diff options
| author | CoprDistGit <infra@openeuler.org> | 2026-05-19 07:31:02 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2026-05-19 07:31:02 +0000 |
| commit | 9a57a5bc9947dd73cbe060a0584599f694ef9c4d (patch) | |
| tree | ca517e733b8893655752783e36bd05e7b9dafcaa | |
| parent | 84c38e44b89abd508b2c386dc7e6c13f30ec8cc8 (diff) | |
automatic import of nginxopeneuler24.03_LTS_SP2openeuler22.03_LTS_SP2
27 files changed, 1841 insertions, 0 deletions
@@ -0,0 +1,2 @@ +/nginx-1.26.3.tar.gz +/nginx-logo.png diff --git a/404.html b/404.html new file mode 100644 index 0000000..4c28a42 --- /dev/null +++ b/404.html @@ -0,0 +1,114 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>The page is not found</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + /*<![CDATA[*/ + body { + background-color: #fff; + color: #000; + font-size: 0.9em; + font-family: sans-serif,helvetica; + margin: 0; + padding: 0; + } + :link { + color: #c00; + } + :visited { + color: #c00; + } + a:hover { + color: #f50; + } + h1 { + text-align: center; + margin: 0; + padding: 0.6em 2em 0.4em; + background-color: #294172; + color: #fff; + font-weight: normal; + font-size: 1.75em; + border-bottom: 2px solid #000; + } + h1 strong { + font-weight: bold; + font-size: 1.5em; + } + h2 { + text-align: center; + background-color: #3C6EB4; + font-size: 1.1em; + font-weight: bold; + color: #fff; + margin: 0; + padding: 0.5em; + border-bottom: 2px solid #294172; + } + h3 { + text-align: center; + background-color: #ff0000; + padding: 0.5em; + color: #fff; + } + hr { + display: none; + } + .content { + padding: 1em 5em; + } + .alert { + border: 2px solid #000; + } + + img { + border: 2px solid #fff; + padding: 2px; + margin: 2px; + } + a:hover img { + border: 2px solid #294172; + } + .logos { + margin: 1em; + text-align: center; + } + /*]]>*/ + </style> + </head> + + <body> + <h1><strong>nginx error!</strong></h1> + + <div class="content"> + + <h3>The page you are looking for is not found.</h3> + + <div class="alert"> + <h2>Website Administrator</h2> + <div class="content"> + <p>Something has triggered missing webpage on your + website. This is the default 404 error page for + <strong>nginx</strong> that is distributed with + openEuler. It is located + <tt>/usr/share/nginx/html/404.html</tt></p> + + <p>You should customize this error page for your own + site or edit the <tt>error_page</tt> directive in + the <strong>nginx</strong> configuration file + <tt>/etc/nginx/nginx.conf</tt>.</p> + + </div> + </div> + + <div class="logos"> + <a href="http://nginx.net/"><img + src="/nginx-logo.png" + alt="[ Powered by nginx ]" + width="121" height="32" /></a> + </div> + </div> + </body> +</html> diff --git a/50x.html b/50x.html new file mode 100644 index 0000000..ff40fd9 --- /dev/null +++ b/50x.html @@ -0,0 +1,114 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>The page is temporarily unavailable</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + /*<![CDATA[*/ + body { + background-color: #fff; + color: #000; + font-size: 0.9em; + font-family: sans-serif,helvetica; + margin: 0; + padding: 0; + } + :link { + color: #c00; + } + :visited { + color: #c00; + } + a:hover { + color: #f50; + } + h1 { + text-align: center; + margin: 0; + padding: 0.6em 2em 0.4em; + background-color: #294172; + color: #fff; + font-weight: normal; + font-size: 1.75em; + border-bottom: 2px solid #000; + } + h1 strong { + font-weight: bold; + font-size: 1.5em; + } + h2 { + text-align: center; + background-color: #3C6EB4; + font-size: 1.1em; + font-weight: bold; + color: #fff; + margin: 0; + padding: 0.5em; + border-bottom: 2px solid #294172; + } + h3 { + text-align: center; + background-color: #ff0000; + padding: 0.5em; + color: #fff; + } + hr { + display: none; + } + .content { + padding: 1em 5em; + } + .alert { + border: 2px solid #000; + } + + img { + border: 2px solid #fff; + padding: 2px; + margin: 2px; + } + a:hover img { + border: 2px solid #294172; + } + .logos { + margin: 1em; + text-align: center; + } + /*]]>*/ + </style> + </head> + + <body> + <h1><strong>nginx error!</strong></h1> + + <div class="content"> + + <h3>The page you are looking for is temporarily unavailable. Please try again later.