Re: security update www/nginx to 1.22.1
On 15/11/22 14:56 +, Sergey A. Osokin wrote:
> Hi,
>
> On Thu, Oct 27, 2022 at 01:58:01PM +, Sergey A. Osokin wrote:
> >
> > [...]
>
> Could you please provide an update.
> Thank you.
>
> --
> Sergey A. Osokin

Hi

I've looked into your diff and there are a lot of issues that need to be fixed, so please address these first:

- this is not freebsd, there is no PORTREVISION, so why did you add it?
- you do an update but you forgot to remove REVISION-main
- rearranging variables in an alphabetical order is nice, but completely useless in this case and it also makes the diff harder to read
- the distfile for the njs module is added, some variables are configured for it but then you don't actually enable the module, so it never gets built (this module also has to be dynamic)
- missing plist and descr for the new module

Thanks
--
Regards,
Robert Nagy
Re: security update www/nginx to 1.22.1
Hi,

On Thu, Oct 27, 2022 at 01:58:01PM +, Sergey A. Osokin wrote:
>
> [...]

Could you please provide an update.
Thank you.

--
Sergey A. Osokin
Re: security update www/nginx to 1.22.1
On Thu, Oct 20, 2022 at 04:43:56PM +, Sergey A. Osokin wrote:
> On Thu, Oct 20, 2022 at 08:47:13AM +0200, Robert Nagy wrote:
> > On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> > > On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > > > Hi,
> > > >
> > > > could you please review the following changes for the security
> > > > update www/nginx to the recent stable version, 1.22.1.
> > >
> > > adding maintainer to CC, it's usually helpful ..
> >
> > that release and cve only affects the ngx_http_mp4_module which
> > we do not enable
>
> Not a problem, here's another patch to add njs module I posted earlier
> and to update other third-party modules.

[...]

Could you please provide an update.
Thank you.

--
Sergey A. Osokin
Re: security update www/nginx to 1.22.1
On Thu, Oct 20, 2022 at 08:47:13AM +0200, Robert Nagy wrote:
> On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> > On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > > Hi,
> > >
> > > could you please review the following changes for the security
> > > update www/nginx to the recent stable version, 1.22.1.
> >
> > adding maintainer to CC, it's usually helpful ..
>
> that release and cve only affects the ngx_http_mp4_module which
> we do not enable

Not a problem, here's another patch to add njs module I posted earlier
and to update other third-party modules.

Thank you.

--
Sergey A. Osokin

Index: Makefile === RCS file: /cvs/ports/www/nginx/Makefile,v retrieving revision 1.164 diff -u -p -r1.164 Makefile --- Makefile 29 Aug 2022 19:15:18 - 1.164 +++ Makefile 20 Oct 2022 16:40:26 - @@ -7,6 +7,7 @@ COMMENT-xslt= nginx XSLT filter module COMMENT-mailproxy= nginx mail proxy module COMMENT-stream= nginx TCP/UDP proxy module COMMENT-naxsi= nginx web application firewall module +COMMENT-njs= nginx JavaScript module COMMENT-ldap_auth= nginx LDAP authentication module COMMENT-lua= nginx lua scripting module COMMENT-headers_more= nginx module for setting/adding/clearing headers 
@@ -15,26 +16,28 @@ COMMENT-passenger= nginx passenger (ruby COMMENT-rtmp= nginx module for RTMP streaming COMMENT-securelink= nginx HMAC secure link module -VERSION= 1.22.0 +VERSION= 1.22.1 DISTNAME= nginx-${VERSION} CATEGORIES= www -VERSION-rtmp= 1.2.1 +PORTREVISION= 0 + +VERSION-rtmp= 1.2.2 PKGNAME-main= ${DISTNAME} -PKGNAME-image_filter= nginx-image_filter-${VERSION} PKGNAME-geoip2= nginx-geoip2-${VERSION} -PKGNAME-xslt= nginx-xslt-${VERSION} +PKGNAME-headers_more= nginx-headers-more-${VERSION} +PKGNAME-image_filter= nginx-image_filter-${VERSION} PKGNAME-mailproxy= nginx-mailproxy-${VERSION} -PKGNAME-stream= nginx-stream-${VERSION} -PKGNAME-naxsi= nginx-naxsi-${VERSION} PKGNAME-ldap_auth= nginx-ldap_auth-${VERSION} PKGNAME-lua= nginx-lua-${VERSION} -PKGNAME-headers_more= nginx-headers-more-${VERSION} -PKGNAME-perl= nginx-perl-${VERSION} +PKGNAME-naxsi= nginx-naxsi-${VERSION} PKGNAME-passenger= nginx-passenger-${VERSION} +PKGNAME-perl= nginx-perl-${VERSION} PKGNAME-rtmp= nginx-rtmp-${VERSION} PKGNAME-securelink= nginx-securelink-${VERSION} +PKGNAME-stream= nginx-stream-${VERSION} +PKGNAME-xslt= nginx-xslt-${VERSION} REVISION-main= 0 
@@ -48,14 +51,15 @@ MASTER_SITES1= https://raw.githubusercon DISTFILES= ${DISTNAME}${EXTRACT_SUFX} _GH_MODS= \ - openresty headers-more-nginx-module v0.33 \ - openresty lua-nginx-module v0.10.11 \ - nbs-system naxsi1.3 \ - kvspb nginx-auth-ldap 83c059b73566c2ee9cbda920d91b66657cf120b7 \ arut nginx-rtmp-module v${VERSION-rtmp} \ - simpl ngx_devel_kit v0.3.0 \ + kvspb nginx-auth-ldap 83c059b73566c2ee9cbda920d91b66657cf120b7 \ leev ngx_http_geoip2_module 3.3 \ - nginx-modules ngx_http_hmac_secure_link_module 48c4625fbbf51ed5a95bfec23fa444f6c3702e50 + nbs-system naxsi1.3 \ + nginx njs0.7.7 \ + nginx-modules ngx_http_hmac_secure_link_module 8c5449202cd5afd8970f316bd6828d28281dc9bc \ + openresty headers-more-nginx-module v0.33 \ + openresty lua-nginx-module v0.10.11 \ + vision5 ngx_devel_kit v0.3.1 .for _a _p _c in ${_GH_MODS} DISTFILES+= ${_p}-{${_a}/${_p}/archive/}${_c}.tar.gz:0 @@ -70,9 +74,9 @@ PERMIT_PACKAGE= Yes MULTI_PACKAGES = -main -naxsi -perl ${MODULE_PACKAGES} -MODULE_PACKAGES = -image_filter -geoip2 -xslt -mailproxy -stream \ - -passenger -headers_more -ldap_auth -lua -rtmp \ - -securelink +MODULE_PACKAGES = -headers_more -geoip2 -image_filter \ + -ldap_auth -lua -mailproxy -passenger \ + -rtmp -securelink -stream -xslt FLAVOR ?= PSEUDO_FLAVORS = no_lua no_passenger 
@@ -82,29 +86,30 @@ COMPILER = base-clang ports-gcc base-gc .include WANTLIB-main= c z pcre ssl crypto -WANTLIB-mailproxy= -WANTLIB-stream= -WANTLIB-image_filter= gd +WANTLIB-headers_more= WANTLIB-geoip2= maxminddb -WANTLIB-rtmp= -WANTLIB-xslt= exslt xml2 xslt -WANTLIB-naxsi= +WANTLIB-image_filter= gd WANTLIB-ldap_auth= ldap +WANTLIB-mailproxy= +WANTLIB-naxsi= +WANTLIB-njs= WANTLIB-lua= ${MODLUA_WANTLIB} m -WANTLIB-headers_more= WANTLIB-perl= c m perl WANTLIB-passenger= m pthread ${COMPILER_LIBCXX} +WANTLIB-rtmp= WANTLIB-securelink= crypto +WANTLIB-stream= +WANTLIB-xslt= exslt xml2 xslt LIB_DEPENDS-main= devel/pcre -LIB_DEPENDS-xslt= textproc/libxml \ - textproc/libxslt -LIB_DEPENDS-image_filter=graphics/gd LIB_DEPENDS-geoip2= net/libmaxminddb +LIB_DEPENDS-image_filter=graphics/gd LIB_DEPENDS-ldap_auth= databases/openldap LIB_DEPENDS-lua= ${MODLUA_LIB_DEPENDS} LIB_DEPENDS-rtmp= LIB_DEPENDS-securelink= +LIB_DEPENDS-xslt= textproc/libxml \ + textproc/libxslt MODLUA_RUNDEP= No RUN_DEPENDS= www/nginx,-main=${VERSION} @@ -196,7 +201,7 @@ NO_TEST= Yes ALL_TARGET= pre-patch: -.for i in headers-more-nginx-module lua-nginx-module
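Review bot: In the hunk at @@ -15,26 +16,28 @@ the added "PORTREVISION= 0" should be dropped and the unchanged "REVISION-main= 0" should be removed instead, since VERSION moves from 1.22.0 to 1.22.1 in the same hunk. The hunk also adds no PKGNAME-njs line although COMMENT-njs and WANTLIB-njs are introduced elsewhere in the diff. The alphabetical reshuffle of the PKGNAME-* lines is mixed in with these functional changes and would be easier to check as a separate diff, or left out.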
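Review bot: The _GH_MODS hunk at @@ -48,14 +51,15 @@ changes where third-party code is fetched from without saying why: ngx_devel_kit moves from the "simpl" account at v0.3.0 to "vision5" at v0.3.1, and ngx_http_hmac_secure_link_module is re-pinned from commit 48c4625f... to 8c544920.... Together with the new njs entry and the rtmp bump to 1.2.2, each of these is a new tarball to trust, so the mail should state the reason for the owner change and the pin change, and the diff needs matching distinfo lines for every new archive (none are visible in the part of the patch shown here). Sorting the list in the same hunk hides these changes among moved lines.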
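Review bot: The new MODULE_PACKAGES value in the hunk at @@ -70,9 +74,9 @@ has no -njs entry, so the njs subpackage is never part of MULTI_PACKAGES even though the diff adds COMMENT-njs, WANTLIB-njs and an njs distfile. Either add -njs here together with the rest of the subpackage, or leave the njs lines out of this update. The remaining change in this hunk is only a reordering of the existing entries and could be dropped.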
Re: security update www/nginx to 1.22.1
On 19/10/22 18:23 +0100, Stuart Henderson wrote:
> On 2022/10/19 16:30, Sergey A. Osokin wrote:
> > Hi,
> >
> > could you please review the following changes for the security
> > update www/nginx to the recent stable version, 1.22.1.
>
> adding maintainer to CC, it's usually helpful ..

that release and cve only affects the ngx_http_mp4_module which
we do not enable
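The reply above turns on whether ngx_http_mp4_module is compiled into the build. The following is an added example, not part of the thread or of the port: a shell check that classifies the text printed by `nginx -V 2>&1`. The function names and sample outputs are constructed for illustration, and only the 1.22 stable branch is judged because that is the only fixed version the thread names.

```sh
#!/bin/sh
# Constructed sample `nginx -V` outputs (not taken from any real host).
SAMPLE_PORT='nginx version: nginx/1.22.0
configure arguments: --prefix=/var/www --with-http_ssl_module --with-http_gzip_static_module'
SAMPLE_MP4='nginx version: nginx/1.22.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_FIXED='nginx version: nginx/1.22.1
configure arguments: --with-http_mp4_module'

# Print "yes" if the build was configured with the mp4 module, else "no".
has_mp4_module() {
    case "$1" in
        *--with-http_mp4_module*) echo yes ;;
        *) echo no ;;
    esac
}

# Extract e.g. "1.22.0" from the "nginx version: nginx/1.22.0" line.
nginx_version() {
    printf '%s\n' "$1" |
        sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Classify a build as: not-built | affected | fixed | unknown.
# Branches other than 1.22 return "unknown" rather than a guess.
mp4_exposure() {
    [ "$(has_mp4_module "$1")" = yes ] || { echo not-built; return; }
    ver=$(nginx_version "$1")
    case "$ver" in
        1.22.*) patch=${ver#1.22.} ;;
        *) echo unknown; return ;;
    esac
    case "$patch" in
        ''|*[!0-9]*) echo unknown ;;
        0) echo affected ;;
        *) echo fixed ;;
    esac
}

# Run the classifier over the constructed samples.
for s in "$SAMPLE_PORT" "$SAMPLE_MP4" "$SAMPLE_FIXED"; do
    echo "$(nginx_version "$s"): $(mp4_exposure "$s")"
done
```

On a live host the input would be `mp4_exposure "$(nginx -V 2>&1)"`.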
Re: security update www/nginx to 1.22.1
On 2022/10/19 16:30, Sergey A. Osokin wrote:
> Hi,
>
> could you please review the following changes for the security
> update www/nginx to the recent stable version, 1.22.1.

adding maintainer to CC, it's usually helpful ..

> Here's the commit message.
> -------
> www/nginx: security update 1.22.0 -> 1.22.1
>
> *) Security: processing of a specially crafted mp4 file by the
>    ngx_http_mp4_module might cause a worker process crash, worker
>    process memory disclosure, or might have potential other impact
>    (CVE-2022-41741, CVE-2022-41742).

I'm ok with the update however it is a noop for us as we don't build
that module in the port.
security update www/nginx to 1.22.1
Hi,

could you please review the following changes for the security
update www/nginx to the recent stable version, 1.22.1.

Here's the commit message.
---
www/nginx: security update 1.22.0 -> 1.22.1

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, worker
   process memory disclosure, or might have potential other impact
   (CVE-2022-41741, CVE-2022-41742).
---

Thank you.

--
Sergey A. Osokin

Index: Makefile === RCS file: /cvs/ports/www/nginx/Makefile,v retrieving revision 1.164 diff -u -p -r1.164 Makefile --- Makefile 29 Aug 2022 19:15:18 - 1.164 +++ Makefile 19 Oct 2022 16:22:00 - @@ -15,7 +15,7 @@ COMMENT-passenger= nginx passenger (ruby COMMENT-rtmp= nginx module for RTMP streaming COMMENT-securelink= nginx HMAC secure link module -VERSION= 1.22.0 +VERSION= 1.22.1 DISTNAME= nginx-${VERSION} CATEGORIES= www Index: distinfo === RCS file: /cvs/ports/www/nginx/distinfo,v retrieving revision 1.79 diff -u -p -r1.79 distinfo --- distinfo 30 May 2022 08:17:34 - 1.79 +++ distinfo 19 Oct 2022 16:22:00 - @@ -2,7 +2,7 @@ SHA256 (headers-more-nginx-module-v0.33. SHA256 (lua-nginx-module-v0.10.11.tar.gz) = wPuR/P0cbn3sNMpkgm74H/66/e9hdNJURnY284BWZiY= SHA256 (naxsi-1.3.tar.gz) = Q5yGdzctJZe0Ngu8wQvIZJDeH8dWlbGTrV3xVKIU1ig= SHA256 (nginx-1.20.1-chroot.patch) = SS1TB0j8N4/dn5pUTGT6WvkN3aAUuKz5+R0Nt+MG0gk= -SHA256 (nginx-1.22.0.tar.gz) = sz1Wmm8RoBQzpXzhfoOTXpU61Nx3zdTUD4lsiKwm61M= +SHA256 (nginx-1.22.1.tar.gz) = nrszOp6CuVKs0+K0rrHU/2QG9ySRurbNn+afDepzfzE= SHA256 (nginx-auth-ldap-83c059b73566c2ee9cbda920d91b66657cf120b7.tar.gz) = aQxOW9sq4ZsP7nXNNW0YATRo20cmFrYJeloLvjRshGQ= SHA256 (nginx-rtmp-module-v1.2.1.tar.gz) = h6pZdACwtaBSdO4tI9jLgiThJoYiegq+MdeDs6ZF6jc= SHA256 (ngx_devel_kit-v0.3.0.tar.gz) = iOBamainQZBm9a51lm+x78QJutRSLRSYbaB0VUrmFhk= 
@@ -12,7 +12,7 @@ SIZE (headers-more-nginx-module-v0.33.ta SIZE (lua-nginx-module-v0.10.11.tar.gz) = 616653 SIZE (naxsi-1.3.tar.gz) = 235626 SIZE (nginx-1.20.1-chroot.patch) = 8783 -SIZE (nginx-1.22.0.tar.gz) = 1073322 +SIZE (nginx-1.22.1.tar.gz) = 1073948 SIZE (nginx-auth-ldap-83c059b73566c2ee9cbda920d91b66657cf120b7.tar.gz) = 18542 SIZE (nginx-rtmp-module-v1.2.1.tar.gz) = 519919 SIZE (ngx_devel_kit-v0.3.0.tar.gz) = 66455
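Review bot: The Makefile hunk at @@ -15,7 +15,7 @@ bumps VERSION from 1.22.0 to 1.22.1 but the patch never touches REVISION-main; the later diff in this thread against the same revision 1.164 shows "REVISION-main= 0" still present as context, so a version update should remove that line in the same change.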
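Review bot: The new SHA256 and SIZE values for nginx-1.22.1.tar.gz in the two distinfo hunks should be regenerated by the committer with "make makesum" from a tarball checked against upstream's PGP signature, not copied from the mail. Only the nginx-1.22.1.tar.gz lines change and every third-party module entry is untouched, which is consistent with a core-only bump and is worth stating in the commit message.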