diff --git a/README.fedora b/README.fedora
new file mode 100644
index 0000000..59f03f6
--- /dev/null
+++ b/README.fedora
@@ -0,0 +1,20 @@
+###############
+Dynamic modules
+###############
+
+Dynamic modules are loaded using the "load_modules" directive. The RPM package
+for each module has a '.conf' file in the /usr/share/nginx/modules directory.
+The '.conf' file contains a single "load_modules" directive.
+
+This means that whenever a new dynamic module is installed, it will
+automatically be enabled and Nginx will be reloaded.
+
+--------------------------------------------------------
+Prevent dynamic modules from being enabled automatically
+--------------------------------------------------------
+
+You may want to avoid dynamic modules being enabled automatically. Simply
+remove this line from the top of /etc/nginx/nginx.conf:
+
+ include /usr/lib64/nginx/modules/*.conf;
+
diff --git a/UPGRADE-NOTES-1.6-to-1.10 b/UPGRADE-NOTES-1.6-to-1.10
new file mode 100644
index 0000000..8852e1d
--- /dev/null
+++ b/UPGRADE-NOTES-1.6-to-1.10
@@ -0,0 +1,89 @@
+#############
+Upgrade notes
+#############
+
+To resolve numerous security flaws, the nginx package was updated to 1.10.x.
+
+You should review your configuration files in /etc/nginx to determine if there
+are any incompatibilities.
+
+Please see upstream release notes for a complete list of new features,
+bug fixes, and changes: http://nginx.org/en/CHANGES-1.10
+
+Below is a summary of the main changes. If you have not modified any files in
+/etc/nginx directory, the update will work seamlessly. However, if you are
+using any nginx directives that have changed or been removed then you should
+amend your configuration.
+
+Nginx gained support for dynamic modules. Some modules have been split into
+subpackages, which for the time being are hard dependencies to aid the upgrade
+path. The new subpackages are:
+ - nginx-mod-http-geoip
+ - nginx-mod-http-image-filter
+ - nginx-mod-http-perl
+ - nginx-mod-http-xslt-filter
+ - nginx-mod-mail
+ - nginx-mod-stream
+
+Changes with nginx 1.10.x
+
+ *) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer
+ passed to the next server by default if a request has been sent to a
+ backend; the "non_idempotent" parameter of the "proxy_next_upstream"
+ directive explicitly allows retrying such requests.
+
+ *) Change: now the "output_buffers" directive uses two buffers by
+ default.
+
+ *) Change: now nginx limits subrequests recursion, not simultaneous
+ subrequests.
+
+ *) Change: now nginx checks the whole cache key when returning a
+ response from cache.
+ Thanks to Gena Makhomed and Sergey Brester.
+
+ *) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer"
+ directives of the stream module are replaced with the
+ "proxy_buffer_size" directive.
+
+ *) Change: duplicate "http", "mail", and "stream" blocks are now
+ disallowed.
+
+ *) Change: now SSLv3 protocol is disabled by default.
+
+ *) Change: some long deprecated directives are not supported anymore.
+
+ *) Change: obsolete aio and rtsig event methods have been removed.
+
+Changes with nginx 1.8.x
+
+ *) Change: the "sendfile" parameter of the "aio" directive is
+ deprecated; now nginx automatically uses AIO to pre-load data for
+ sendfile if both "aio" and "sendfile" directives are used.
+
+ *) Change: now the "If-Modified-Since", "If-Range", etc. client request
+ header lines are passed to a backend while caching if nginx knows in
+ advance that the response will not be cached (e.g., when using
+ proxy_cache_min_uses).
+
+ *) Change: now after proxy_cache_lock_timeout nginx sends a request to a
+ backend with caching disabled; the new directives
+ "proxy_cache_lock_age", "fastcgi_cache_lock_age",
+ "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time
+ after which the lock will be released and another attempt to cache a
+ response will be made.
+
+ *) Change: the "log_format" directive can now be used only at http
+ level.
+
+ *) Change: now nginx takes into account the "Vary" header line in a
+ backend response while caching.
+
+ *) Change: the deprecated "limit_zone" directive is not supported
+ anymore.
+
+ *) Change: now the "stub_status" directive does not require a parameter.
+
+ *) Change: URI escaping now uses uppercase hexadecimal digits.
+ Thanks to Piotr Sikora.
+
diff --git a/nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch b/nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch
deleted file mode 100644
index cb40874..0000000
--- a/nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch
+++ /dev/null
@@ -1,181 +0,0 @@ -exporting patch: -# HG changeset patch -# User Roman Arutyunyan -# Date 1453816008 -10800 -# Tue Jan 26 16:46:48 2016 +0300 -# Branch stable-1.8 -# Node ID 5557bf31e25da68d5cda19dbc91d86f47430df1f -# Parent 838946300825379ccdd3acfb131cf66d6ae3cb85 -Resolver: changed the ngx_resolver_create_*_query() arguments. - -No functional changes. - -This is needed by the following change. - -diff -r 838946300825 -r 5557bf31e25d src/core/ngx_resolver.c ---- a/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300 -+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300 -@@ -64,10 +64,10 @@ - ngx_queue_t *queue); - static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r, - ngx_resolver_node_t *rn); --static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_node_t *rn, -- ngx_resolver_ctx_t *ctx); --static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, -- ngx_resolver_ctx_t *ctx); -+static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_t *r, -+ ngx_resolver_node_t *rn, ngx_str_t *name); -+static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_t *r, -+ ngx_resolver_node_t *rn, ngx_addr_t *addr); - static void ngx_resolver_resend_handler(ngx_event_t *ev); - static time_t ngx_resolver_resend(ngx_resolver_t *r, ngx_rbtree_t *tree, - ngx_queue_t *queue); -@@ -651,7 +651,7 @@ - ngx_rbtree_insert(&r->name_rbtree, &rn->node); - } - -- rc = ngx_resolver_create_name_query(rn, ctx); -+ rc = ngx_resolver_create_name_query(r, rn, &ctx->name); - - if (rc == NGX_ERROR) { - goto failed; -@@ -878,7 +878,7 @@ - ngx_rbtree_insert(tree, &rn->node); - } - -- if (ngx_resolver_create_addr_query(rn, ctx) != NGX_OK) { -+ if (ngx_resolver_create_addr_query(r, rn, &ctx->addr) != NGX_OK) { - goto failed; - } - -@@ -2511,27 +2511,23 @@ - - - static ngx_int_t --ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx) -+ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn, -+ ngx_str_t *name) - { - 
u_char *p, *s; - size_t len, nlen; - ngx_uint_t ident; --#if (NGX_HAVE_INET6) -- ngx_resolver_t *r; --#endif - ngx_resolver_qs_t *qs; - ngx_resolver_hdr_t *query; - -- nlen = ctx->name.len ? (1 + ctx->name.len + 1) : 1; -+ nlen = name->len ? (1 + name->len + 1) : 1; - - len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t); - - #if (NGX_HAVE_INET6) -- r = ctx->resolver; -- -- p = ngx_resolver_alloc(ctx->resolver, r->ipv6 ? len * 2 : len); -+ p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len); - #else -- p = ngx_resolver_alloc(ctx->resolver, len); -+ p = ngx_resolver_alloc(r, len); - #endif - if (p == NULL) { - return NGX_ERROR; -@@ -2550,8 +2546,8 @@ - - ident = ngx_random(); - -- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0, -- "resolve: \"%V\" A %i", &ctx->name, ident & 0xffff); -+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, -+ "resolve: \"%V\" A %i", name, ident & 0xffff); - - query->ident_hi = (u_char) ((ident >> 8) & 0xff); - query->ident_lo = (u_char) (ident & 0xff); -@@ -2581,11 +2577,11 @@ - p--; - *p-- = '\0'; - -- if (ctx->name.len == 0) { -+ if (name->len == 0) { - return NGX_DECLINED; - } - -- for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) { -+ for (s = name->data + name->len - 1; s >= name->data; s--) { - if (*s != '.') { - *p = *s; - len++; -@@ -2621,8 +2617,8 @@ - - ident = ngx_random(); - -- ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0, -- "resolve: \"%V\" AAAA %i", &ctx->name, ident & 0xffff); -+ ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, -+ "resolve: \"%V\" AAAA %i", name, ident & 0xffff); - - query->ident_hi = (u_char) ((ident >> 8) & 0xff); - query->ident_lo = (u_char) (ident & 0xff); -@@ -2639,11 +2635,12 @@ - - - static ngx_int_t --ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx) -+ngx_resolver_create_addr_query(ngx_resolver_t *r, ngx_resolver_node_t *rn, -+ ngx_addr_t *addr) - { - u_char *p, *d; - size_t len; -- in_addr_t addr; -+ in_addr_t 
inaddr; - ngx_int_t n; - ngx_uint_t ident; - ngx_resolver_hdr_t *query; -@@ -2652,7 +2649,7 @@ - struct sockaddr_in6 *sin6; - #endif - -- switch (ctx->addr.sockaddr->sa_family) { -+ switch (addr->sockaddr->sa_family) { - - #if (NGX_HAVE_INET6) - case AF_INET6: -@@ -2669,7 +2666,7 @@ - + sizeof(ngx_resolver_qs_t); - } - -- p = ngx_resolver_alloc(ctx->resolver, len); -+ p = ngx_resolver_alloc(r, len); - if (p == NULL) { - return NGX_ERROR; - } -@@ -2693,11 +2690,11 @@ - - p += sizeof(ngx_resolver_hdr_t); - -- switch (ctx->addr.sockaddr->sa_family) { -+ switch (addr->sockaddr->sa_family) { - - #if (NGX_HAVE_INET6) - case AF_INET6: -- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr; -+ sin6 = (struct sockaddr_in6 *) addr->sockaddr; - - for (n = 15; n >= 0; n--) { - p = ngx_sprintf(p, "\1%xd\1%xd", -@@ -2712,11 +2709,11 @@ - - default: /* AF_INET */ - -- sin = (struct sockaddr_in *) ctx->addr.sockaddr; -- addr = ntohl(sin->sin_addr.s_addr); -+ sin = (struct sockaddr_in *) addr->sockaddr; -+ inaddr = ntohl(sin->sin_addr.s_addr); - - for (n = 0; n < 32; n += 8) { -- d = ngx_sprintf(&p[1], "%ud", (addr >> n) & 0xff); -+ d = ngx_sprintf(&p[1], "%ud", (inaddr >> n) & 0xff); - *p = (u_char) (d - &p[1]); - p = d; - } diff --git a/nginx-1.6.3-Resolver-fix-CNAME-processing.patch b/nginx-1.6.3-Resolver-fix-CNAME-processing.patch deleted file mode 100644 index 4bc734d..0000000 --- a/nginx-1.6.3-Resolver-fix-CNAME-processing.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -exporting patch: -# HG changeset patch -# User Ruslan Ermilov -# Date 1453815998 -10800 -# Tue Jan 26 16:46:38 2016 +0300 -# Branch stable-1.8 -# Node ID 838946300825379ccdd3acfb131cf66d6ae3cb85 -# Parent f63dd04c158062d73fcb6aff59124910fa1fae75 -Resolver: fixed CNAME processing for several requests. - -When several requests were waiting for a response, then after getting -a CNAME response only the last request was properly processed, while -others were left waiting. - -diff -r f63dd04c1580 -r 838946300825 src/core/ngx_resolver.c ---- a/src/core/ngx_resolver.c Tue Jan 26 16:46:31 2016 +0300 -+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:38 2016 +0300 -@@ -473,7 +473,7 @@ - ngx_int_t rc; - ngx_uint_t naddrs; - ngx_addr_t *addrs; -- ngx_resolver_ctx_t *next; -+ ngx_resolver_ctx_t *next, *last; - ngx_resolver_node_t *rn; - - ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len); -@@ -484,6 +484,9 @@ - - if (rn) { - -+ /* ctx can be a list after NGX_RESOLVE_CNAME */ -+ for (last = ctx; last->next; last = last->next); -+ - if (rn->valid >= ngx_time()) { - - ngx_log_debug0(NGX_LOG_DEBUG_CORE, r->log, 0, "resolve cached"); -@@ -511,7 +514,7 @@ - } - } - -- ctx->next = rn->waiting; -+ last->next = rn->waiting; - rn->waiting = NULL; - - /* unlock name mutex */ -@@ -557,7 +560,7 @@ - return ngx_resolve_name_locked(r, ctx); - } - -- ctx->next = rn->waiting; -+ last->next = rn->waiting; - rn->waiting = NULL; - - /* unlock name mutex */ -@@ -590,7 +593,7 @@ - ngx_add_timer(ctx->event, ctx->timeout); - } - -- ctx->next = rn->waiting; -+ last->next = rn->waiting; - rn->waiting = ctx; - ctx->state = NGX_AGAIN; - -@@ -661,8 +664,14 @@ - ngx_resolver_free(r, rn->name); - ngx_resolver_free(r, rn); - -- ctx->state = NGX_RESOLVE_NXDOMAIN; -- ctx->handler(ctx); -+ do { -+ ctx->state = NGX_RESOLVE_NXDOMAIN; -+ next = ctx->next; -+ -+ ctx->handler(ctx); -+ -+ ctx = next; -+ } while (ctx); - - return NGX_OK; - } 
diff --git a/nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch b/nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch deleted file mode 100644 index 277a7e4..0000000 --- a/nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch +++ /dev/null 
@@ -1,134 +0,0 @@ -exporting patch: -# HG changeset patch -# User Ruslan Ermilov -# Date 1453815991 -10800 -# Tue Jan 26 16:46:31 2016 +0300 -# Branch stable-1.8 -# Node ID f63dd04c158062d73fcb6aff59124910fa1fae75 -# Parent c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6 -Resolver: fixed crashes in timeout handler. - -If one or more requests were waiting for a response, then after -getting a CNAME response, the timeout event on the first request -remained active, pointing to the wrong node with an empty -rn->waiting list, and that could cause either null pointer -dereference or use-after-free memory access if this timeout -expired. - -If several requests were waiting for a response, and the first -request terminated (e.g., due to client closing a connection), -other requests were left without a timeout and could potentially -wait indefinitely. - -This is fixed by introducing per-request independent timeouts. -This change also reverts 954867a2f0a6 and 5004210e8c78. - -diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c -index fe0ce50..7aa88a6 100644 ---- a/src/core/ngx_resolver.c -+++ b/src/core/ngx_resolver.c -@@ -417,7 +417,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx) - - /* lock name mutex */ - -- if (ctx->state == NGX_AGAIN) { -+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - - hash = ngx_crc32_short(ctx->name.data, ctx->name.len); - -@@ -571,6 +571,20 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx) - - if (rn->waiting) { - -+ if (ctx->event == NULL) { -+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t)); -+ if (ctx->event == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ctx->event->handler = ngx_resolver_timeout_handler; -+ ctx->event->data = ctx; -+ ctx->event->log = r->log; -+ ctx->ident = -1; -+ -+ ngx_add_timer(ctx->event, ctx->timeout); -+ } -+ - ctx->next = rn->waiting; - rn->waiting = ctx; - ctx->state = NGX_AGAIN; -@@ -664,7 +678,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t 
*ctx) - } - - ctx->event->handler = ngx_resolver_timeout_handler; -- ctx->event->data = rn; -+ ctx->event->data = ctx; - ctx->event->log = r->log; - ctx->ident = -1; - -@@ -794,6 +808,18 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx) - - if (rn->waiting) { - -+ ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t)); -+ if (ctx->event == NULL) { -+ return NGX_ERROR; -+ } -+ -+ ctx->event->handler = ngx_resolver_timeout_handler; -+ ctx->event->data = ctx; -+ ctx->event->log = r->log; -+ ctx->ident = -1; -+ -+ ngx_add_timer(ctx->event, ctx->timeout); -+ - ctx->next = rn->waiting; - rn->waiting = ctx; - ctx->state = NGX_AGAIN; -@@ -857,7 +883,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx) - } - - ctx->event->handler = ngx_resolver_timeout_handler; -- ctx->event->data = rn; -+ ctx->event->data = ctx; - ctx->event->log = r->log; - ctx->ident = -1; - -@@ -949,7 +975,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx) - - /* lock addr mutex */ - -- if (ctx->state == NGX_AGAIN) { -+ if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - - switch (ctx->addr.sockaddr->sa_family) { - -@@ -2791,21 +2817,13 @@ done: - static void - ngx_resolver_timeout_handler(ngx_event_t *ev) - { -- ngx_resolver_ctx_t *ctx, *next; -- ngx_resolver_node_t *rn; -+ ngx_resolver_ctx_t *ctx; - -- rn = ev->data; -- ctx = rn->waiting; -- rn->waiting = NULL; -+ ctx = ev->data; - -- do { -- ctx->state = NGX_RESOLVE_TIMEDOUT; -- next = ctx->next; -- -- ctx->handler(ctx); -+ ctx->state = NGX_RESOLVE_TIMEDOUT; - -- ctx = next; -- } while (ctx); -+ ctx->handler(ctx); - } - - --- -2.5.0 - diff --git a/nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch b/nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch deleted file mode 100644 index 97d4fdb..0000000 --- a/nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -exporting patch: -# HG changeset patch -# User Roman Arutyunyan -# Date 1453815978 -10800 -# Tue Jan 26 16:46:18 2016 +0300 -# Branch stable-1.8 -# Node ID c36482d0a79fe0f2e1467f80ec2fbcd0a2d682c6 -# Parent e9a4531a2a5dabb9bee93cb8b41f24b8aeeba504 -Resolver: fixed possible segmentation fault on DNS format error. - -diff -r e9a4531a2a5d -r c36482d0a79f src/core/ngx_resolver.c ---- a/src/core/ngx_resolver.c Mon Jan 25 21:58:21 2016 +0300 -+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:18 2016 +0300 -@@ -1292,7 +1292,7 @@ - times = 0; - - for (q = ngx_queue_head(&r->name_resend_queue); -- q != ngx_queue_sentinel(&r->name_resend_queue) || times++ < 100; -+ q != ngx_queue_sentinel(&r->name_resend_queue) && times++ < 100; - q = ngx_queue_next(q)) - { - rn = ngx_queue_data(q, ngx_resolver_node_t, queue); diff --git a/nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch b/nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch deleted file mode 100644 index ba6a7d7..0000000 --- a/nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch +++ /dev/null 
@@ -1,252 +0,0 @@ -exporting patch: -# HG changeset patch -# User Roman Arutyunyan -# Date 1453816019 -10800 -# Tue Jan 26 16:46:59 2016 +0300 -# Branch stable-1.8 -# Node ID dac6eda40475f08b7372159d78dad1e13cd5bc7f -# Parent 5557bf31e25da68d5cda19dbc91d86f47430df1f -Resolver: fixed use-after-free memory accesses with CNAME. - -When several requests were waiting for a response, then after getting -a CNAME response only the last request's context had the name updated. -Contexts of other requests had the wrong name. This name was used by -ngx_resolve_name_done() to find the node to remove the request context -from. When the name was wrong, the request could not be properly -cancelled, its context was freed but stayed linked to the node's waiting -list. This happened e.g. when the first request was aborted or timed -out before the resolving completed. When it completed, this triggered -a use-after-free memory access by calling ctx->handler of already freed -request context. The bug manifests itself by -"could not cancel resolving" alerts in error_log. - -When a request was responded with a CNAME, the request context kept -the pointer to the original node's rn->u.cname. If the original node -expired before the resolving timed out or completed with an error, -this would trigger a use-after-free memory access via ctx->name in -ctx->handler(). - -The fix is to keep ctx->name unmodified. The name from context -is no longer used by ngx_resolve_name_done(). Instead, we now keep -the pointer to resolver node to which this request is linked. -Keeping the original name intact also improves logging. 
- -diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.c ---- a/src/core/ngx_resolver.c Tue Jan 26 16:46:48 2016 +0300 -+++ b/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300 -@@ -59,7 +59,7 @@ - static void ngx_resolver_cleanup(void *data); - static void ngx_resolver_cleanup_tree(ngx_resolver_t *r, ngx_rbtree_t *tree); - static ngx_int_t ngx_resolve_name_locked(ngx_resolver_t *r, -- ngx_resolver_ctx_t *ctx); -+ ngx_resolver_ctx_t *ctx, ngx_str_t *name); - static void ngx_resolver_expire(ngx_resolver_t *r, ngx_rbtree_t *tree, - ngx_queue_t *queue); - static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r, -@@ -375,7 +375,7 @@ - - /* lock name mutex */ - -- rc = ngx_resolve_name_locked(r, ctx); -+ rc = ngx_resolve_name_locked(r, ctx, &ctx->name); - - if (rc == NGX_OK) { - return NGX_OK; -@@ -402,7 +402,6 @@ - void - ngx_resolve_name_done(ngx_resolver_ctx_t *ctx) - { -- uint32_t hash; - ngx_resolver_t *r; - ngx_resolver_ctx_t *w, **p; - ngx_resolver_node_t *rn; -@@ -424,9 +423,7 @@ - - if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - -- hash = ngx_crc32_short(ctx->name.data, ctx->name.len); -- -- rn = ngx_resolver_lookup_name(r, &ctx->name, hash); -+ rn = ctx->node; - - if (rn) { - p = &rn->waiting; -@@ -467,20 +464,22 @@ - - - static ngx_int_t --ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx) -+ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx, -+ ngx_str_t *name) - { - uint32_t hash; - ngx_int_t rc; -+ ngx_str_t cname; - ngx_uint_t naddrs; - ngx_addr_t *addrs; - ngx_resolver_ctx_t *next, *last; - ngx_resolver_node_t *rn; - -- ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len); -- -- hash = ngx_crc32_short(ctx->name.data, ctx->name.len); -- -- rn = ngx_resolver_lookup_name(r, &ctx->name, hash); -+ ngx_strlow(name->data, name->data, name->len); -+ -+ hash = ngx_crc32_short(name->data, name->len); -+ -+ rn = ngx_resolver_lookup_name(r, name, hash); - - if (rn) { - -@@ -554,10 +553,10 @@ 
- - if (ctx->recursion++ < NGX_RESOLVER_MAX_RECURSION) { - -- ctx->name.len = rn->cnlen; -- ctx->name.data = rn->u.cname; -- -- return ngx_resolve_name_locked(r, ctx); -+ cname.len = rn->cnlen; -+ cname.data = rn->u.cname; -+ -+ return ngx_resolve_name_locked(r, ctx, &cname); - } - - last->next = rn->waiting; -@@ -597,6 +596,11 @@ - rn->waiting = ctx; - ctx->state = NGX_AGAIN; - -+ do { -+ ctx->node = rn; -+ ctx = ctx->next; -+ } while (ctx); -+ - return NGX_AGAIN; - } - -@@ -635,14 +639,14 @@ - return NGX_ERROR; - } - -- rn->name = ngx_resolver_dup(r, ctx->name.data, ctx->name.len); -+ rn->name = ngx_resolver_dup(r, name->data, name->len); - if (rn->name == NULL) { - ngx_resolver_free(r, rn); - return NGX_ERROR; - } - - rn->node.key = hash; -- rn->nlen = (u_short) ctx->name.len; -+ rn->nlen = (u_short) name->len; - rn->query = NULL; - #if (NGX_HAVE_INET6) - rn->query6 = NULL; -@@ -651,7 +655,7 @@ - ngx_rbtree_insert(&r->name_rbtree, &rn->node); - } - -- rc = ngx_resolver_create_name_query(r, rn, &ctx->name); -+ rc = ngx_resolver_create_name_query(r, rn, name); - - if (rc == NGX_ERROR) { - goto failed; -@@ -715,6 +719,11 @@ - - ctx->state = NGX_AGAIN; - -+ do { -+ ctx->node = rn; -+ ctx = ctx->next; -+ } while (ctx); -+ - return NGX_AGAIN; - - failed: -@@ -837,6 +846,7 @@ - ctx->next = rn->waiting; - rn->waiting = ctx; - ctx->state = NGX_AGAIN; -+ ctx->node = rn; - - /* unlock addr mutex */ - -@@ -922,6 +932,7 @@ - /* unlock addr mutex */ - - ctx->state = NGX_AGAIN; -+ ctx->node = rn; - - return NGX_OK; - -@@ -952,17 +963,11 @@ - void - ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx) - { -- in_addr_t addr; - ngx_queue_t *expire_queue; - ngx_rbtree_t *tree; - ngx_resolver_t *r; - ngx_resolver_ctx_t *w, **p; -- struct sockaddr_in *sin; - ngx_resolver_node_t *rn; --#if (NGX_HAVE_INET6) -- uint32_t hash; -- struct sockaddr_in6 *sin6; --#endif - - r = ctx->resolver; - -@@ -991,21 +996,7 @@ - - if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) { - -- 
switch (ctx->addr.sockaddr->sa_family) { -- --#if (NGX_HAVE_INET6) -- case AF_INET6: -- sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr; -- hash = ngx_crc32_short(sin6->sin6_addr.s6_addr, 16); -- rn = ngx_resolver_lookup_addr6(r, &sin6->sin6_addr, hash); -- break; --#endif -- -- default: /* AF_INET */ -- sin = (struct sockaddr_in *) ctx->addr.sockaddr; -- addr = ntohl(sin->sin_addr.s_addr); -- rn = ngx_resolver_lookup_addr(r, addr); -- } -+ rn = ctx->node; - - if (rn) { - p = &rn->waiting; -@@ -1994,9 +1985,12 @@ - rn->waiting = NULL; - - if (ctx) { -- ctx->name = name; -- -- (void) ngx_resolve_name_locked(r, ctx); -+ -+ for (next = ctx; next; next = next->next) { -+ next->node = NULL; -+ } -+ -+ (void) ngx_resolve_name_locked(r, ctx, &name); - } - - ngx_resolver_free(r, rn->query); -diff -r 5557bf31e25d -r dac6eda40475 src/core/ngx_resolver.h ---- a/src/core/ngx_resolver.h Tue Jan 26 16:46:48 2016 +0300 -+++ b/src/core/ngx_resolver.h Tue Jan 26 16:46:59 2016 +0300 -@@ -161,6 +161,8 @@ - ngx_uint_t quick; /* unsigned quick:1; */ - ngx_uint_t recursion; - ngx_event_t *event; -+ -+ ngx_resolver_node_t *node; - }; - - diff --git a/nginx-1.6.3-Resolver-limit-CNAME-recursion.patch b/nginx-1.6.3-Resolver-limit-CNAME-recursion.patch deleted file mode 100644 index f812ae5..0000000 --- a/nginx-1.6.3-Resolver-limit-CNAME-recursion.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -exporting patch: -# HG changeset patch -# User Ruslan Ermilov -# Date 1453816034 -10800 -# Tue Jan 26 16:47:14 2016 +0300 -# Branch stable-1.8 -# Node ID 93d70d87914c350948ab701cc99569680320e198 -# Parent dac6eda40475f08b7372159d78dad1e13cd5bc7f -Resolver: limited CNAME recursion. - -Previously, the recursion was only limited for cached responses. - -diff -r dac6eda40475 -r 93d70d87914c src/core/ngx_resolver.c ---- a/src/core/ngx_resolver.c Tue Jan 26 16:46:59 2016 +0300 -+++ b/src/core/ngx_resolver.c Tue Jan 26 16:47:14 2016 +0300 -@@ -1981,24 +1981,40 @@ - - ngx_queue_insert_head(&r->name_expire_queue, &rn->queue); - -- ctx = rn->waiting; -- rn->waiting = NULL; -- -- if (ctx) { -- -- for (next = ctx; next; next = next->next) { -- next->node = NULL; -- } -- -- (void) ngx_resolve_name_locked(r, ctx, &name); -- } -- - ngx_resolver_free(r, rn->query); - rn->query = NULL; - #if (NGX_HAVE_INET6) - rn->query6 = NULL; - #endif - -+ ctx = rn->waiting; -+ rn->waiting = NULL; -+ -+ if (ctx) { -+ -+ if (ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION) { -+ -+ /* unlock name mutex */ -+ -+ do { -+ ctx->state = NGX_RESOLVE_NXDOMAIN; -+ next = ctx->next; -+ -+ ctx->handler(ctx); -+ -+ ctx = next; -+ } while (ctx); -+ -+ return; -+ } -+ -+ for (next = ctx; next; next = next->next) { -+ next->node = NULL; -+ } -+ -+ (void) ngx_resolve_name_locked(r, ctx, &name); -+ } -+ - /* unlock name mutex */ - - return; diff --git a/nginx-1.8.1-null-pointer-deref.patch b/nginx-1.8.1-null-pointer-deref.patch deleted file mode 100644 index 6f2c25b..0000000 --- a/nginx-1.8.1-null-pointer-deref.patch +++ /dev/null 
@@ -1,15 +0,0 @@ ---- src/os/unix/ngx_files.c -+++ src/os/unix/ngx_files.c -@@ -183,6 +183,12 @@ ngx_write_chain_to_file(ngx_file_t *file - /* create the iovec and coalesce the neighbouring bufs */ - - while (cl && vec.nelts < IOV_MAX) { -+ -+ if (ngx_buf_special(cl->buf)) { -+ cl = cl->next; -+ continue; -+ } -+ - if (prev == cl->buf->pos) { - iov->iov_len += cl->buf->last - cl->buf->pos; - diff --git a/nginx.conf b/nginx.conf index dc7936a..7fa8133 100644 --- a/nginx.conf +++ b/nginx.conf @@ -7,6 +7,9 @@ worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; +# Load dynamic modules. See /usr/share/nginx/README.fedora. +include /usr/share/nginx/modules/*.conf; + events { worker_connections 1024; } @@ -52,4 +55,36 @@ http { location = /50x.html { } } + +# Settings for a TLS enabled server. +# +# server { +# listen 443 ssl; +# listen [::]:443 ssl; +# server_name _; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/pki/nginx/server.crt"; +# ssl_certificate_key "/etc/pki/nginx/private/server.key"; +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 10m; +# ssl_ciphers PROFILE=SYSTEM; +# ssl_prefer_server_ciphers on; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# location / { +# } +# +# error_page 404 /404.html; +# location = /40x.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } + } + diff --git a/nginx.service b/nginx.service index a9b5a81..8597eb4 100644 --- a/nginx.service +++ b/nginx.service @@ -12,9 +12,9 @@ ExecStartPre=/usr/bin/rm -f /run/nginx.pid ExecStartPre=/usr/sbin/nginx -t ExecStart=/usr/sbin/nginx ExecReload=/bin/kill -s HUP $MAINPID -KillMode=process KillSignal=SIGQUIT TimeoutStopSec=5 +KillMode=mixed PrivateTmp=true [Install] diff --git a/nginx.spec b/nginx.spec index 7433fa6..7be9c41 100644 --- a/nginx.spec +++ b/nginx.spec 
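Review bot: The comment on the new `include /usr/share/nginx/modules/*.conf;` line sends the reader to README.fedora, but the README added in this same commit tells them to remove `include /usr/lib64/nginx/modules/*.conf;`, a line that does not exist in nginx.conf, and it names the directive `load_modules` where nginx spells it `load_module`. Because the include sits at the top level of the main configuration, every `.conf` file placed in that directory is read on the next reload, so the comment should say so directly, for example `# Every *.conf here is loaded at the next reload; remove this include to stop newly installed modules from being enabled automatically.` The directory should stay writable by root only; its ownership is set outside this hunk.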
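Review bot: The commented TLS server block sets `ssl_ciphers PROFILE=SYSTEM;` without saying what the value means or that it depends on an OpenSSL build with system crypto-policy support; the spec in this commit already has to rewrite it to `HIGH:!aNULL:!MD5` for older RHEL. A one-line comment above it, such as `# PROFILE=SYSTEM follows the system-wide crypto policy; see update-crypto-policies(8).`, would tell an administrator who uncomments the block where the cipher list comes from. The block also has no `ssl_protocols` line, so the protocol set is whatever the nginx build defaults to; stating the intended protocols next to the ciphers would make the example self-describing. A short note that `/etc/pki/nginx/private/server.key` must be readable by root only would fit beside `ssl_certificate_key`.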
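Review bot: `KillMode=mixed` is added with no comment, and together with the unchanged `KillSignal=SIGQUIT` and `TimeoutStopSec=5` it changes what happens on stop: only the master gets SIGQUIT, and any worker still draining connections when the stop times out is sent SIGKILL along with the rest of the control group. If five seconds is meant to be the whole graceful-shutdown window, say so in the unit, e.g. `# mixed: SIGQUIT to the master, SIGKILL to leftover workers after TimeoutStopSec`; if not, `TimeoutStopSec` should be raised in the same change. The [Service] section begins above the hunk.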
@@ -1,27 +1,21 @@ %global _hardened_build 1 %global nginx_user nginx -%global nginx_group %{nginx_user} -%global nginx_home %{_localstatedir}/lib/nginx -%global nginx_home_tmp %{nginx_home}/tmp -%global nginx_confdir %{_sysconfdir}/nginx -%global nginx_datadir %{_datadir}/nginx -%global nginx_logdir %{_localstatedir}/log/nginx -%global nginx_webroot %{nginx_datadir}/html # gperftools exist only on selected arches -%ifarch %{ix86} x86_64 ppc ppc64 %{arm} -%global with_gperftools 1 +%ifnarch s390 s390x +%global with_gperftools 1 %endif -# AIO missing on some arches -%ifnarch aarch64 -%global with_aio 1 +%global with_aio 1 + +%if 0%{?fedora} > 22 +%global with_mailcap_mimetypes 1 %endif Name: nginx Epoch: 1 -Version: 1.6.3 -Release: 9%{?dist} +Version: 1.10.1 +Release: 1%{?dist} Summary: A high performance web server and reverse proxy server Group: System Environment/Daemons 
@@ -42,42 +36,33 @@ Source101: poweredby.png Source102: nginx-logo.png Source103: 404.html Source104: 50x.html +Source200: README.fedora +Source210: UPGRADE-NOTES-1.6-to-1.10 # removes -Werror in upstream build scripts. -Werror conflicts with # -D_FORTIFY_SOURCE=2 causing warnings to turn into errors. Patch0: nginx-auto-cc-gcc.patch -# CVE-2016-4450 -Patch1: nginx-1.8.1-null-pointer-deref.patch -# Patches taken from 1.8.1 release. Only the second patch in this series -# failed to apply and had to be modified. -Patch10: nginx-1.6.3-Resolver-fix-possible-segmentation-fault.patch -Patch11: nginx-1.6.3-Resolver-fix-crashes-in-timeout-handler.patch -Patch12: nginx-1.6.3-Resolver-fix-CNAME-processing.patch -Patch13: nginx-1.6.3-Resolver-change-ngx_resolver_create-arguments.patch -Patch14: nginx-1.6.3-Resolver-fix-use-after-free-with-CNAME.patch -Patch15: nginx-1.6.3-Resolver-limit-CNAME-recursion.patch - - -BuildRequires: GeoIP-devel -BuildRequires: gd-devel %if 0%{?with_gperftools} BuildRequires: gperftools-devel %endif -BuildRequires: libxslt-devel BuildRequires: openssl-devel BuildRequires: pcre-devel -BuildRequires: perl-devel -BuildRequires: perl(ExtUtils::Embed) BuildRequires: zlib-devel Requires: nginx-filesystem = %{epoch}:%{version}-%{release} -Requires: GeoIP -Requires: gd + +%if 0%{?rhel} || 0%{?fedora} < 24 +# Introduced at 1:1.10.0-1 to ease upgrade path. To be removed later. +Requires: nginx-all-modules = %{epoch}:%{version}-%{release} +%endif + Requires: openssl Requires: pcre -Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires(pre): nginx-filesystem +%if 0%{?with_mailcap_mimetypes} +Requires: nginx-mimetypes +%endif Provides: webserver BuildRequires: systemd 
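Review bot: Removing `Patch1` also removes the `# CVE-2016-4450` comment, and nothing on the new side of this hunk records why that fix and the six resolver patches (Patch10 to Patch15) are no longer needed. Presumably 1.10.1 already contains them; a comment where the patches used to be, such as `# CVE-2016-4450 and the 1.8.1 resolver fixes are part of 1.10.1; Patch1 and Patch10-15 dropped`, lets an auditor confirm coverage without digging through the git history. The %changelog is outside this hunk, so it may already say this.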
@@ -90,6 +75,29 @@ Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. +%package all-modules +Group: System Environment/Daemons +Summary: A meta package that installs all available Nginx modules +BuildArch: noarch + +Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release} +Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release} +Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release} +Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release} +Requires: nginx-mod-mail = %{epoch}:%{version}-%{release} +Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} + +%description all-modules +%{summary}. +%if 0%{?rhel} +The main nginx package depends on this to ease the upgrade path. After a grace +period of several months, modules will become optional. +%endif +%if 0%{?fedora} && 0%{?fedora} < 24 +The main nginx package depends on this to ease the upgrade path. Starting from +Fedora 24, modules are optional. +%endif + %package filesystem Group: System Environment/Daemons Summary: The basic directory layout for the Nginx server 
@@ -101,17 +109,78 @@ The nginx-filesystem package contains the basic directory layout for the Nginx server including the correct permissions for the directories. +%package mod-http-geoip +Group: System Environment/Daemons +Summary: Nginx HTTP geoip module +BuildRequires: GeoIP-devel +Requires: nginx +Requires: GeoIP + +%description mod-http-geoip +%{summary}. + +%package mod-http-image-filter +Group: System Environment/Daemons +Summary: Nginx HTTP image filter module +BuildRequires: gd-devel +Requires: nginx +Requires: gd + +%description mod-http-image-filter +%{summary}. + +%package mod-http-perl +Group: System Environment/Daemons +Summary: Nginx HTTP perl module +BuildRequires: perl-devel +%if 0%{?fedora} >= 24 +BuildRequires: perl-generators +%endif +BuildRequires: perl(ExtUtils::Embed) +Requires: nginx +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + +%description mod-http-perl +%{summary}. + +%package mod-http-xslt-filter +Group: System Environment/Daemons +Summary: Nginx XSLT module +BuildRequires: libxslt-devel +Requires: nginx + +%description mod-http-xslt-filter +%{summary}. + +%package mod-mail +Group: System Environment/Daemons +Summary: Nginx mail modules +Requires: nginx + +%description mod-mail +%{summary}. + +%package mod-stream +Group: System Environment/Daemons +Summary: Nginx stream modules +Requires: nginx + +%description mod-stream +%{summary}. + %prep %setup -q %patch0 -p0 -%patch1 -p0 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 +cp %{SOURCE200} . +%if 0%{?rhel} == 7 +cp %{SOURCE210} . +%endif + +%if 0%{?rhel} < 8 +sed -i -e 's#KillMode=.*#KillMode=process#g' %{SOURCE10} +sed -i -e 's#PROFILE=SYSTEM#HIGH:!aNULL:!MD5#' %{SOURCE12} +%endif %build 
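Review bot: The `%if 0%{?rhel} < 8` guard in %prep is also true on Fedora, where `%{?rhel}` expands to nothing and the test becomes `0 < 8`, so the two `sed` lines would put `KillMode=process` and `HIGH:!aNULL:!MD5` back on every Fedora build and undo the `KillMode=mixed` and `PROFILE=SYSTEM` changes made elsewhere in this commit. Guard it as `%if 0%{?rhel} && 0%{?rhel} < 8`. The `sed -i` also edits `%{SOURCE10}` and `%{SOURCE12}` in place in the sources directory; copying them into the build tree and editing the copies keeps the packaged sources unmodified. Separately, each `nginx-mod-*` subpackage has an unversioned `Requires: nginx`; a dynamic module has to match the nginx binary it was built against, so `Requires: nginx = %{epoch}:%{version}-%{release}` would stop a partial update from leaving a module that fails to load at the next reload.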
@@ -121,31 +190,32 @@ directories. # variable. export DESTDIR=%{buildroot} ./configure \ - --prefix=%{nginx_datadir} \ + --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ - --conf-path=%{nginx_confdir}/nginx.conf \ - --error-log-path=%{nginx_logdir}/error.log \ - --http-log-path=%{nginx_logdir}/access.log \ - --http-client-body-temp-path=%{nginx_home_tmp}/client_body \ - --http-proxy-temp-path=%{nginx_home_tmp}/proxy \ - --http-fastcgi-temp-path=%{nginx_home_tmp}/fastcgi \ - --http-uwsgi-temp-path=%{nginx_home_tmp}/uwsgi \ - --http-scgi-temp-path=%{nginx_home_tmp}/scgi \ + --modules-path=%{_libdir}/nginx/modules \ + --conf-path=%{_sysconfdir}/nginx/nginx.conf \ + --error-log-path=%{_localstatedir}/log/nginx/error.log \ + --http-log-path=%{_localstatedir}/log/nginx/access.log \ + --http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \ + --http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \ + --http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \ + --http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \ + --http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \ --pid-path=/run/nginx.pid \ --lock-path=/run/lock/subsys/nginx \ --user=%{nginx_user} \ - --group=%{nginx_group} \ + --group=%{nginx_user} \ %if 0%{?with_aio} --with-file-aio \ %endif --with-ipv6 \ --with-http_ssl_module \ - --with-http_spdy_module \ + --with-http_v2_module \ --with-http_realip_module \ --with-http_addition_module \ - --with-http_xslt_module \ - --with-http_image_filter_module \ - --with-http_geoip_module \ + --with-http_xslt_module=dynamic \ + --with-http_image_filter_module=dynamic \ + --with-http_geoip_module=dynamic \ --with-http_sub_module \ --with-http_dav_module \ --with-http_flv_module \ 
@@ -155,12 +225,15 @@ export DESTDIR=%{buildroot} --with-http_random_index_module \ --with-http_secure_link_module \ --with-http_degradation_module \ + --with-http_slice_module \ --with-http_stub_status_module \ - --with-http_perl_module \ - --with-mail \ + --with-http_perl_module=dynamic \ + --with-mail=dynamic \ --with-mail_ssl_module \ --with-pcre \ --with-pcre-jit \ + --with-stream=dynamic \ + --with-stream_ssl_module \ %if 0%{?with_gperftools} --with-google_perftools_module \ %endif 
@@ -178,27 +251,35 @@ find %{buildroot} -type f -name .packlist -exec rm -f '{}' \; find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; find %{buildroot} -type f -empty -exec rm -f '{}' \; find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \; + install -p -D -m 0644 %{SOURCE10} \ %{buildroot}%{_unitdir}/nginx.service - install -p -D -m 0644 %{SOURCE11} \ %{buildroot}%{_sysconfdir}/logrotate.d/nginx -install -p -d -m 0755 %{buildroot}%{nginx_confdir}/conf.d -install -p -d -m 0755 %{buildroot}%{nginx_confdir}/default.d -install -p -d -m 0700 %{buildroot}%{nginx_home} -install -p -d -m 0700 %{buildroot}%{nginx_home_tmp} -install -p -d -m 0700 %{buildroot}%{nginx_logdir} -install -p -d -m 0755 %{buildroot}%{nginx_webroot} +install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/conf.d +install -p -d -m 0755 %{buildroot}%{_sysconfdir}/nginx/default.d + +install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx +install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp +install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx + +install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html +install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules +install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules install -p -m 0644 %{SOURCE12} \ - %{buildroot}%{nginx_confdir} + %{buildroot}%{_sysconfdir}/nginx install -p -m 0644 %{SOURCE100} \ - %{buildroot}%{nginx_webroot} + %{buildroot}%{_datadir}/nginx/html install -p -m 0644 %{SOURCE101} %{SOURCE102} \ - %{buildroot}%{nginx_webroot} + %{buildroot}%{_datadir}/nginx/html install -p -m 0644 %{SOURCE103} %{SOURCE104} \ - %{buildroot}%{nginx_webroot} + %{buildroot}%{_datadir}/nginx/html + +%if 0%{?with_mailcap_mimetypes} +rm -f %{buildroot}%{_sysconfdir}/nginx/mime.types +%endif install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 \ %{buildroot}%{_mandir}/man8/nginx.8 
@@ -211,17 +292,59 @@ for i in ftdetect indent syntax; do %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim done +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf %pre filesystem -getent group %{nginx_group} > /dev/null || groupadd -r %{nginx_group} +getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} getent passwd %{nginx_user} > /dev/null || \ - useradd -r -d %{nginx_home} -g %{nginx_group} \ + useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \ -s /sbin/nologin -c "Nginx web server" %{nginx_user} exit 0 %post %systemd_post nginx.service +%post mod-http-geoip +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-http-image-filter +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-http-perl +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-http-xslt-filter +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-mail +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-stream +if [ $1 -eq 1 ]; then + /usr/bin/systemctl reload 
nginx.service >/dev/null 2>&1 || : +fi + %preun %systemd_preun nginx.service @@ -232,8 +355,12 @@ if [ $1 -ge 1 ]; then fi %files -%doc LICENSE CHANGES README -%{nginx_datadir}/html/* +%license LICENSE +%doc CHANGES README README.fedora +%if 0%{rhel} == 7 +%doc UPGRADE-NOTES-1.6-to-1.10 +%endif +%{_datadir}/nginx/html/* %{_bindir}/nginx-upgrade %{_sbindir}/nginx %{_datadir}/vim/vimfiles/ftdetect/nginx.vim 
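Review bot: The opt-out documented in README.fedora, added by this same commit, does not match what this hunk generates. The `echo` lines write the snippets to `%{_datadir}/nginx/modules/mod-*.conf` and use the `load_module` directive. The README tells admins to remove `include /usr/lib64/nginx/modules/*.conf;` and calls the directive `load_modules`. nginx.conf is not part of this hunk, so the real include line should be checked, but the README text should probably read `include /usr/share/nginx/modules/*.conf;` and `load_module`. Since each `%post mod-*` scriptlet reloads nginx on first install, an admin following the README as written may believe auto-loading is disabled when it is not.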
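Review bot: The new conditional in `%files`, `%if 0%{rhel} == 7`, lacks the `?` that the rest of the spec uses, for example `%if 0%{?rhel} == 7` in `%prep`. Where `rhel` is undefined, as on Fedora, `%{rhel}` is left unexpanded and the expression is likely to fail to parse instead of evaluating to false. It should read `%if 0%{?rhel} == 7`.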
@@ -243,77 +370,151 @@ fi %{_mandir}/man8/nginx.8* %{_mandir}/man8/nginx-upgrade.8* %{_unitdir}/nginx.service -%config(noreplace) %{nginx_confdir}/fastcgi.conf -%config(noreplace) %{nginx_confdir}/fastcgi.conf.default -%config(noreplace) %{nginx_confdir}/fastcgi_params -%config(noreplace) %{nginx_confdir}/fastcgi_params.default -%config(noreplace) %{nginx_confdir}/koi-utf -%config(noreplace) %{nginx_confdir}/koi-win -%config(noreplace) %{nginx_confdir}/mime.types -%config(noreplace) %{nginx_confdir}/mime.types.default -%config(noreplace) %{nginx_confdir}/nginx.conf -%config(noreplace) %{nginx_confdir}/nginx.conf.default -%config(noreplace) %{nginx_confdir}/scgi_params -%config(noreplace) %{nginx_confdir}/scgi_params.default -%config(noreplace) %{nginx_confdir}/uwsgi_params -%config(noreplace) %{nginx_confdir}/uwsgi_params.default -%config(noreplace) %{nginx_confdir}/win-utf +%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf +%config(noreplace) %{_sysconfdir}/nginx/fastcgi.conf.default +%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params +%config(noreplace) %{_sysconfdir}/nginx/fastcgi_params.default +%config(noreplace) %{_sysconfdir}/nginx/koi-utf +%config(noreplace) %{_sysconfdir}/nginx/koi-win +%if ! 
0%{?with_mailcap_mimetypes} +%config(noreplace) %{_sysconfdir}/nginx/mime.types +%endif +%config(noreplace) %{_sysconfdir}/nginx/mime.types.default +%config(noreplace) %{_sysconfdir}/nginx/nginx.conf +%config(noreplace) %{_sysconfdir}/nginx/nginx.conf.default +%config(noreplace) %{_sysconfdir}/nginx/scgi_params +%config(noreplace) %{_sysconfdir}/nginx/scgi_params.default +%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params +%config(noreplace) %{_sysconfdir}/nginx/uwsgi_params.default +%config(noreplace) %{_sysconfdir}/nginx/win-utf %config(noreplace) %{_sysconfdir}/logrotate.d/nginx +%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx +%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/lib/nginx/tmp +%attr(700,%{nginx_user},%{nginx_user}) %dir %{_localstatedir}/log/nginx +%dir %{_libdir}/nginx/modules + +%files all-modules + +%files filesystem +%dir %{_datadir}/nginx +%dir %{_datadir}/nginx/html +%dir %{_sysconfdir}/nginx +%dir %{_sysconfdir}/nginx/conf.d +%dir %{_sysconfdir}/nginx/default.d + +%files mod-http-geoip +%{_datadir}/nginx/modules/mod-http-geoip.conf +%{_libdir}/nginx/modules/ngx_http_geoip_module.so + +%files mod-http-image-filter +%{_datadir}/nginx/modules/mod-http-image-filter.conf +%{_libdir}/nginx/modules/ngx_http_image_filter_module.so + +%files mod-http-perl +%{_datadir}/nginx/modules/mod-http-perl.conf +%{_libdir}/nginx/modules/ngx_http_perl_module.so %dir %{perl_vendorarch}/auto/nginx %{perl_vendorarch}/nginx.pm %{perl_vendorarch}/auto/nginx/nginx.so -%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home} -%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_home_tmp} -%attr(700,%{nginx_user},%{nginx_group}) %dir %{nginx_logdir} -%files filesystem -%dir %{nginx_datadir} -%dir %{nginx_datadir}/html -%dir %{nginx_confdir} -%dir %{nginx_confdir}/conf.d -%dir %{nginx_confdir}/default.d +%files mod-http-xslt-filter +%{_datadir}/nginx/modules/mod-http-xslt-filter.conf 
+%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so + +%files mod-mail +%{_datadir}/nginx/modules/mod-mail.conf +%{_libdir}/nginx/modules/ngx_mail_module.so + +%files mod-stream +%{_datadir}/nginx/modules/mod-stream.conf +%{_libdir}/nginx/modules/ngx_stream_module.so %changelog -* Tue May 31 2016 Jamie Nguyen - 1:1.6.3-9 -- fix CVE-2016-4450 +* Tue May 31 2016 Jamie Nguyen - 1:1.10.1-1 +- update to upstream release 1.10.1 -* Tue Jan 26 2016 Jamie Nguyen - 1:1.6.3-8 +* Sun May 15 2016 Jitka Plesnikova - 1:1.10.0-4 +- Perl 5.24 rebuild + +* Sun May 8 2016 Peter Robinson 1:1.10.0-3 +- Enable AIO on aarch64 (rhbz 1258414) + +* Wed Apr 27 2016 Jamie Nguyen - 1:1.10.0-2 +- only Require nginx-all-modules for EPEL and current Fedora releases + +* Wed Apr 27 2016 Jamie Nguyen - 1:1.10.0-1 +- update to upstream release 1.10.0 +- split dynamic modules into subpackages +- spec file cleanup + +* Thu Feb 04 2016 Fedora Release Engineering - 1:1.8.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 26 2016 Jamie Nguyen - 1:1.8.1-1 +- update to upstream release 1.8.1 - CVE-2016-0747: Insufficient limits of CNAME resolution in resolver - CVE-2016-0746: Use-after-free during CNAME response processing in resolver - CVE-2016-0742: Invalid pointer dereference in resolver -* Sun Oct 04 2015 Jamie Nguyen - 1:1.6.3-7 +* Sun Oct 04 2015 Jamie Nguyen - 1:1.8.0-14 +- consistently use '%%global with_foo' style of logic - remove PID file before starting nginx (#1268621) -* Fri Jul 03 2015 Jamie Nguyen - 1:1.6.3-6 +* Fri Sep 25 2015 Ville Skyttä - 1:1.8.0-13 +- Use nginx-mimetypes from mailcap (#1248736) +- Mark LICENSE as %%license + +* Thu Sep 10 2015 Jamie Nguyen - 1:1.8.0-12 +- also build with gperftools on aarch64 (#1258412) + +* Wed Aug 12 2015 Nikos Mavrogiannopoulos - 1:1.8.0-11 +- nginx.conf: added commented-out SSL configuration directives (#1179232) + +* Fri Jul 03 2015 Jamie Nguyen - 1:1.8.0-10 - switch back to /bin/kill in logrotate script due 
to SELinux denials -* Tue Jun 16 2015 Jamie Nguyen - 1:1.6.3-5 -- set KillMode=process in systemd service file - -* Tue Jun 16 2015 Jamie Nguyen - 1:1.6.3-4 -- fix path to png images in error pages (#1232277) +* Tue Jun 16 2015 Jamie Nguyen - 1:1.8.0-9 +- fix path to png in error pages (#1232277) - optimize png images with optipng -* Sun Jun 14 2015 Jamie Nguyen - 1:1.6.3-3 +* Sun Jun 14 2015 Jamie Nguyen - 1:1.8.0-8 - replace /bin/kill with /usr/bin/systemctl kill in logrotate script (#1231543) - remove After=syslog.target in nginx.service (#1231543) - replace ExecStop with KillSignal=SIGQUIT in nginx.service (#1231543) -- remove KillMode=mixed as this is not supported on systemd v208 -* Sun May 10 2015 Jamie Nguyen - 1:1.6.3-2 -- improve nginx-upgrade -- run nginx-upgrade on package updates +* Wed Jun 03 2015 Jitka Plesnikova - 1:1.8.0-7 +- Perl 5.22 rebuild + +* Sun May 10 2015 Jamie Nguyen - 1:1.8.0-6 +- revert previous change + +* Sun May 10 2015 Jamie Nguyen - 1:1.8.0-5 +- move default server to default.conf (#1220094) + +* Sun May 10 2015 Jamie Nguyen - 1:1.8.0-4 - add TimeoutStopSec=5 and KillMode=mixed to nginx.service -- remove some redundant files +- set worker_processes to auto - add some common options to the http block in nginx.conf -- listen on ipv6 for the default server (#1217081) -- remove redundant commands in %%post -- add --with-pcre-jit to configure options +- run nginx-upgrade on package update +- remove some redundant scriptlet commands +- listen on ipv6 for default server (#1217081) -* Thu Apr 09 2015 Jamie Nguyen - 1:1.6.3-1 -- update to upstream release 1.6.3 +* Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-3 +- improve nginx-upgrade script + +* Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-2 +- add --with-pcre-jit + +* Wed Apr 22 2015 Jamie Nguyen - 1:1.8.0-1 +- update to upstream release 1.8.0 + +* Thu Apr 09 2015 Jamie Nguyen - 1:1.7.12-1 +- update to upstream release 1.7.12 + +* Sun Feb 15 2015 Jamie Nguyen - 1:1.7.10-1 +- update to upstream 
release 1.7.10 +- remove systemd conditionals * Wed Oct 22 2014 Jamie Nguyen - 1:1.6.2-4 - fix package ownership of directories diff --git a/sources b/sources index f4ead0b..5ccafa5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -ea813aee2c344c2f5b66cdb24a472738 nginx-1.6.3.tar.gz -16301c1d7f4773ed62e24f820d8b5181 nginx-1.6.3.tar.gz.asc +088292d9caf6059ef328aa7dda332e44 nginx-1.10.1.tar.gz +bb38cb136c10010d3162403f6a39215d nginx-1.10.1.tar.gz.asc
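Review bot: No `%files` list in the nginx.spec hunk that ends here owns `%{_datadir}/nginx/modules`. The main package lists `%dir %{_libdir}/nginx/modules`, `%files filesystem` lists only `%{_datadir}/nginx` and `%{_datadir}/nginx/html`, and each `mod-*` list names just its own `.conf` file inside the directory. The directory holding the `load_module` snippets is therefore outside rpm's ownership and mode tracking, so `rpm -V` will not report changes to it and it is left behind on removal. Adding `%dir %{_datadir}/nginx/modules` to the main `%files` list, next to the `%{_libdir}` entry, would fix that.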