</h3> + + <div class="alert"> + <h2>Website Administrator</h2> + <div class="content"> + <p>Something has triggered an error on your + website. This is the default error page for + <strong>nginx</strong> that is distributed with + openEuler. It is located + <tt>/usr/share/nginx/html/50x.html</tt></p> + + <p>You should customize this error page for your own + site or edit the <tt>error_page</tt> directive in + the <strong>nginx</strong> configuration file + <tt>/etc/nginx/nginx.conf</tt>.</p> + + </div> + </div> + + <div class="logos"> + <a href="http://nginx.net/"><img + src="/nginx-logo.png" + alt="[ Powered by nginx ]" + width="121" height="32" /></a> + </div> + </div> + </body> +</html> diff --git a/README.dynamic b/README.dynamic new file mode 100644 index 0000000..5758858 --- /dev/null +++ b/README.dynamic @@ -0,0 +1,20 @@ +############### +Dynamic modules +############### + +Dynamic modules are loaded using the "load_modules" directive. The RPM package +for each module has a '.conf' file in the /usr/share/nginx/modules directory. +The '.conf' file contains a single "load_modules" directive. + +This means that whenever a new dynamic module is installed, it will +automatically be enabled and Nginx will be reloaded. + +-------------------------------------------------------- +Prevent dynamic modules from being enabled automatically +-------------------------------------------------------- + +You may want to avoid dynamic modules being enabled automatically. Simply +remove this line from the top of /etc/nginx/nginx.conf: + + include /usr/share/nginx/modules/*.conf; + diff --git a/UPGRADE-NOTES-1.6-to-1.10 b/UPGRADE-NOTES-1.6-to-1.10 new file mode 100644 index 0000000..65760bf --- /dev/null +++ b/UPGRADE-NOTES-1.6-to-1.10 @@ -0,0 +1,88 @@ +############# +Upgrade notes +############# + +To resolve numerous security flaws, the nginx package was updated to 1.10.x. + +You should review your configuration files in /etc/nginx to determine if there +are any incompatibilities. Below is a summary of the main incompatible changes. +Some nginx directives have been changed or removed, so you may need to modify +your configuration. + +Please see upstream release notes for a complete list of new features, +bug fixes, and changes: http://nginx.org/en/CHANGES-1.10 +One notable feature is support for HTTP/2. + +Nginx gained support for dynamic modules. As part of this update, dynamic +modules have been split into subpackages. For the time being these are hard +dependencies to aid the upgrade path. When you install nginx, all of these +modules are installed and enabled by default: + - nginx-mod-http-geoip + - nginx-mod-http-image-filter + - nginx-mod-http-perl + - nginx-mod-http-xslt-filter + - nginx-mod-mail + - nginx-mod-stream + +Changes with nginx 1.10.x + + *) Change: non-idempotent requests (POST, LOCK, PATCH) are no longer + passed to the next server by default if a request has been sent to a + backend; the "non_idempotent" parameter of the "proxy_next_upstream" + directive explicitly allows retrying such requests. + + *) Change: now the "output_buffers" directive uses two buffers by + default. + + *) Change: now nginx limits subrequests recursion, not simultaneous + subrequests. + + *) Change: now nginx checks the whole cache key when returning a + response from cache. + Thanks to Gena Makhomed and Sergey Brester. + + *) Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer" + directives of the stream module are replaced with the + "proxy_buffer_size" directive. + + *) Change: duplicate "http", "mail", and "stream" blocks are now + disallowed. + + *) Change: now SSLv3 protocol is disabled by default. + + *) Change: some long deprecated directives are not supported anymore. + + *) Change: obsolete aio and rtsig event methods have been removed. + +Changes with nginx 1.8.x + + *) Change: the "sendfile" parameter of the "aio" directive is + deprecated; now nginx automatically uses AIO to pre-load data for + sendfile if both "aio" and "sendfile" directives are used. + + *) Change: now the "If-Modified-Since", "If-Range", etc. client request + header lines are passed to a backend while caching if