Merge branch 'master' into epel7

Jamie Nguyen 2016-07-02 19:13:29 +01:00
commit 02037aa84e
13 changed files with 465 additions and 872 deletions

README.fedora Normal file

@ -0,0 +1,20 @@
###############
Dynamic modules
###############
Dynamic modules are loaded using the "load_modules" directive. The RPM package
for each module has a '.conf' file in the /usr/share/nginx/modules directory.
The '.conf' file contains a single "load_modules" directive.
This means that whenever a new dynamic module is installed, it will
automatically be enabled and Nginx will be reloaded.
--------------------------------------------------------
Prevent dynamic modules from being enabled automatically
--------------------------------------------------------
You may want to avoid dynamic modules being enabled automatically. Simply
remove this line from the top of /etc/nginx/nginx.conf:
include /usr/lib64/nginx/modules/*.conf;
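Review bot: the removal instruction in the last line names "include /usr/lib64/nginx/modules/*.conf;", but the nginx.conf change in this commit adds "include /usr/share/nginx/modules/*.conf;" and the spec creates the '.conf' directory under %{_datadir}/nginx/modules, so an admin following this README will not find the line and the modules stay auto-loaded. Change the README line to the /usr/share path. The directive is also written as "load_modules" twice in the first paragraph; nginx's directive is "load_module".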

UPGRADE-NOTES-1.6-to-1.10 Normal file

@ -0,0 +1,89 @@
#############
Upgrade notes
#############
To resolve numerous security flaws, the nginx package was updated to 1.10.x.
You should review your configuration files in /etc/nginx to determine if there
are any incompatibilities.
Please see upstream release notes for a complete list of new features,
bug fixes, and changes: http://nginx.org/en/CHANGES-1.10
Below is a summary of the main changes. If you have not modified any files in
/etc/nginx directory, the update will work seamlessly. However, if you are
using any nginx directives that have changed or been removed then you should
amend your configuration.
Nginx gained support for dynamic modules. Some modules have been split into
subpackages, which for the time being are hard dependencies to aid the upgrade
path. The new subpackages are:
- nginx-mod-http-geoip
- nginx-mod-http-image-filter
- nginx-mod-http-perl
- nginx-mod-http-xslt-filter
- nginx-mod-mail
- nginx-mod-stream
Changes with nginx 1.10.x
*) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer
passed to the next server by default if a request has been sent to a
backend; the "non_idempotent" parameter of the "proxy_next_upstream"
directive explicitly allows retrying such requests.
*) Change: now the "output_buffers" directive uses two buffers by
default.
*) Change: now nginx limits subrequests recursion, not simultaneous
subrequests.
*) Change: now nginx checks the whole cache key when returning a
response from cache.
Thanks to Gena Makhomed and Sergey Brester.
*) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer"
directives of the stream module are replaced with the
"proxy_buffer_size" directive.
*) Change: duplicate "http", "mail", and "stream" blocks are now
disallowed.
*) Change: now SSLv3 protocol is disabled by default.
*) Change: some long deprecated directives are not supported anymore.
*) Change: obsolete aio and rtsig event methods have been removed.
Changes with nginx 1.8.x
*) Change: the "sendfile" parameter of the "aio" directive is
deprecated; now nginx automatically uses AIO to pre-load data for
sendfile if both "aio" and "sendfile" directives are used.
*) Change: now the "If-Modified-Since", "If-Range", etc. client request
header lines are passed to a backend while caching if nginx knows in
advance that the response will not be cached (e.g., when using
proxy_cache_min_uses).
*) Change: now after proxy_cache_lock_timeout nginx sends a request to a
backend with caching disabled; the new directives
"proxy_cache_lock_age", "fastcgi_cache_lock_age",
"scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time
after which the lock will be released and another attempt to cache a
response will be made.
*) Change: the "log_format" directive can now be used only at http
level.
*) Change: now nginx takes into account the "Vary" header line in a
backend response while caching.
*) Change: the deprecated "limit_zone" directive is not supported
anymore.
*) Change: now the "stub_status" directive does not require a parameter.
*) Change: URI escaping now uses uppercase hexadecimal digits.
Thanks to Piotr Sikora.
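Review bot: the "Changes with nginx 1.10.x" summary omits the SPDY to HTTP/2 switch, although the spec in this same commit replaces --with-http_spdy_module with --with-http_v2_module; add an entry telling admins to review any SPDY-related configuration in /etc/nginx before upgrading. The opening sentence also cites "numerous security flaws" without naming any; listing the CVE ids (the spec mentions CVE-2016-4450) would let admins map this update to their advisories.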


@ -1,181 +0,0 @@
exporting patch:
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1453816008 -10800
# Tue Jan 26 16:46:48 2016 +0300
# Branch stable-1.8
# Node ID 5557bf31e25da68d5cda19dbc91d86f47430df1f
# Parent 838946300825379ccdd3acfb131cf66d6ae3cb85
Resolver: changed the ngx_resolver_create_*_query() arguments.
No functional changes.
This is needed by the following change.
diff -r 838946300825 -r 5557bf31e25d src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300
@@ -64,10 +64,10 @@
ngx_queue_t *queue);
static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r,
ngx_resolver_node_t *rn);
-static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_node_t *rn,
- ngx_resolver_ctx_t *ctx);
-static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_node_t *rn,
- ngx_resolver_ctx_t *ctx);
+static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_t *r,
+ ngx_resolver_node_t *rn, ngx_str_t *name);
+static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_t *r,
+ ngx_resolver_node_t *rn, ngx_addr_t *addr);
static void ngx_resolver_resend_handler(ngx_event_t *ev);
static time_t ngx_resolver_resend(ngx_resolver_t *r, ngx_rbtree_t *tree,
ngx_queue_t *queue);
@@ -651,7 +651,7 @@
ngx_rbtree_insert(&r->name_rbtree, &rn->node);
}
- rc = ngx_resolver_create_name_query(rn, ctx);
+ rc = ngx_resolver_create_name_query(r, rn, &ctx->name);
if (rc == NGX_ERROR) {
goto failed;
@@ -878,7 +878,7 @@
ngx_rbtree_insert(tree, &rn->node);
}
- if (ngx_resolver_create_addr_query(rn, ctx) != NGX_OK) {
+ if (ngx_resolver_create_addr_query(r, rn, &ctx->addr) != NGX_OK) {
goto failed;
}
@@ -2511,27 +2511,23 @@
static ngx_int_t
-ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
+ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
+ ngx_str_t *name)
{
u_char *p, *s;
size_t len, nlen;
ngx_uint_t ident;
-#if (NGX_HAVE_INET6)
- ngx_resolver_t *r;
-#endif
ngx_resolver_qs_t *qs;
ngx_resolver_hdr_t *query;
- nlen = ctx->name.len ? (1 + ctx->name.len + 1) : 1;
+ nlen = name->len ? (1 + name->len + 1) : 1;
len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t);
#if (NGX_HAVE_INET6)
- r = ctx->resolver;
-
- p = ngx_resolver_alloc(ctx->resolver, r->ipv6 ? len * 2 : len);
+ p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len);
#else
- p = ngx_resolver_alloc(ctx->resolver, len);
+ p = ngx_resolver_alloc(r, len);
#endif
if (p == NULL) {
return NGX_ERROR;
@@ -2550,8 +2546,8 @@
ident = ngx_random();
- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
- "resolve: \"%V\" A %i", &ctx->name, ident & 0xffff);
+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
+ "resolve: \"%V\" A %i", name, ident & 0xffff);
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
@@ -2581,11 +2577,11 @@
p--;
*p-- = '\0';
- if (ctx->name.len == 0) {
+ if (name->len == 0) {
return NGX_DECLINED;
}
- for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
+ for (s = name->data + name->len - 1; s >= name->data; s--) {
if (*s != '.') {
*p = *s;
len++;
@@ -2621,8 +2617,8 @@
ident = ngx_random();
- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
- "resolve: \"%V\" AAAA %i", &ctx->name, ident & 0xffff);
+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
+ "resolve: \"%V\" AAAA %i", name, ident & 0xffff);
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
@@ -2639,11 +2635,12 @@
static ngx_int_t
-ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
+ngx_resolver_create_addr_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
+ ngx_addr_t *addr)
{
u_char *p, *d;
size_t len;
- in_addr_t addr;
+ in_addr_t inaddr;
ngx_int_t n;
ngx_uint_t ident;
ngx_resolver_hdr_t *query;
@@ -2652,7 +2649,7 @@
struct sockaddr_in6 *sin6;
#endif
- switch (ctx->addr.sockaddr->sa_family) {
+ switch (addr->sockaddr->sa_family) {
#if (NGX_HAVE_INET6)
case AF_INET6:
@@ -2669,7 +2666,7 @@
+ sizeof(ngx_resolver_qs_t);
}
- p = ngx_resolver_alloc(ctx->resolver, len);
+ p = ngx_resolver_alloc(r, len);
if (p == NULL) {
return NGX_ERROR;
}
@@ -2693,11 +2690,11 @@
p += sizeof(ngx_resolver_hdr_t);
- switch (ctx->addr.sockaddr->sa_family) {
+ switch (addr->sockaddr->sa_family) {
#if (NGX_HAVE_INET6)
case AF_INET6:
- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
+ sin6 = (struct sockaddr_in6 *) addr->sockaddr;
for (n = 15; n >= 0; n--) {
p = ngx_sprintf(p, "\1%xd\1%xd",
@@ -2712,11 +2709,11 @@
default: /* AF_INET */
- sin = (struct sockaddr_in *) ctx->addr.sockaddr;
- addr = ntohl(sin->sin_addr.s_addr);
+ sin = (struct sockaddr_in *) addr->sockaddr;
+ inaddr = ntohl(sin->sin_addr.s_addr);
for (n = 0; n < 32; n += 8) {
- d = ngx_sprintf(&p[1], "%ud", (addr >> n) & 0xff);
+ d = ngx_sprintf(&p[1], "%ud", (inaddr >> n) & 0xff);
*p = (u_char) (d - &p[1]);
p = d;
}


@ -1,80 +0,0 @@
exporting patch:
# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1453815998 -10800
# Tue Jan 26 16:46:38 2016 +0300
# Branch stable-1.8
# Node ID 838946300825379ccdd3acfb131cf66d6ae3cb85
# Parent f63dd04c158062d73fcb6aff59124910fa1fae75
Resolver: fixed CNAME processing for several requests.
When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.
diff -r f63dd04c1580 -r 838946300825 src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:31 2016 +0300
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300
@@ -473,7 +473,7 @@
ngx_int_t rc;
ngx_uint_t naddrs;
ngx_addr_t *addrs;
- ngx_resolver_ctx_t *next;
+ ngx_resolver_ctx_t *next, *last;
ngx_resolver_node_t *rn;
ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len);
@@ -484,6 +484,9 @@
if (rn) {
+ /* ctx can be a list after NGX_RESOLVE_CNAME */
+ for (last = ctx; last->next; last = last->next);
+
if (rn->valid >= ngx_time()) {
ngx_log_debug0(NGX_LOG_DEBUG_CORE, r->log, 0, "resolve cached");
@@ -511,7 +514,7 @@
}
}
- ctx->next = rn->waiting;
+ last->next = rn->waiting;
rn->waiting = NULL;
/* unlock name mutex */
@@ -557,7 +560,7 @@
return ngx_resolve_name_locked(r, ctx);
}
- ctx->next = rn->waiting;
+ last->next = rn->waiting;
rn->waiting = NULL;
/* unlock name mutex */
@@ -590,7 +593,7 @@
ngx_add_timer(ctx->event, ctx->timeout);
}
- ctx->next = rn->waiting;
+ last->next = rn->waiting;
rn->waiting = ctx;
ctx->state = NGX_AGAIN;
@@ -661,8 +664,14 @@
ngx_resolver_free(r, rn->name);
ngx_resolver_free(r, rn);
- ctx->state = NGX_RESOLVE_NXDOMAIN;
- ctx->handler(ctx);
+ do {
+ ctx->state = NGX_RESOLVE_NXDOMAIN;
+ next = ctx->next;
+
+ ctx->handler(ctx);
+
+ ctx = next;
+ } while (ctx);
return NGX_OK;
}


@ -1,134 +0,0 @@
exporting patch:
# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1453815991 -10800
# Tue Jan 26 16:46:31 2016 +0300
# Branch stable-1.8
# Node ID f63dd04c158062d73fcb6aff59124910fa1fae75
# Parent c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6
Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.
If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.
This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index fe0ce50..7aa88a6 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -417,7 +417,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
/* lock name mutex */
- if (ctx->state == NGX_AGAIN) {
+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
@@ -571,6 +571,20 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
if (rn->waiting) {
+ if (ctx->event == NULL) {
+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
+ if (ctx->event == NULL) {
+ return NGX_ERROR;
+ }
+
+ ctx->event->handler = ngx_resolver_timeout_handler;
+ ctx->event->data = ctx;
+ ctx->event->log = r->log;
+ ctx->ident = -1;
+
+ ngx_add_timer(ctx->event, ctx->timeout);
+ }
+
ctx->next = rn->waiting;
rn->waiting = ctx;
ctx->state = NGX_AGAIN;
@@ -664,7 +678,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
}
ctx->event->handler = ngx_resolver_timeout_handler;
- ctx->event->data = rn;
+ ctx->event->data = ctx;
ctx->event->log = r->log;
ctx->ident = -1;
@@ -794,6 +808,18 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
if (rn->waiting) {
+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
+ if (ctx->event == NULL) {
+ return NGX_ERROR;
+ }
+
+ ctx->event->handler = ngx_resolver_timeout_handler;
+ ctx->event->data = ctx;
+ ctx->event->log = r->log;
+ ctx->ident = -1;
+
+ ngx_add_timer(ctx->event, ctx->timeout);
+
ctx->next = rn->waiting;
rn->waiting = ctx;
ctx->state = NGX_AGAIN;
@@ -857,7 +883,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
}
ctx->event->handler = ngx_resolver_timeout_handler;
- ctx->event->data = rn;
+ ctx->event->data = ctx;
ctx->event->log = r->log;
ctx->ident = -1;
@@ -949,7 +975,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
/* lock addr mutex */
- if (ctx->state == NGX_AGAIN) {
+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
switch (ctx->addr.sockaddr->sa_family) {
@@ -2791,21 +2817,13 @@ done:
static void
ngx_resolver_timeout_handler(ngx_event_t *ev)
{
- ngx_resolver_ctx_t *ctx, *next;
- ngx_resolver_node_t *rn;
+ ngx_resolver_ctx_t *ctx;
- rn = ev->data;
- ctx = rn->waiting;
- rn->waiting = NULL;
+ ctx = ev->data;
- do {
- ctx->state = NGX_RESOLVE_TIMEDOUT;
- next = ctx->next;
-
- ctx->handler(ctx);
+ ctx->state = NGX_RESOLVE_TIMEDOUT;
- ctx = next;
- } while (ctx);
+ ctx->handler(ctx);
}
--
2.5.0


@ -1,22 +0,0 @@
exporting patch:
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1453815978 -10800
# Tue Jan 26 16:46:18 2016 +0300
# Branch stable-1.8
# Node ID c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6
# Parent e9a4531a2a5dabb9bee93cb8b41f24b8aeeba504
Resolver: fixed possible segmentation fault on DNS format error.
diff -r e9a4531a2a5d -r c36482d0a79f src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Mon Jan 25 21:58:21 2016 +0300
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:18 2016 +0300
@@ -1292,7 +1292,7 @@
times = 0;
for (q = ngx_queue_head(&r->name_resend_queue);
- q != ngx_queue_sentinel(&r->name_resend_queue) || times++ < 100;
+ q != ngx_queue_sentinel(&r->name_resend_queue) && times++ < 100;
q = ngx_queue_next(q))
{
rn = ngx_queue_data(q, ngx_resolver_node_t, queue);


@ -1,252 +0,0 @@
exporting patch:
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1453816019 -10800
# Tue Jan 26 16:46:59 2016 +0300
# Branch stable-1.8
# Node ID dac6eda40475f08b7372159d78dad1e13cd5bc7f
# Parent 5557bf31e25da68d5cda19dbc91d86f47430df1f
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300
@@ -59,7 +59,7 @@
static void ngx_resolver_cleanup(void *data);
static void ngx_resolver_cleanup_tree(ngx_resolver_t *r, ngx_rbtree_t *tree);
static ngx_int_t ngx_resolve_name_locked(ngx_resolver_t *r,
- ngx_resolver_ctx_t *ctx);
+ ngx_resolver_ctx_t *ctx, ngx_str_t *name);
static void ngx_resolver_expire(ngx_resolver_t *r, ngx_rbtree_t *tree,
ngx_queue_t *queue);
static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r,
@@ -375,7 +375,7 @@
/* lock name mutex */
- rc = ngx_resolve_name_locked(r, ctx);
+ rc = ngx_resolve_name_locked(r, ctx, &ctx->name);
if (rc == NGX_OK) {
return NGX_OK;
@@ -402,7 +402,6 @@
void
ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
{
- uint32_t hash;
ngx_resolver_t *r;
ngx_resolver_ctx_t *w, **p;
ngx_resolver_node_t *rn;
@@ -424,9 +423,7 @@
if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
- hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
-
- rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
+ rn = ctx->node;
if (rn) {
p = &rn->waiting;
@@ -467,20 +464,22 @@
static ngx_int_t
-ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
+ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx,
+ ngx_str_t *name)
{
uint32_t hash;
ngx_int_t rc;
+ ngx_str_t cname;
ngx_uint_t naddrs;
ngx_addr_t *addrs;
ngx_resolver_ctx_t *next, *last;
ngx_resolver_node_t *rn;
- ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len);
-
- hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
-
- rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
+ ngx_strlow(name->data, name->data, name->len);
+
+ hash = ngx_crc32_short(name->data, name->len);
+
+ rn = ngx_resolver_lookup_name(r, name, hash);
if (rn) {
@@ -554,10 +553,10 @@
if (ctx->recursion++ < NGX_RESOLVER_MAX_RECURSION) {
- ctx->name.len = rn->cnlen;
- ctx->name.data = rn->u.cname;
-
- return ngx_resolve_name_locked(r, ctx);
+ cname.len = rn->cnlen;
+ cname.data = rn->u.cname;
+
+ return ngx_resolve_name_locked(r, ctx, &cname);
}
last->next = rn->waiting;
@@ -597,6 +596,11 @@
rn->waiting = ctx;
ctx->state = NGX_AGAIN;
+ do {
+ ctx->node = rn;
+ ctx = ctx->next;
+ } while (ctx);
+
return NGX_AGAIN;
}
@@ -635,14 +639,14 @@
return NGX_ERROR;
}
- rn->name = ngx_resolver_dup(r, ctx->name.data, ctx->name.len);
+ rn->name = ngx_resolver_dup(r, name->data, name->len);
if (rn->name == NULL) {
ngx_resolver_free(r, rn);
return NGX_ERROR;
}
rn->node.key = hash;
- rn->nlen = (u_short) ctx->name.len;
+ rn->nlen = (u_short) name->len;
rn->query = NULL;
#if (NGX_HAVE_INET6)
rn->query6 = NULL;
@@ -651,7 +655,7 @@
ngx_rbtree_insert(&r->name_rbtree, &rn->node);
}
- rc = ngx_resolver_create_name_query(r, rn, &ctx->name);
+ rc = ngx_resolver_create_name_query(r, rn, name);
if (rc == NGX_ERROR) {
goto failed;
@@ -715,6 +719,11 @@
ctx->state = NGX_AGAIN;
+ do {
+ ctx->node = rn;
+ ctx = ctx->next;
+ } while (ctx);
+
return NGX_AGAIN;
failed:
@@ -837,6 +846,7 @@
ctx->next = rn->waiting;
rn->waiting = ctx;
ctx->state = NGX_AGAIN;
+ ctx->node = rn;
/* unlock addr mutex */
@@ -922,6 +932,7 @@
/* unlock addr mutex */
ctx->state = NGX_AGAIN;
+ ctx->node = rn;
return NGX_OK;
@@ -952,17 +963,11 @@
void
ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
{
- in_addr_t addr;
ngx_queue_t *expire_queue;
ngx_rbtree_t *tree;
ngx_resolver_t *r;
ngx_resolver_ctx_t *w, **p;
- struct sockaddr_in *sin;
ngx_resolver_node_t *rn;
-#if (NGX_HAVE_INET6)
- uint32_t hash;
- struct sockaddr_in6 *sin6;
-#endif
r = ctx->resolver;
@@ -991,21 +996,7 @@
if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
- switch (ctx->addr.sockaddr->sa_family) {
-
-#if (NGX_HAVE_INET6)
- case AF_INET6:
- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
- hash = ngx_crc32_short(sin6->sin6_addr.s6_addr, 16);
- rn = ngx_resolver_lookup_addr6(r, &sin6->sin6_addr, hash);
- break;
-#endif
-
- default: /* AF_INET */
- sin = (struct sockaddr_in *) ctx->addr.sockaddr;
- addr = ntohl(sin->sin_addr.s_addr);
- rn = ngx_resolver_lookup_addr(r, addr);
- }
+ rn = ctx->node;
if (rn) {
p = &rn->waiting;
@@ -1994,9 +1985,12 @@
rn->waiting = NULL;
if (ctx) {
- ctx->name = name;
-
- (void) ngx_resolve_name_locked(r, ctx);
+
+ for (next = ctx; next; next = next->next) {
+ next->node = NULL;
+ }
+
+ (void) ngx_resolve_name_locked(r, ctx, &name);
}
ngx_resolver_free(r, rn->query);
diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.h
--- a/src/core/ngx_resolver.h Tue Jan 26 16:46:48 2016 +0300
+++ b/src/core/ngx_resolver.h Tue Jan 26 16:46:59 2016 +0300
@@ -161,6 +161,8 @@
ngx_uint_t quick; /* unsigned quick:1; */
ngx_uint_t recursion;
ngx_event_t *event;
+
+ ngx_resolver_node_t *node;
};
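Review bot: deleting this backport removes the only text in the package that names the "could not cancel <name> resolving" error_log alert as the symptom of the CNAME use-after-free. Since the spec now drops Patch14 and relies on the 1.10.1 sources instead, carry that alert string into UPGRADE-NOTES-1.6-to-1.10 or the changelog so operators reviewing logs from the 1.6.3 builds know what it indicated.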


@ -1,68 +0,0 @@
exporting patch:
# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1453816034 -10800
# Tue Jan 26 16:47:14 2016 +0300
# Branch stable-1.8
# Node ID 93d70d87914c350948ab701cc99569680320e198
# Parent dac6eda40475f08b7372159d78dad1e13cd5bc7f
Resolver: limited CNAME recursion.
Previously, the recursion was only limited for cached responses.
diff -r dac6eda40475 -r 93d70d87914c src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300
+++ b/src/core/ngx_resolver.c Tue Jan 26 16:47:14 2016 +0300
@@ -1981,24 +1981,40 @@
ngx_queue_insert_head(&r->name_expire_queue, &rn->queue);
- ctx = rn->waiting;
- rn->waiting = NULL;
-
- if (ctx) {
-
- for (next = ctx; next; next = next->next) {
- next->node = NULL;
- }
-
- (void) ngx_resolve_name_locked(r, ctx, &name);
- }
-
ngx_resolver_free(r, rn->query);
rn->query = NULL;
#if (NGX_HAVE_INET6)
rn->query6 = NULL;
#endif
+ ctx = rn->waiting;
+ rn->waiting = NULL;
+
+ if (ctx) {
+
+ if (ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION) {
+
+ /* unlock name mutex */
+
+ do {
+ ctx->state = NGX_RESOLVE_NXDOMAIN;
+ next = ctx->next;
+
+ ctx->handler(ctx);
+
+ ctx = next;
+ } while (ctx);
+
+ return;
+ }
+
+ for (next = ctx; next; next = next->next) {
+ next->node = NULL;
+ }
+
+ (void) ngx_resolve_name_locked(r, ctx, &name);
+ }
+
/* unlock name mutex */
return;


@ -1,15 +0,0 @@
--- src/os/unix/ngx_files.c
+++ src/os/unix/ngx_files.c
@@ -183,6 +183,12 @@ ngx_write_chain_to_file(ngx_file_t *file
/* create the iovec and coalesce the neighbouring bufs */
while (cl && vec.nelts < IOV_MAX) {
+
+ if (ngx_buf_special(cl->buf)) {
+ cl = cl->next;
+ continue;
+ }
+
if (prev == cl->buf->pos) {
iov->iov_len += cl->buf->last - cl->buf->pos;
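Review bot: this deletes the CVE-2016-4450 backport (the spec drops "Patch1: nginx-1.8.1-null-pointer-deref.patch" and its %patch1 line), which is only safe if the 1.10.1 tarball already skips special buffers in ngx_write_chain_to_file() the way this patch did. The %changelog entry for the rebase should name CVE-2016-4450 as fixed by the new version, so the CVE stays traceable in the package history once the patch file is gone.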


@ -7,6 +7,9 @@ worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.fedora.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
@ -52,4 +55,36 @@ http {
location = /50x.html {
}
}
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
# server_name _;
# root /usr/share/nginx/html;
#
# ssl_certificate "/etc/pki/nginx/server.crt";
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# location / {
# }
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
}
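Review bot: the commented TLS server block sets ssl_ciphers but no ssl_protocols, so anyone who uncomments it inherits whatever protocol set the build defaults to. UPGRADE-NOTES in this commit says SSLv3 is now disabled by default, but an explicit ssl_protocols line in the sample would make the accepted protocols visible and independent of future default changes. Note also that "ssl_ciphers PROFILE=SYSTEM;" is rewritten to "HIGH:!aNULL:!MD5" by the spec when rhel < 8, so the file as committed is not what EPEL 7 users receive; a comment above the directive saying so would avoid confusion.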


@ -12,9 +12,9 @@ ExecStartPre=/usr/bin/rm -f /run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
KillMode=process
KillSignal=SIGQUIT
TimeoutStopSec=5
KillMode=mixed
PrivateTmp=true
[Install]


@ -1,27 +1,21 @@
%global _hardened_build 1
%global nginx_user nginx
%global nginx_group %{nginx_user}
%global nginx_home %{_localstatedir}/lib/nginx
%global nginx_home_tmp %{nginx_home}/tmp
%global nginx_confdir %{_sysconfdir}/nginx
%global nginx_datadir %{_datadir}/nginx
%global nginx_logdir %{_localstatedir}/log/nginx
%global nginx_webroot %{nginx_datadir}/html
# gperftools exist only on selected arches
%ifarch %{ix86} x86_64 ppc ppc64 %{arm}
%global with_gperftools 1
%ifnarch s390 s390x
%global with_gperftools 1
%endif
# AIO missing on some arches
%ifnarch aarch64
%global with_aio 1
%global with_aio 1
%if 0%{?fedora} > 22
%global with_mailcap_mimetypes 1
%endif
Name: nginx
Epoch: 1
Version: 1.6.3
Release: 9%{?dist}
Version: 1.10.1
Release: 1%{?dist}
Summary: A high performance web server and reverse proxy server
Group: System Environment/Daemons
@ -42,42 +36,33 @@ Source101: poweredby.png
Source102: nginx-logo.png
Source103: 404.html
Source104: 50x.html
Source200: README.fedora
Source210: UPGRADE-NOTES-1.6-to-1.10
# removes -Werror in upstream build scripts. -Werror conflicts with
# -D_FORTIFY_SOURCE=2 causing warnings to turn into errors.
Patch0: nginx-auto-cc-gcc.patch
# CVE-2016-4450
Patch1: nginx-1.8.1-null-pointer-deref.patch
# Patches taken from 1.8.1 release. Only the second patch in this series
# failed to apply and had to be modified.
Patch10: nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch
Patch11: nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch
Patch12: nginx-1.6.3-Resolver-fix-CNAME-processing.patch
Patch13: nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch
Patch14: nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch
Patch15: nginx-1.6.3-Resolver-limit-CNAME-recursion.patch
BuildRequires: GeoIP-devel
BuildRequires: gd-devel
%if 0%{?with_gperftools}
BuildRequires: gperftools-devel
%endif
BuildRequires: libxslt-devel
BuildRequires: openssl-devel
BuildRequires: pcre-devel
BuildRequires: perl-devel
BuildRequires: perl(ExtUtils::Embed)
BuildRequires: zlib-devel
Requires: nginx-filesystem = %{epoch}:%{version}-%{release}
Requires: GeoIP
Requires: gd
%if 0%{?rhel} || 0%{?fedora} < 24
# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later.
Requires: nginx-all-modules = %{epoch}:%{version}-%{release}
%endif
Requires: openssl
Requires: pcre
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires(pre): nginx-filesystem
%if 0%{?with_mailcap_mimetypes}
Requires: nginx-mimetypes
%endif
Provides: webserver
BuildRequires: systemd
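Review bot: the hard "Requires: nginx-all-modules" under "%if 0%{?rhel} || 0%{?fedora} < 24", combined with the "include /usr/share/nginx/modules/*.conf;" line this commit adds to nginx.conf, means every EPEL 7 install loads the GeoIP, image-filter, perl, XSLT, mail and stream modules whether or not the site uses them. The comment "To be removed later" has no trigger; tie the removal to a release in the comment, and point from UPGRADE-NOTES-1.6-to-1.10 to README.fedora so admins who want fewer modules loaded know to drop the include line.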
@ -90,6 +75,29 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.
%package all-modules
Group: System Environment/Daemons
Summary: A meta package that installs all available Nginx modules
BuildArch: noarch
Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release}
Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release}
Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release}
Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release}
Requires: nginx-mod-mail = %{epoch}:%{version}-%{release}
Requires: nginx-mod-stream = %{epoch}:%{version}-%{release}
%description all-modules
%{summary}.
%if 0%{?rhel}
The main nginx package depends on this to ease the upgrade path. After a grace
period of several months, modules will become optional.
%endif
%if 0%{?fedora} && 0%{?fedora} < 24
The main nginx package depends on this to ease the upgrade path. Starting from
Fedora 24, modules are optional.
%endif
%package filesystem
Group: System Environment/Daemons
Summary: The basic directory layout for the Nginx server
@ -101,17 +109,78 @@ The nginx-filesystem package contains the basic directory layout
for the Nginx server including the correct permissions for the
directories.
%package mod-http-geoip
Group: System Environment/Daemons
Summary: Nginx HTTP geoip module
BuildRequires: GeoIP-devel
Requires: nginx
Requires: GeoIP
%description mod-http-geoip
%{summary}.
%package mod-http-image-filter
Group: System Environment/Daemons
Summary: Nginx HTTP image filter module
BuildRequires: gd-devel
Requires: nginx
Requires: gd
%description mod-http-image-filter
%{summary}.
%package mod-http-perl
Group: System Environment/Daemons
Summary: Nginx HTTP perl module
BuildRequires: perl-devel
%if 0%{?fedora} >= 24
BuildRequires: perl-generators
%endif
BuildRequires: perl(ExtUtils::Embed)
Requires: nginx
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
%description mod-http-perl
%{summary}.
%package mod-http-xslt-filter
Group: System Environment/Daemons
Summary: Nginx XSLT module
BuildRequires: libxslt-devel
Requires: nginx
%description mod-http-xslt-filter
%{summary}.
%package mod-mail
Group: System Environment/Daemons
Summary: Nginx mail modules
Requires: nginx
%description mod-mail
%{summary}.
%package mod-stream
Group: System Environment/Daemons
Summary: Nginx stream modules
Requires: nginx
%description mod-stream
%{summary}.
%prep
%setup -q
%patch0 -p0
%patch1 -p0
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
cp %{SOURCE200} .
%if 0%{?rhel} == 7
cp %{SOURCE210} .
%endif
%if 0%{?rhel} < 8
sed -i -e 's#KillMode=.*#KillMode=process#g' %{SOURCE10}
sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' %{SOURCE12}
%endif
%build
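Review bot: the two "sed -i" lines under "%if 0%{?rhel} < 8" edit %{SOURCE10} and %{SOURCE12} in place, which rewrites the files in the sources directory rather than a build-tree copy, so a later build from the same tree starts from already-modified sources. Copy both files into the build directory in %prep (as is done for %{SOURCE200}) and run sed on the copies, or run it on the installed files under %{buildroot}. Separately, "0%{?rhel} < 8" is also true when rhel is undefined, because it expands to "0 < 8"; "0%{?rhel} && 0%{?rhel} < 8" would restrict the KillMode and cipher rewrite to RHEL builds.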
@ -121,31 +190,32 @@ directories.
# variable.
export DESTDIR=%{buildroot}
./configure \
--prefix=%{nginx_datadir} \
--prefix=%{_datadir}/nginx \
--sbin-path=%{_sbindir}/nginx \
--conf-path=%{nginx_confdir}/nginx.conf \
--error-log-path=%{nginx_logdir}/error.log \
--http-log-path=%{nginx_logdir}/access.log \
--http-client-body-temp-path=%{nginx_home_tmp}/client_body \
--http-proxy-temp-path=%{nginx_home_tmp}/proxy \
--http-fastcgi-temp-path=%{nginx_home_tmp}/fastcgi \
--http-uwsgi-temp-path=%{nginx_home_tmp}/uwsgi \
--http-scgi-temp-path=%{nginx_home_tmp}/scgi \
--modules-path=%{_libdir}/nginx/modules \
--conf-path=%{_sysconfdir}/nginx/nginx.conf \
--error-log-path=%{_localstatedir}/log/nginx/error.log \
--http-log-path=%{_localstatedir}/log/nginx/access.log \
--http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \
--http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \
--http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \
--http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \
--http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \
--pid-path=/run/nginx.pid \
--lock-path=/run/lock/subsys/nginx \
--user=%{nginx_user} \
--group=%{nginx_group} \
--group=%{nginx_user} \
%if 0%{?with_aio}
--with-file-aio \
%endif
--with-ipv6 \
--with-http_ssl_module \
--with-http_spdy_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_xslt_module \
--with-http_image_filter_module \
--with-http_geoip_module \
--with-http_xslt_module=dynamic \
--with-http_image_filter_module=dynamic \
--with-http_geoip_module=dynamic \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
@ -155,12 +225,15 @@ export DESTDIR=%{buildroot}
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_slice_module \
--with-http_stub_status_module \
--with-http_perl_module \
--with-mail \
--with-http_perl_module=dynamic \
--with-mail=dynamic \
--with-mail_ssl_module \
--with-pcre \
--with-pcre-jit \
--with-stream=dynamic \
--with-stream_ssl_module \
%if 0%{?with_gperftools}
--with-google_perftools_module \
%endif
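Review bot: `--with-http_perl_module=dynamic` and `--with-mail=dynamic` (like the xslt, image filter and geoip switches earlier in this configure call) move code that was compiled in on 1.6.x into `.so` files that only take effect once a `load_module` line is read. nginx.conf is `%config(noreplace)`, so a locally modified nginx.conf will not pick up a new include on upgrade, and a configuration that uses `mail {}`, `perl_*`, `geoip_*`, `image_filter` or `xslt_*` directives will then fail the config test. Suggest stating this explicitly in the upgrade notes, together with the exact include line to add.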
@ -178,27 +251,35 @@ find %{buildroot} -type f -name .packlist -exec rm -f '{}' \;
find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \;
find %{buildroot} -type f -empty -exec rm -f '{}' \;
find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \;
install -p -D -m 0644 %{SOURCE10} \
%{buildroot}%{_unitdir}/nginx.service
install -p -D -m 0644 %{SOURCE11} \
%{buildroot}%{_sysconfdir}/logrotate.d/nginx
install -p -d -m 0755 %{buildroot}%{nginx_confdir}/conf.d
install -p -d -m 0755 %{buildroot}%{nginx_confdir}/default.d
install -p -d -m 0700 %{buildroot}%{nginx_home}
install -p -d -m 0700 %{buildroot}%{nginx_home_tmp}
install -p -d -m 0700 %{buildroot}%{nginx_logdir}
install -p -d -m 0755 %{buildroot}%{nginx_webroot}
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d
install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx
install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp
install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html
install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules
install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules
install -p -m 0644 %{SOURCE12} \
%{buildroot}%{nginx_confdir}
%{buildroot}%{_sysconfdir}/nginx
install -p -m 0644 %{SOURCE100} \
%{buildroot}%{nginx_webroot}
%{buildroot}%{_datadir}/nginx/html
install -p -m 0644 %{SOURCE101} %{SOURCE102} \
%{buildroot}%{nginx_webroot}
%{buildroot}%{_datadir}/nginx/html
install -p -m 0644 %{SOURCE103} %{SOURCE104} \
%{buildroot}%{nginx_webroot}
%{buildroot}%{_datadir}/nginx/html
%if 0%{?with_mailcap_mimetypes}
rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types
%endif
install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 \
%{buildroot}%{_mandir}/man8/nginx.8
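Review bot: `install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules` creates a directory that no `%files` section in this diff claims with `%dir`; only `%dir %{_libdir}/nginx/modules` is listed, and `%files filesystem` covers `%{_datadir}/nginx` and `%{_datadir}/nginx/html`. Every `mod-*` subpackage drops a `.conf` there and those files are read as nginx configuration, so add `%dir %{_datadir}/nginx/modules` to the main package or to `filesystem` so the directory is owned and its mode and ownership are tracked by rpm.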
@ -211,17 +292,59 @@ for i in ftdetect indent syntax; do
%{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim
done
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf
echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \
> %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf
%pre filesystem
getent group %{nginx_group} > /dev/null || groupadd -r %{nginx_group}
getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
getent passwd %{nginx_user} > /dev/null || \
useradd -r -d %{nginx_home} -g %{nginx_group} \
useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \
-s /sbin/nologin -c "Nginx web server" %{nginx_user}
exit 0
%post
%systemd_post nginx.service
%post mod-http-geoip
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-image-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-perl
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-http-xslt-filter
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-mail
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%post mod-stream
if [ $1 -eq 1 ]; then
/usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || :
fi
%preun
%systemd_preun nginx.service
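Review bot: the `load_module` snippets are written to `%{_datadir}/nginx/modules/`, but README.fedora in this same commit tells admins to remove `include /usr/lib64/nginx/modules/*.conf;`, which is the `%{_libdir}` path where only the `.so` files live. Please make README.fedora and the include line in nginx.conf match the directory used here, otherwise the documented way to opt out of auto-enabling does not correspond to the real configuration. Also, each `%post mod-*` reloads nginx on install (`$1 -eq 1`) but there is no matching `%postun`, so removing a module subpackage leaves it loaded in the running server until the next manual reload, and `>/dev/null 2>&1 || :` hides a reload that fails.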
@ -232,8 +355,12 @@ if [ $1 -ge 1 ]; then
fi
%files
%doc LICENSE CHANGES README
%{nginx_datadir}/html/*
%license LICENSE
%doc CHANGES README README.fedora
%if 0%{rhel} == 7
%doc UPGRADE-NOTES-1.6-to-1.10
%endif
%{_datadir}/nginx/html/*
%{_bindir}/nginx-upgrade
%{_sbindir}/nginx
%{_datadir}/vim/vimfiles/ftdetect/nginx.vim
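Review bot: `%if 0%{rhel} == 7` is missing the `?` used by the other conditionals in this spec (`0%{?with_aio}`, `0%{?with_gperftools}`). Where `rhel` is undefined the macro is not expanded and the expression does not evaluate as intended; use `%if 0%{?rhel} == 7` so the same spec builds on Fedora branches too.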
@ -243,77 +370,151 @@ fi
%{_mandir}/man8/nginx.8*
%{_mandir}/man8/nginx-upgrade.8*
%{_unitdir}/nginx.service
%config(noreplace) %{nginx_confdir}/fastcgi.conf
%config(noreplace) %{nginx_confdir}/fastcgi.conf.default
%config(noreplace) %{nginx_confdir}/fastcgi_params
%config(noreplace) %{nginx_confdir}/fastcgi_params.default
%config(noreplace) %{nginx_confdir}/koi-utf
%config(noreplace) %{nginx_confdir}/koi-win
%config(noreplace) %{nginx_confdir}/mime.types
%config(noreplace) %{nginx_confdir}/mime.types.default
%config(noreplace) %{nginx_confdir}/nginx.conf
%config(noreplace) %{nginx_confdir}/nginx.conf.default
%config(noreplace) %{nginx_confdir}/scgi_params
%config(noreplace) %{nginx_confdir}/scgi_params.default
%config(noreplace) %{nginx_confdir}/uwsgi_params
%config(noreplace) %{nginx_confdir}/uwsgi_params.default
%config(noreplace) %{nginx_confdir}/win-utf
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf
%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params
%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/koi-utf
%config(noreplace) %{_sysconfdir}/nginx/koi-win
%if ! 0%{?with_mailcap_mimetypes}
%config(noreplace) %{_sysconfdir}/nginx/mime.types
%endif
%config(noreplace) %{_sysconfdir}/nginx/mime.types.default
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf
%config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default
%config(noreplace) %{_sysconfdir}/nginx/scgi_params
%config(noreplace) %{_sysconfdir}/nginx/scgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params
%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default
%config(noreplace) %{_sysconfdir}/nginx/win-utf
%config(noreplace) %{_sysconfdir}/logrotate.d/nginx
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx/tmp
%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/log/nginx
%dir %{_libdir}/nginx/modules
%files all-modules
%files filesystem
%dir %{_datadir}/nginx
%dir %{_datadir}/nginx/html
%dir %{_sysconfdir}/nginx
%dir %{_sysconfdir}/nginx/conf.d
%dir %{_sysconfdir}/nginx/default.d
%files mod-http-geoip
%{_datadir}/nginx/modules/mod-http-geoip.conf
%{_libdir}/nginx/modules/ngx_http_geoip_module.so
%files mod-http-image-filter
%{_datadir}/nginx/modules/mod-http-image-filter.conf
%{_libdir}/nginx/modules/ngx_http_image_filter_module.so
%files mod-http-perl
%{_datadir}/nginx/modules/mod-http-perl.conf
%{_libdir}/nginx/modules/ngx_http_perl_module.so
%dir %{perl_vendorarch}/auto/nginx
%{perl_vendorarch}/nginx.pm
%{perl_vendorarch}/auto/nginx/nginx.so
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home}
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp}
%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir}
%files filesystem
%dir %{nginx_datadir}
%dir %{nginx_datadir}/html
%dir %{nginx_confdir}
%dir %{nginx_confdir}/conf.d
%dir %{nginx_confdir}/default.d
%files mod-http-xslt-filter
%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so
%files mod-mail
%{_datadir}/nginx/modules/mod-mail.conf
%{_libdir}/nginx/modules/ngx_mail_module.so
%files mod-stream
%{_datadir}/nginx/modules/mod-stream.conf
%{_libdir}/nginx/modules/ngx_stream_module.so
%changelog
* Tue May 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-9
- fix CVE-2016-4450
* Tue May 31 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.1-1
- update to upstream release 1.10.1
* Tue Jan 26 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-8
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.10.0-4
- Perl 5.24 rebuild
* Sun May 8 2016 Peter Robinson <pbrobinson@fedoraproject.org> 1:1.10.0-3
- Enable AIO on aarch64 (rhbz 1258414)
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-2
- only Require nginx-all-modules for EPEL and current Fedora releases
* Wed Apr 27 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.10.0-1
- update to upstream release 1.10.0
- split dynamic modules into subpackages
- spec file cleanup
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jan 26 2016 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.1-1
- update to upstream release 1.8.1
- CVE-2016-0747: Insufficient limits of CNAME resolution in resolver
- CVE-2016-0746: Use-after-free during CNAME response processing in resolver
- CVE-2016-0742: Invalid pointer dereference in resolver
* Sun Oct 04 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-7
* Sun Oct 04 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-14
- consistently use '%%global with_foo' style of logic
- remove PID file before starting nginx (#1268621)
* Fri Jul 03 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-6
* Fri Sep 25 2015 Ville Skyttä <ville.skytta@iki.fi> - 1:1.8.0-13
- Use nginx-mimetypes from mailcap (#1248736)
- Mark LICENSE as %%license
* Thu Sep 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-12
- also build with gperftools on aarch64 (#1258412)
* Wed Aug 12 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 1:1.8.0-11
- nginx.conf: added commented-out SSL configuration directives (#1179232)
* Fri Jul 03 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-10
- switch back to /bin/kill in logrotate script due to SELinux denials
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-5
- set KillMode=process in systemd service file
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-4
- fix path to png images in error pages (#1232277)
* Tue Jun 16 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-9
- fix path to png in error pages (#1232277)
- optimize png images with optipng
* Sun Jun 14 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-3
* Sun Jun 14 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-8
- replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543)
- remove After=syslog.target in nginx.service (#1231543)
- replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543)
- remove KillMode=mixed as this is not supported on systemd v208
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-2
- improve nginx-upgrade
- run nginx-upgrade on package updates
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1:1.8.0-7
- Perl 5.22 rebuild
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-6
- revert previous change
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-5
- move default server to default.conf (#1220094)
* Sun May 10 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-4
- add TimeoutStopSec=5 and KillMode=mixed to nginx.service
- remove some redundant files
- set worker_processes to auto
- add some common options to the http block in nginx.conf
- listen on ipv6 for the default server (#1217081)
- remove redundant commands in %%post
- add --with-pcre-jit to configure options
- run nginx-upgrade on package update
- remove some redundant scriptlet commands
- listen on ipv6 for default server (#1217081)
* Thu Apr 09 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.3-1
- update to upstream release 1.6.3
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-3
- improve nginx-upgrade script
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-2
- add --with-pcre-jit
* Wed Apr 22 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.8.0-1
- update to upstream release 1.8.0
* Thu Apr 09 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.12-1
- update to upstream release 1.7.12
* Sun Feb 15 2015 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.7.10-1
- update to upstream release 1.7.10
- remove systemd conditionals
* Wed Oct 22 2014 Jamie Nguyen <jamielinux@fedoraproject.org> - 1:1.6.2-4
- fix package ownership of directories
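Review bot: the `1:1.10.1-1` changelog entry says only "update to upstream release 1.10.1", while the `1:1.6.3-9` entry next to it names CVE-2016-4450 and the `1:1.8.1-1` entry lists each CVE it fixes. Please add the CVE-2016-4450 line to the 1.10.1 entry so that anyone auditing with `rpm -q --changelog` can still see that this build carries the fix.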

View File

@ -1,2 +1,2 @@
ea813aee2c344c2f5b66cdb24a472738 nginx-1.6.3.tar.gz
16301c1d7f4773ed62e24f820d8b5181 nginx-1.6.3.tar.gz.asc
088292d9caf6059ef328aa7dda332e44 nginx-1.10.1.tar.gz
bb38cb136c10010d3162403f6a39215d nginx-1.10.1.tar.gz.asc
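Review bot: the new tarball is pinned here only by an MD5 digest, which is not collision resistant and should not be the sole integrity check for a security update. Since `nginx-1.10.1.tar.gz.asc` is uploaded alongside it, please confirm the signature was verified against the upstream signing key before upload, and consider verifying it in `%prep` so every build repeats the check.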