Merge branch 'rawhide' into epel7

2021-10-18 18:59:38 -04:00 · 2021-10-18 18:59:38 -04:00 · 0cc5fc00c4
parent 8325e98e19 3ba5cb0faa
commit 0cc5fc00c4
7 changed files with 262 additions and 35 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/91
+++ b/91
@ -0,0 +1,91 @@
+
+# HG changeset patch
+# User Maxim Dounin <mdounin@mdounin.ru>
+# Date 1621383211 -10800
+# Node ID ec107183079903013faee7e67e8721262fd95552
+# Parent  b38728495e1aa06b685dc42c909fb02d3cddecfa
+Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail.h
+--- a/src/mail/ngx_mail.h	Wed May 19 03:13:28 2021 +0300
+++ b/src/mail/ngx_mail.h	Wed May 19 03:13:31 2021 +0300
+@@ -115,6 +115,8 @@
+     ngx_msec_t              timeout;
+     ngx_msec_t              resolver_timeout;
+ 
+    ngx_uint_t              max_errors;
+
+     ngx_str_t               server_name;
+ 
+     u_char                 *file_name;
+@@ -231,6 +233,7 @@
+     ngx_uint_t              command;
+     ngx_array_t             args;
+ 
+    ngx_uint_t              errors;
+     ngx_uint_t              login_attempt;
+ 
+     /* used to parse POP3/IMAP/SMTP command */
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_core_module.c
+--- a/src/mail/ngx_mail_core_module.c	Wed May 19 03:13:28 2021 +0300
+++ b/src/mail/ngx_mail_core_module.c	Wed May 19 03:13:31 2021 +0300
+@@ -85,6 +85,13 @@
+       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+       NULL },
+ 
+    { ngx_string("max_errors"),
+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_MAIL_SRV_CONF_OFFSET,
+      offsetof(ngx_mail_core_srv_conf_t, max_errors),
+      NULL },
+
+       ngx_null_command
+ };
+ 
+@@ -163,6 +170,8 @@
+     cscf->timeout = NGX_CONF_UNSET_MSEC;
+     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ 
+    cscf->max_errors = NGX_CONF_UNSET_UINT;
+
+     cscf->resolver = NGX_CONF_UNSET_PTR;
+ 
+     cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+                               30000);
+ 
+    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+ 
+     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+ 
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_handler.c
+--- a/src/mail/ngx_mail_handler.c	Wed May 19 03:13:28 2021 +0300
+++ b/src/mail/ngx_mail_handler.c	Wed May 19 03:13:31 2021 +0300
+@@ -874,7 +874,20 @@
+         return NGX_MAIL_PARSE_INVALID_COMMAND;
+     }
+ 
+-    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+        s->errors++;
+
+        if (s->errors >= cscf->max_errors) {
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                          "client sent too many invalid commands");
+            s->quit = 1;
+        }
+
+        return rc;
+    }
+
+    if (rc == NGX_IMAP_NEXT) {
+         return rc;
+     }
+ 
+
--- a/macros.nginxmods.in
+++ b/macros.nginxmods.in
@ -0,0 +1,20 @@
+%_nginx_abiversion @@NGINX_ABIVERSION@@
+%_nginx_srcdir @@NGINX_SRCDIR@@
+%_nginx_buildsrcdir nginx-src
+%_nginx_modsrcdir ..
+%_nginx_modbuilddir ../%{_vpath_builddir}
+%nginx_moddir @@NGINX_MODDIR@@
+%nginx_modconfdir @@NGINX_MODCONFDIR@@
+
+%nginx_modrequires Requires: nginx(abi) = %{_nginx_abiversion}
+
+%nginx_modconfigure(:-:) \\\
+  %undefine _strict_symbol_defs_build \
+  cp -a "%{_nginx_srcdir}" "%{_nginx_buildsrcdir}" \
+  cd "%{_nginx_buildsrcdir}" \
+  nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" \
+  ./configure --with-compat --with-cc-opt="%{optflags} $(pcre-config --cflags)" --with-ld-opt="$nginx_ldopts" \\\
+              --add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \
+  cd -
+
+%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules
--- a/nginx.logrotate
+++ b/nginx.logrotate
@ -5,6 +5,7 @@
    missingok
    notifempty
    compress
+    delaycompress
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
--- a/nginx.spec
+++ b/nginx.spec
@ -26,10 +26,22 @@
 %global with_mailcap_mimetypes 1
 %endif

+# Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/
+%global nginx_abiversion %{version}
+
+%global nginx_moduledir %{_libdir}/nginx/modules
+%global nginx_moduleconfdir %{_datadir}/nginx/modules
+%global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release}
+
+# Do not generate provides/requires from nginx sources
+%global __provides_exclude_from ^%{nginx_srcdir}/.*$
+%global __requires_exclude_from ^%{nginx_srcdir}/.*$
+
+
 Name:              nginx
 Epoch:             1
 Version:           1.20.1
-Release:           2%{?dist}
+Release:           8%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -48,6 +60,8 @@ Source11:          nginx.logrotate
 Source12:          nginx.conf
 Source13:          nginx-upgrade
 Source14:          nginx-upgrade.8
+Source15:          macros.nginxmods.in
+Source16:          nginxmods.attr
 Source102:         nginx-logo.png
 Source103:         404.html
 Source104:         50x.html
@ -62,6 +76,9 @@ Patch0:            0001-remove-Werror-in-upstream-build-scripts.patch
 # rejected upstream: https://trac.nginx.org/nginx/ticket/1897
 Patch1:            0002-fix-PIDFile-handling.patch

+# Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication
+Patch2:            http://hg.nginx.org/nginx/raw-rev/ec1071830799
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -103,6 +120,8 @@ BuildRequires:     systemd
 Requires(post):    systemd
 Requires(preun):   systemd
 Requires(postun):  systemd
+# For external nginx modules
+Provides:          nginx(abi) = %{nginx_abiversion}

 %description
 Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
@ -139,7 +158,7 @@ directories.
 %package mod-http-geoip
 Summary:           Nginx HTTP geoip module
 BuildRequires:     GeoIP-devel
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}
 Requires:          GeoIP

 %description mod-http-geoip
@ -149,7 +168,7 @@ Requires:          GeoIP
 %package mod-http-image-filter
 Summary:           Nginx HTTP image filter module
 BuildRequires:     gd-devel
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}
 Requires:          gd

 %description mod-http-image-filter
@ -162,7 +181,7 @@ BuildRequires:     perl-devel
 BuildRequires:     perl-generators
 %endif
 BuildRequires:     perl(ExtUtils::Embed)
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}
 Requires:          perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 Requires:          perl(constant)

@ -172,25 +191,51 @@ Requires:          perl(constant)
 %package mod-http-xslt-filter
 Summary:           Nginx XSLT module
 BuildRequires:     libxslt-devel
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}

 %description mod-http-xslt-filter
 %{summary}.

 %package mod-mail
 Summary:           Nginx mail modules
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}

 %description mod-mail
 %{summary}.

 %package mod-stream
 Summary:           Nginx stream modules
-Requires:          nginx
+Requires:          nginx(abi) = %{nginx_abiversion}

 %description mod-stream
 %{summary}.

+%package mod-devel
+Summary:           Nginx module development files
+Requires:          nginx = %{epoch}:%{version}-%{release}
+Requires:          make
+Requires:          gcc
+Requires:          gd-devel
+%if 0%{?with_gperftools}
+Requires:          gperftools-devel
+%endif
+%if %{with geoip}
+Requires:          GeoIP-devel
+%endif
+Requires:          libxslt-devel
+%if 0%{?fedora} || 0%{?rhel} >= 8
+Requires:          openssl-devel
+%else
+Requires:          openssl11-devel
+%endif
+Requires:          pcre-devel
+Requires:          perl-devel
+Requires:          perl(ExtUtils::Embed)
+Requires:          zlib-devel
+
+%description mod-devel
+%{summary}.
+

 %prep
 # Combine all keys from upstream into one file
@ -211,6 +256,10 @@ sed \
  -i auto/lib/openssl/conf
 %endif

+# Prepare sources for installation
+cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src
+mv ../%{name}-%{version}-%{release}-src .
+

 %build
 # nginx does not utilize a standard configure script.  It has its own
@ -223,7 +272,7 @@ nginx_ldopts="$RPM_LD_FLAGS -Wl,-E"
 if ! ./configure \
    --prefix=%{_datadir}/nginx \
    --sbin-path=%{_sbindir}/nginx \
-    --modules-path=%{_libdir}/nginx/modules \
+    --modules-path=%{nginx_moduledir} \
    --conf-path=%{_sysconfdir}/nginx/nginx.conf \
    --error-log-path=%{_localstatedir}/log/nginx/error.log \
    --http-log-path=%{_localstatedir}/log/nginx/access.log \
@ -308,8 +357,8 @@ install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp
 install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx

 install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html
-install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules
-install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules
+install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir}
+install -p -d -m 0755 %{buildroot}%{nginx_moduledir}

 install -p -m 0644 ./nginx.conf \
    %{buildroot}%{_sysconfdir}/nginx
@ -335,6 +384,11 @@ mkdir -p %{buildroot}%{_datadir}/nginx/html/icons
 ln -s ../../../pixmaps/poweredby.png \
      %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png

+%if 0%{?rhel} >= 9
+ln -s ../../pixmaps/system-noindex-logo.png \
+      %{buildroot}%{_datadir}/nginx/html/system_noindex_logo.png
+%endif
+
 install -p -m 0644 %{SOURCE103} %{SOURCE104} \
    %{buildroot}%{_datadir}/nginx/html