nginx knows in + advance that the response will not be cached (e.g., when using + proxy_cache_min_uses). + + *) Change: now after proxy_cache_lock_timeout nginx sends a request to a + backend with caching disabled; the new directives + "proxy_cache_lock_age", "fastcgi_cache_lock_age", + "scgi_cache_lock_age", and "uwsgi_cache_lock_age" specify a time + after which the lock will be released and another attempt to cache a + response will be made. + + *) Change: the "log_format" directive can now be used only at http + level. + + *) Change: now nginx takes into account the "Vary" header line in a + backend response while caching. + + *) Change: the deprecated "limit_zone" directive is not supported + anymore. + + *) Change: now the "stub_status" directive does not require a parameter. + + *) Change: URI escaping now uses uppercase hexadecimal digits. + Thanks to Piotr Sikora. + diff --git a/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch b/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch new file mode 100644 index 0000000..e9beca9 --- /dev/null +++ b/backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch @@ -0,0 +1,34 @@ +From 239e10793adb1e32847095ba6c1d14249bf19a5c Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov <pluknet@nginx.com> +Date: Mon, 21 Jul 2025 17:44:28 +0400 +Subject: [PATCH] Mail: logging upstream to the error log with "smtp_auth + none;". + +Previously, it was never logged because of missing login. +--- + src/mail/ngx_mail_handler.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index d3be7f3b3b..a88e6c2873 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -1006,14 +1006,12 @@ ngx_mail_log_error(ngx_log_t *log, u_char *buf, size_t len) + len -= p - buf; + buf = p; + +- if (s->login.len == 0) { +- return p; ++ if (s->login.len) { ++ p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login); ++ len -= p - buf; ++ buf = p; + } + +- p = ngx_snprintf(buf, len, ", login: \"%V\"", &s->login); +- len -= p - buf; +- buf = p; +- + if (s->proxy == NULL) { + return p; + } diff --git a/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch b/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch new file mode 100644 index 0000000..feecb7b --- /dev/null +++ b/backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch @@ -0,0 +1,46 @@ +From 9c02c84a7443f3d736a1a5eb3f596de9af8a0c9c Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov <pluknet@nginx.com> +Date: Mon, 7 Jul 2025 23:48:44 +0400 +Subject: [PATCH] Mail: reset stale auth credentials with "smtp_auth none;". + +They might be reused in a session if an SMTP client proceeded +unauthenticated after previous invalid authentication attempts. +This could confuse an authentication server when passing stale +credentials along with "Auth-Method: none". + +The condition to send the "Auth-Salt" header is similarly refined. +--- + src/mail/ngx_mail_auth_http_module.c | 5 ++++- + src/mail/ngx_mail_smtp_handler.c | 3 +++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c +index 27f64b92e0d..4ca6d6e24dc 100644 +--- a/src/mail/ngx_mail_auth_http_module.c ++++ b/src/mail/ngx_mail_auth_http_module.c +@@ -1321,7 +1321,10 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, + b->last = ngx_copy(b->last, passwd.data, passwd.len); + *b->last++ = CR; *b->last++ = LF; + +- if (s->auth_method != NGX_MAIL_AUTH_PLAIN && s->salt.len) { ++ if ((s->auth_method == NGX_MAIL_AUTH_APOP ++ || s->auth_method == NGX_MAIL_AUTH_CRAM_MD5) ++ && s->salt.len) ++ { + b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1); + b->last = ngx_copy(b->last, s->salt.data, s->salt.len); + +diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c +index e68ceedfdb5..1e26c2c8d7b 100644 +--- a/src/mail/ngx_mail_smtp_handler.c ++++ b/src/mail/ngx_mail_smtp_handler.c +@@ -782,6 +782,9 @@ ngx_mail_smtp_mail(ngx_mail_session_t *s, ngx_connection_t *c) + + ngx_str_set(&s->out, smtp_ok); + ++ ngx_str_null(&s->login); ++ ngx_str_null(&s->passwd); ++ + return NGX_OK; + } + diff --git a/backport-CVE-2025-53859.patch b/backport-CVE-2025-53859.patch new file mode 100644 index 0000000..95f1ae5 --- /dev/null +++ b/backport-CVE-2025-53859.patch @@ -0,0 +1,139 @@ +From 