\
-	openresty	headers-more-nginx-module	v0.33 \
-	openresty	lua-nginx-module		v0.10.11 \
-	nbs-system	naxsi1.3 \
-	kvspb		nginx-auth-ldap			83c059b73566c2ee9cbda920d91b66657cf120b7 \
 	arut		nginx-rtmp-module		v${VERSION-rtmp} \
-	simpl		ngx_devel_kit			v0.3.0 \
+	kvspb		nginx-auth-ldap			83c059b73566c2ee9cbda920d91b66657cf120b7 \
 	leev		ngx_http_geoip2_module		3.3 \
-	nginx-modules	ngx_http_hmac_secure_link_module 48c4625fbbf51ed5a95bfec23fa444f6c3702e50
+	nbs-system	naxsi1.3 \
+	nginx		njs0.7.7 \
+	nginx-modules	ngx_http_hmac_secure_link_module 8c5449202cd5afd8970f316bd6828d28281dc9bc \
+	openresty	headers-more-nginx-module	v0.33 \
+	openresty	lua-nginx-module		v0.10.11 \
+	vision5		ngx_devel_kit			v0.3.1
 
 .for _a _p _c in ${_GH_MODS}
 DISTFILES+=	${_p}-{${_a}/${_p}/archive/}${_c}.tar.gz:0
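Review bot: Two pins change inside the reordered _GH_MODS list without being called out: ngx_http_hmac_secure_link_module moves from commit 48c4625... to 8c54492..., and ngx_devel_kit changes both owner (simpl to vision5) and tag (v0.3.0 to v0.3.1). Every entry is turned into a GitHub archive download by the `.for _a _p _c` loop that follows, so a changed owner or commit should appear as its own -/+ pair and be named in the commit message, which currently mentions only the nginx 1.22.1 security fix. Please leave the list in its original order and add only the njs entry and the intended bumps.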
@@ -70,9 +74,9 @@ PERMIT_PACKAGE=	Yes
 
 MULTI_PACKAGES =	-main -naxsi -perl ${MODULE_PACKAGES}
 
-MODULE_PACKAGES =	-image_filter -geoip2 -xslt -mailproxy -stream \
-			-passenger -headers_more -ldap_auth -lua -rtmp \
-			-securelink
+MODULE_PACKAGES =	-headers_more -geoip2 -image_filter \
+			-ldap_auth -lua -mailproxy -passenger \
+			-rtmp -securelink -stream -xslt
 
 FLAVOR ?=
 PSEUDO_FLAVORS =	no_lua no_passenger
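Review bot: `-njs` is missing from both MULTI_PACKAGES and the rewritten MODULE_PACKAGES, so the subpackage that COMMENT-njs and WANTLIB-njs describe is never produced. Add `-njs` to MODULE_PACKAGES if the module is meant to ship. The new list is also not in the alphabetical order it seems to aim for (`-headers_more` comes before `-geoip2`), so the reorder only adds noise; keeping the old order and appending the new entry would make this a one-line change.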
@@ -82,29 +86,30 @@ COMPILER =		base-clang ports-gcc base-gc
 .include 
 
 WANTLIB-main=		c z pcre ssl crypto
-WANTLIB-mailproxy=
-WANTLIB-stream=
-WANTLIB-image_filter=	gd
+WANTLIB-headers_more=
 WANTLIB-geoip2=		maxminddb
-WANTLIB-rtmp=
-WANTLIB-xslt=		exslt xml2 xslt
-WANTLIB-naxsi=
+WANTLIB-image_filter=	gd
 WANTLIB-ldap_auth=	ldap
+WANTLIB-mailproxy=
+WANTLIB-naxsi=
+WANTLIB-njs=
 WANTLIB-lua=		${MODLUA_WANTLIB} m
-WANTLIB-headers_more=
 WANTLIB-perl=		c m perl
 WANTLIB-passenger=	m pthread ${COMPILER_LIBCXX}
+WANTLIB-rtmp=
 WANTLIB-securelink=	crypto
+WANTLIB-stream=
+WANTLIB-xslt=		exslt xml2 xslt
 
 LIB_DEPENDS-main=	devel/pcre
-LIB_DEPENDS-xslt=	textproc/libxml \
-			textproc/libxslt
-LIB_DEPENDS-image_filter=graphics/gd
 LIB_DEPENDS-geoip2=	net/libmaxminddb
+LIB_DEPENDS-image_filter=graphics/gd
 LIB_DEPENDS-ldap_auth=	databases/openldap
 LIB_DEPENDS-lua=	${MODLUA_LIB_DEPENDS}
 LIB_DEPENDS-rtmp=
 LIB_DEPENDS-securelink=
+LIB_DEPENDS-xslt=	textproc/libxml \
+			textproc/libxslt
 
 MODLUA_RUNDEP=		No
 RUN_DEPENDS=		www/nginx,-main=${VERSION}
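Review bot: The only functional addition in this hunk is `WANTLIB-njs=`; every other WANTLIB and LIB_DEPENDS line is moved, not changed, and the WANTLIB block still ends up unsorted (headers_more precedes geoip2, njs precedes lua, perl precedes passenger). Revert the moves and add the single njs line next to the other module entries so that the dependency changes can be checked at a glance.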
@@ -196,7 +201,7 @@ NO_TEST=		Yes
 ALL_TARGET=
 
 pre-patch:
-.for i in headers-more-nginx-module lua-nginx-module 

Re: security update www/nginx to 1.22.1

2022-10-20 Thread Robert Nagy
On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > Hi,
> > 
> > could you please review the following changes for the security
> > update www/nginx to the recent stable version, 1.22.1.
> 
> adding maintainer to CC, it's usually helpful ..

that release and cve only affects the ngx_http_mp4_module which
we do not enable



Re: security update www/nginx to 1.22.1

2022-10-19 Thread Stuart Henderson
On 2022/10/19 16:30, Sergey A. Osokin wrote:
> Hi,
> 
> could you please review the following changes for the security
> update www/nginx to the recent stable version, 1.22.1.

adding maintainer to CC, it's usually helpful ..

> Here's the commit message.
> ---
> www/nginx: security update 1.22.0 -> 1.22.1
> 
> 
> 
> *) Security: processing of a specially crafted mp4 file by the
>    ngx_http_mp4_module might cause a worker process crash, worker
>    process memory disclosure, or might have potential other impact
>    (CVE-2022-41741, CVE-2022-41742).

I'm ok with the update however it is a noop for us as we don't build
that module in the port.