@ -354,19 +408,34 @@ for i in ftdetect ftplugin indent syntax; do
 done

 %if %{with geoip}
-echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf
+echo 'load_module "%{nginx_moduledir}/ngx_http_geoip_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip.conf
 %endif
-echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf
-echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf
-echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
-echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf
-echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \
-    > %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf
+echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf
+echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf
+echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf
+echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf
+echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \
+    > %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf
+
+# Install files for supporting nginx module builds
+## Install source files
+mkdir -p %{buildroot}%{_usrsrc}
+mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir}
+## Install rpm macros
+mkdir -p %{buildroot}%{_rpmmacrodir}
+sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \
+    -e "s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \
+    -e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \
+    -e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \
+    %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods
+## Install dependency generator
+install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16}
+

 %pre filesystem
 getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user}
@ -459,7 +528,8 @@ fi
 %attr(711,root,root) %dir %{_localstatedir}/log/nginx
 %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log
 %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log
-%dir %{_libdir}/nginx/modules
+%dir %{nginx_moduledir}
+%dir %{nginx_moduleconfdir}

 %files all-modules

@ -474,35 +544,58 @@ fi

 %if %{with geoip}
 %files mod-http-geoip
-%{_datadir}/nginx/modules/mod-http-geoip.conf
-%{_libdir}/nginx/modules/ngx_http_geoip_module.so
+%{nginx_moduleconfdir}/mod-http-geoip.conf
+%{nginx_moduledir}/ngx_http_geoip_module.so
 %endif

 %files mod-http-image-filter
-%{_datadir}/nginx/modules/mod-http-image-filter.conf
-%{_libdir}/nginx/modules/ngx_http_image_filter_module.so
+%{nginx_moduleconfdir}/mod-http-image-filter.conf
+%{nginx_moduledir}/ngx_http_image_filter_module.so

 %files mod-http-perl
-%{_datadir}/nginx/modules/mod-http-perl.conf
-%{_libdir}/nginx/modules/ngx_http_perl_module.so
+%{nginx_moduleconfdir}/mod-http-perl.conf
+%{nginx_moduledir}/ngx_http_perl_module.so
 %dir %{perl_vendorarch}/auto/nginx
 %{perl_vendorarch}/nginx.pm
 %{perl_vendorarch}/auto/nginx/nginx.so

 %files mod-http-xslt-filter
-%{_datadir}/nginx/modules/mod-http-xslt-filter.conf
-%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so
+%{nginx_moduleconfdir}/mod-http-xslt-filter.conf
+%{nginx_moduledir}/ngx_http_xslt_filter_module.so

 %files mod-mail
-%{_datadir}/nginx/modules/mod-mail.conf
-%{_libdir}/nginx/modules/ngx_mail_module.so
+%{nginx_moduleconfdir}/mod-mail.conf
+%{nginx_moduledir}/ngx_mail_module.so

 %files mod-stream
-%{_datadir}/nginx/modules/mod-stream.conf
-%{_libdir}/nginx/modules/ngx_stream_module.so
+%{nginx_moduleconfdir}/mod-stream.conf
+%{nginx_moduledir}/ngx_stream_module.so
+
+%files mod-devel
+%{_rpmmacrodir}/macros.nginxmods
+%{_fileattrsdir}/nginxmods.attr
+%{nginx_srcdir}/


 %changelog
+* Mon Oct 18 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-8
+- Fix "file size changed while zipping" when rotating logs (rhbz#1980948,2015249,2015243)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:1.20.1-7
+- Rebuilt with OpenSSL 3.0.0
+
+* Tue Aug 10 2021 Neal Gompa <ngompa@datto.com> - 1:1.20.1-6
+- Add -mod-devel subpackage for building external nginx modules (rhbz#1989778)
+
+* Mon Aug 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-5
+- Add symlink used by system-logos-httpd
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.20.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 25 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-3
+- fix for CVE-2021-3618 (rhbz#1975651)
+
 * Tue Jun 01 2021 Felix Kaechele <heffer@fedoraproject.org> - 1:1.20.1-2
 - use different fix for rhbz#1683388 as it introduced permissions issues in 1:1.20.0-2

--- a/nginxmods.attr
+++ b/nginxmods.attr
@ -0,0 +1,14 @@
+%__nginxmods_requires() %{lua:
+    -- Match buildroot paths of the form
+    --    /PATH/OF/BUILDROOT/usr/lib/nginx/modules/  and
+    --    /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/
+    -- generating a line of the form:
+    --    nginx(abi) = VERSION
+    local path = rpm.expand("%1")
+    if path:match("/usr/lib%d*/nginx/modules/.*") then
+        local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}")
+        print(requires)
+    end
+}
+
+%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$
--- a/plans/all.fmf
+++ b/plans/all.fmf
@ -0,0 +1,7 @@
+summary: Test plan with all Fedora tests
+discover:
+       how: fmf
+       url: https://src.fedoraproject.org/tests/nginx.git
+execute:
+       how: tmt
+