diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/ec1071830799 b/ec1071830799
new file mode 100644
index 0000000..3f46b6d
--- /dev/null
+++ b/ec1071830799
@@ -0,0 +1,91 @@
+
+# HG changeset patch
+# User Maxim Dounin
+# Date 1621383211 -10800
+# Node ID ec107183079903013faee7e67e8721262fd95552
+# Parent b38728495e1aa06b685dc42c909fb02d3cddecfa
+Mail: max_errors directive.
+
+Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands
+in Exim, specifies the number of errors after which the connection is closed.
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail.h
+--- a/src/mail/ngx_mail.h Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail.h Wed May 19 03:13:31 2021 +0300
+@@ -115,6 +115,8 @@
+ ngx_msec_t timeout;
+ ngx_msec_t resolver_timeout;
+
++ ngx_uint_t max_errors;
++
+ ngx_str_t server_name;
+
+ u_char *file_name;
+@@ -231,6 +233,7 @@
+ ngx_uint_t command;
+ ngx_array_t args;
+
++ ngx_uint_t errors;
+ ngx_uint_t login_attempt;
+
+ /* used to parse POP3/IMAP/SMTP command */
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_core_module.c
+--- a/src/mail/ngx_mail_core_module.c Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_core_module.c Wed May 19 03:13:31 2021 +0300
+@@ -85,6 +85,13 @@
+ offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
+ NULL },
+
++ { ngx_string("max_errors"),
++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
++ ngx_conf_set_num_slot,
++ NGX_MAIL_SRV_CONF_OFFSET,
++ offsetof(ngx_mail_core_srv_conf_t, max_errors),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -163,6 +170,8 @@
+ cscf->timeout = NGX_CONF_UNSET_MSEC;
+ cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+
++ cscf->max_errors = NGX_CONF_UNSET_UINT;
++
+ cscf->resolver = NGX_CONF_UNSET_PTR;
+
+ cscf->file_name = cf->conf_file->file.name.data;
+@@ -182,6 +191,7 @@
+ ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
+ 30000);
+
++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
+
+ ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
+
+diff -r b38728495e1a -r ec1071830799 src/mail/ngx_mail_handler.c
+--- a/src/mail/ngx_mail_handler.c Wed May 19 03:13:28 2021 +0300
++++ b/src/mail/ngx_mail_handler.c Wed May 19 03:13:31 2021 +0300
+@@ -874,7 +874,20 @@
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+
+- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
++
++ s->errors++;
++
++ if (s->errors >= cscf->max_errors) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client sent too many invalid commands");
++ s->quit = 1;
++ }
++
++ return rc;
++ }
++
++ if (rc == NGX_IMAP_NEXT) {
+ return rc;
+ }
+
+
diff --git a/macros.nginxmods.in b/macros.nginxmods.in
new file mode 100644
index 0000000..9b612b2
--- /dev/null
+++ b/macros.nginxmods.in
@@ -0,0 +1,20 @@
+%_nginx_abiversion @@NGINX_ABIVERSION@@
+%_nginx_srcdir @@NGINX_SRCDIR@@
+%_nginx_buildsrcdir nginx-src
+%_nginx_modsrcdir ..
+%_nginx_modbuilddir ../%{_vpath_builddir}
+%nginx_moddir @@NGINX_MODDIR@@
+%nginx_modconfdir @@NGINX_MODCONFDIR@@
+
+%nginx_modrequires Requires: nginx(abi) = %{_nginx_abiversion}
+
+%nginx_modconfigure(:-:) \\\
+ %undefine _strict_symbol_defs_build \
+ cp -a "%{_nginx_srcdir}" "%{_nginx_buildsrcdir}" \
+ cd "%{_nginx_buildsrcdir}" \
+ nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" \
+ ./configure --with-compat --with-cc-opt="%{optflags} $(pcre-config --cflags)" --with-ld-opt="$nginx_ldopts" \\\
+ --add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \
+ cd -
+
+%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules
diff --git a/nginx.logrotate b/nginx.logrotate
index 7462580..174c4ee 100644
--- a/nginx.logrotate
+++ b/nginx.logrotate
@@ -5,6 +5,7 @@
 missingok
 notifempty
 compress
+ delaycompress
 sharedscripts
 postrotate
 /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
diff --git a/nginx.spec b/nginx.spec
index 03ce7b9..a92d020 100644
--- a/nginx.spec
+++ b/nginx.spec
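Review bot: The disconnect added in the `ngx_mail_handler.c` section is logged with `NGX_LOG_INFO`, so on a server whose `error_log` is left at nginx's default `error` level the "client sent too many invalid commands" line is never written and operators get no record of repeated invalid commands against the mail proxy. Since this patch is carried as the CVE-2021-3618 mitigation, a comment above the `ngx_log_error` call such as `/* logged at info; needs "error_log ... info" to be recorded */` would tell operators what to enable. The check `s->errors >= cscf->max_errors` also means that `max_errors 0` and `max_errors 1` both close the session on the first invalid command, which deserves a line next to the `ngx_conf_merge_uint_value(..., 5)` default. The enclosing function begins and ends outside the hunk, so where `cscf` is assigned cannot be confirmed from here.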
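Review bot: In `%nginx_modconfigure` the two `$(realpath ...)` substitutions are unquoted while every other path in the macro is quoted, so a module checked out under a directory whose name contains whitespace is split into several `./configure` arguments. Quote them: `--add-dynamic-module="$(realpath %{_nginx_modsrcdir})" --builddir="$(realpath %{_nginx_modbuilddir})"`. A short comment above the macro saying that it expects to run from a build directory one level below the module sources (which is what `%_nginx_modsrcdir ..` implies) would also help packagers who use it.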
@@ -26,10 +26,22 @@ %global with_mailcap_mimetypes 1 %endif +# Cf. https://www.nginx.com/blog/creating-installable-packages-dynamic-modules/ +%global nginx_abiversion %{version} + +%global nginx_moduledir %{_libdir}/nginx/modules +%global nginx_moduleconfdir %{_datadir}/nginx/modules +%global nginx_srcdir %{_usrsrc}/%{name}-%{version}-%{release} + +# Do not generate provides/requires from nginx sources +%global __provides_exclude_from ^%{nginx_srcdir}/.*$ +%global __requires_exclude_from ^%{nginx_srcdir}/.*$ + + Name: nginx Epoch: 1 Version: 1.20.1 -Release: 2%{?dist} +Release: 8%{?dist} Summary: A high performance web server and reverse proxy server # BSD License (two clause) @@ -48,6 +60,8 @@ Source11: nginx.logrotate Source12: nginx.conf Source13: nginx-upgrade Source14: nginx-upgrade.8 +Source15: macros.nginxmods.in +Source16: nginxmods.attr Source102: nginx-logo.png Source103: 404.html Source104: 50x.html @@ -62,6 +76,9 @@ Patch0: 0001-remove-Werror-in-upstream-build-scripts.patch # rejected upstream: https://trac.nginx.org/nginx/ticket/1897 Patch1: 0002-fix-PIDFile-handling.patch +# Fix for CVE-2021-3618: ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication +Patch2: http://hg.nginx.org/nginx/raw-rev/ec1071830799 + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2 @@ -103,6 +120,8 @@ BuildRequires: systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd +# For external nginx modules +Provides: nginx(abi) = %{nginx_abiversion} %description Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and @@ -139,7 +158,7 @@ directories. %package mod-http-geoip Summary: Nginx HTTP geoip module BuildRequires: GeoIP-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: GeoIP %description mod-http-geoip 
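Review bot: `%global nginx_abiversion %{version}` ties `nginx(abi)` to the upstream version only, so a downstream patch that changes a public struct leaves the provided ABI value unchanged; the patch file added in this same diff does exactly that in `src/mail/ngx_mail.h` (new `max_errors` and `errors` fields). A module compiled against headers from before such a patch would still satisfy `Requires: nginx(abi) = %{nginx_abiversion}` even though the layout it was built against differs. Add a comment at the definition, for example `# Bump manually (e.g. %{version}.1) whenever a downstream patch changes public headers`, or derive the value from something that changes together with such patches.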
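Review bot: `Patch2` points at `http://hg.nginx.org/nginx/raw-rev/ec1071830799`, a plain-HTTP URL for a security fix; the copy committed as `ec1071830799` pins the content in this repository, but anyone refreshing the patch from the URL gets no transport integrity. Use the `https://` form of the URL if the host serves it, and keep the full node ID `ec107183079903013faee7e67e8721262fd95552` from the patch header in the comment so a re-download can be compared against it. The comment would also be more useful if it said what the patch does, for example `# CVE-2021-3618 (ALPACA): adds mail max_errors (default 5), closing the session after repeated invalid commands`. Whether `Patch2` is actually applied depends on the `%prep` lines outside this hunk.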
@@ -149,7 +168,7 @@ Requires: GeoIP %package mod-http-image-filter Summary: Nginx HTTP image filter module BuildRequires: gd-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: gd %description mod-http-image-filter @@ -162,7 +181,7 @@ BuildRequires: perl-devel BuildRequires: perl-generators %endif BuildRequires: perl(ExtUtils::Embed) -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl(constant) @@ -172,25 +191,51 @@ Requires: perl(constant) %package mod-http-xslt-filter Summary: Nginx XSLT module BuildRequires: libxslt-devel -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-http-xslt-filter %{summary}. %package mod-mail Summary: Nginx mail modules -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-mail %{summary}. %package mod-stream Summary: Nginx stream modules -Requires: nginx +Requires: nginx(abi) = %{nginx_abiversion} %description mod-stream %{summary}. +%package mod-devel +Summary: Nginx module development files +Requires: nginx = %{epoch}:%{version}-%{release} +Requires: make +Requires: gcc +Requires: gd-devel +%if 0%{?with_gperftools} +Requires: gperftools-devel +%endif +%if %{with geoip} +Requires: GeoIP-devel +%endif +Requires: libxslt-devel +%if 0%{?fedora} || 0%{?rhel} >= 8 +Requires: openssl-devel +%else +Requires: openssl11-devel +%endif +Requires: pcre-devel +Requires: perl-devel +Requires: perl(ExtUtils::Embed) +Requires: zlib-devel + +%description mod-devel +%{summary}. + %prep # Combine all keys from upstream into one file @@ -211,6 +256,10 @@ sed \ -i auto/lib/openssl/conf %endif +# Prepare sources for installation +cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src +mv ../%{name}-%{version}-%{release}-src . + %build # nginx does not utilize a standard configure script. It has its own 
@@ -223,7 +272,7 @@ nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" if ! ./configure \ --prefix=%{_datadir}/nginx \ --sbin-path=%{_sbindir}/nginx \ - --modules-path=%{_libdir}/nginx/modules \ + --modules-path=%{nginx_moduledir} \ --conf-path=%{_sysconfdir}/nginx/nginx.conf \ --error-log-path=%{_localstatedir}/log/nginx/error.log \ --http-log-path=%{_localstatedir}/log/nginx/access.log \ @@ -308,8 +357,8 @@ install -p -d -m 0700 %{buildroot}%{_localstatedir}/lib/nginx/tmp install -p -d -m 0700 %{buildroot}%{_localstatedir}/log/nginx install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/html -install -p -d -m 0755 %{buildroot}%{_datadir}/nginx/modules -install -p -d -m 0755 %{buildroot}%{_libdir}/nginx/modules +install -p -d -m 0755 %{buildroot}%{nginx_moduleconfdir} +install -p -d -m 0755 %{buildroot}%{nginx_moduledir} install -p -m 0644 ./nginx.conf \ %{buildroot}%{_sysconfdir}/nginx @@ -335,6 +384,11 @@ mkdir -p %{buildroot}%{_datadir}/nginx/html/icons ln -s ../../../pixmaps/poweredby.png \ %{buildroot}%{_datadir}/nginx/html/icons/poweredby.png +%if 0%{?rhel} >= 9 +ln -s ../../pixmaps/system-noindex-logo.png \ + %{buildroot}%{_datadir}/nginx/html/system_noindex_logo.png +%endif + install -p -m 0644 %{SOURCE103} %{SOURCE104} \ %{buildroot}%{_datadir}/nginx/html 
@@ -354,19 +408,34 @@ for i in ftdetect ftplugin indent syntax; do done %if %{with geoip} -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_geoip_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-geoip.conf %endif -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-image-filter.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-perl.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-http-xslt-filter.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-mail.conf -echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \ - > %{buildroot}%{_datadir}/nginx/modules/mod-stream.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_image_filter_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-image-filter.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_perl_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-perl.conf +echo 'load_module "%{nginx_moduledir}/ngx_http_xslt_filter_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-http-xslt-filter.conf +echo 'load_module "%{nginx_moduledir}/ngx_mail_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-mail.conf +echo 'load_module "%{nginx_moduledir}/ngx_stream_module.so";' \ + > %{buildroot}%{nginx_moduleconfdir}/mod-stream.conf + +# Install files for supporting nginx module builds +## Install source files +mkdir -p %{buildroot}%{_usrsrc} +mv %{name}-%{version}-%{release}-src %{buildroot}%{nginx_srcdir} +## Install rpm macros +mkdir -p %{buildroot}%{_rpmmacrodir} +sed -e "s|@@NGINX_ABIVERSION@@|%{nginx_abiversion}|g" \ + -e 
"s|@@NGINX_MODDIR@@|%{nginx_moduledir}|g" \ + -e "s|@@NGINX_MODCONFDIR@@|%{nginx_moduleconfdir}|g" \ + -e "s|@@NGINX_SRCDIR@@|%{nginx_srcdir}|g" \ + %{SOURCE15} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods +## Install dependency generator +install -Dpm0644 -t %{buildroot}%{_fileattrsdir} %{SOURCE16} + %pre filesystem getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} @@ -459,7 +528,8 @@ fi %attr(711,root,root) %dir %{_localstatedir}/log/nginx %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/access.log %ghost %attr(640,%{nginx_user},root) %{_localstatedir}/log/nginx/error.log -%dir %{_libdir}/nginx/modules +%dir %{nginx_moduledir} +%dir %{nginx_moduleconfdir} %files all-modules 
@@ -474,35 +544,58 @@ fi %if %{with geoip} %files mod-http-geoip -%{_datadir}/nginx/modules/mod-http-geoip.conf -%{_libdir}/nginx/modules/ngx_http_geoip_module.so +%{nginx_moduleconfdir}/mod-http-geoip.conf +%{nginx_moduledir}/ngx_http_geoip_module.so %endif %files mod-http-image-filter -%{_datadir}/nginx/modules/mod-http-image-filter.conf -%{_libdir}/nginx/modules/ngx_http_image_filter_module.so +%{nginx_moduleconfdir}/mod-http-image-filter.conf +%{nginx_moduledir}/ngx_http_image_filter_module.so %files mod-http-perl -%{_datadir}/nginx/modules/mod-http-perl.conf -%{_libdir}/nginx/modules/ngx_http_perl_module.so +%{nginx_moduleconfdir}/mod-http-perl.conf +%{nginx_moduledir}/ngx_http_perl_module.so %dir %{perl_vendorarch}/auto/nginx %{perl_vendorarch}/nginx.pm %{perl_vendorarch}/auto/nginx/nginx.so %files mod-http-xslt-filter -%{_datadir}/nginx/modules/mod-http-xslt-filter.conf -%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so +%{nginx_moduleconfdir}/mod-http-xslt-filter.conf +%{nginx_moduledir}/ngx_http_xslt_filter_module.so %files mod-mail -%{_datadir}/nginx/modules/mod-mail.conf -%{_libdir}/nginx/modules/ngx_mail_module.so +%{nginx_moduleconfdir}/mod-mail.conf +%{nginx_moduledir}/ngx_mail_module.so %files mod-stream -%{_datadir}/nginx/modules/mod-stream.conf -%{_libdir}/nginx/modules/ngx_stream_module.so +%{nginx_moduleconfdir}/mod-stream.conf +%{nginx_moduledir}/ngx_stream_module.so + +%files mod-devel +%{_rpmmacrodir}/macros.nginxmods +%{_fileattrsdir}/nginxmods.attr +%{nginx_srcdir}/ %changelog +* Mon Oct 18 2021 Felix Kaechele - 1:1.20.1-8 +- Fix "file size changed while zipping" when rotating logs (rhbz#1980948,2015249,2015243) + +* Tue Sep 14 2021 Sahana Prasad - 1:1.20.1-7 +- Rebuilt with OpenSSL 3.0.0 + +* Tue Aug 10 2021 Neal Gompa - 1:1.20.1-6 +- Add -mod-devel subpackage for building external nginx modules (rhbz#1989778) + +* Mon Aug 09 2021 Luboš Uhliarik - 1:1.20.1-5 +- Add symlink used by system-logos-httpd + +* Thu Jul 22 2021 Fedora Release 
Engineering - 1:1.20.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Fri Jun 25 2021 Felix Kaechele - 1:1.20.1-3 +- fix for CVE-2021-3618 (rhbz#1975651) + * Tue Jun 01 2021 Felix Kaechele - 1:1.20.1-2 - use different fix for rhbz#1683388 as it introduced permissions issues in 1:1.20.0-2 diff --git a/nginxmods.attr b/nginxmods.attr new file mode 100644 index 0000000..102da1a --- /dev/null +++ b/nginxmods.attr @@ -0,0 +1,14 @@ +%__nginxmods_requires() %{lua: + -- Match buildroot paths of the form + -- /PATH/OF/BUILDROOT/usr/lib/nginx/modules/ and + -- /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/ + -- generating a line of the form: + -- nginx(abi) = VERSION + local path = rpm.expand("%1") + if path:match("/usr/lib%d*/nginx/modules/.*") then + local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}") + print(requires) + end +} + +%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$ diff --git a/plans/all.fmf b/plans/all.fmf new file mode 100644 index 0000000..fe471f0 --- /dev/null +++ b/plans/all.fmf @@ -0,0 +1,7 @@ +summary: Test plan with all Fedora tests +discover: + how: fmf + url: https://src.fedoraproject.org/tests/nginx.git +execute: + how: tmt +
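Review bot: The Lua check inside `%__nginxmods_requires` is looser than the file filter defined next to it: `path:match("/usr/lib%d*/nginx/modules/.*")` is unanchored, accepts any digits after `lib` and hard-codes `/usr`, while `%__nginxmods_path` is anchored, allows only `lib` or `lib64`, uses `%{_prefix}` and requires a `.so` suffix. Since rpm should only invoke the generator for files that match `%__nginxmods_path`, the inner test adds a second pattern to keep in sync without narrowing anything; either drop the `if` or make it mirror the path regex. If it stays, extend the comment to say that `%{_nginx_abiversion}` comes from `macros.nginxmods` and would presumably be printed unexpanded if that macro file were not installed.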