765642b86e0df1b5ef37f42522be7d08d95909c9 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov <pluknet@nginx.com> +Date: Tue, 12 Aug 2025 15:55:02 +0400 +Subject: [PATCH] Mail: improved error handling in plain/login/cram-md5 auth + methods. + +Previously, login and password storage could be left in inconsistent +state in a session after decoding errors. +--- + src/mail/ngx_mail_handler.c | 38 +++++++++++++++++++++---------------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c +index 1167df3fb37..d3be7f3b3b7 100644 +--- a/src/mail/ngx_mail_handler.c ++++ b/src/mail/ngx_mail_handler.c +@@ -523,7 +523,7 @@ ngx_mail_starttls_only(ngx_mail_session_t *s, ngx_connection_t *c) + ngx_int_t + ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + { +- u_char *p, *last; ++ u_char *p, *pos, *last; + ngx_str_t *arg, plain; + + arg = s->args.elts; +@@ -555,7 +555,7 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.data = p; ++ pos = p; + + while (p < last && *p) { p++; } + +@@ -565,7 +565,8 @@ ngx_mail_auth_plain(ngx_mail_session_t *s, ngx_connection_t *c, ngx_uint_t n) + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- s->login.len = p++ - s->login.data; ++ s->login.len = p++ - pos; ++ s->login.data = pos; + + s->passwd.len = last - p; + s->passwd.data = p; +@@ -583,24 +584,26 @@ ngx_int_t + ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_uint_t n) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &arg[n]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[n].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[n]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[n]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login username: \"%V\"", &s->login); + +@@ -611,7 +614,7 @@ ngx_mail_auth_login_username(ngx_mail_session_t *s, ngx_connection_t *c, + ngx_int_t + ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + { +- ngx_str_t *arg; ++ ngx_str_t *arg, passwd; + + arg = s->args.elts; + +@@ -620,18 +623,19 @@ ngx_mail_auth_login_password(ngx_mail_session_t *s, ngx_connection_t *c) + "mail auth login password: \"%V\"", &arg[0]); + #endif + +- s->passwd.data = ngx_pnalloc(c->pool, +- ngx_base64_decoded_length(arg[0].len)); +- if (s->passwd.data == NULL) { ++ passwd.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (passwd.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->passwd, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&passwd, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH LOGIN command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->passwd = passwd; ++ + #if (NGX_DEBUG_MAIL_PASSWD) + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth login password: \"%V\"", &s->passwd); +@@ -674,24 +678,26 @@ ngx_int_t + ngx_mail_auth_cram_md5(ngx_mail_session_t *s, ngx_connection_t *c) + { + u_char *p, *last; +- ngx_str_t *arg; ++ ngx_str_t *arg, login; + + arg = s->args.elts; + + ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, + "mail auth cram-md5: \"%V\"", &arg[0]); + +- s->login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); +- if (s->login.data == NULL) { ++ login.data = ngx_pnalloc(c->pool, ngx_base64_decoded_length(arg[0].len)); ++ if (login.data == NULL) { + return NGX_ERROR; + } + +- if (ngx_decode_base64(&s->login, &arg[0]) != NGX_OK) { ++ if (ngx_decode_base64(&login, &arg[0]) != NGX_OK) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid base64 encoding in AUTH CRAM-MD5 command"); + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + ++ s->login = login; ++ + p = s->login.data; + last = p + s->login.len; + diff --git a/backport-CVE-2026-1642.patch b/backport-CVE-2026-1642.patch new file mode 100644 index 0000000..5cd329c --- /dev/null +++ b/backport-CVE-2026-1642.patch @@ -0,0 +1,42 @@ +From 784fa05025cb8cd0c770f99bc79d2794b9f85b6e Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <arut@nginx.com> +Date: Thu, 29 Jan 2026 13:27:32 +0400 +Subject: [PATCH] Upstream: detect premature plain text response from SSL + backend. + +When connecting to a backend, the connection write event is triggered +first in most cases. However if a response arrives quickly enough, both +read and write events can be triggered together within the same event loop +iteration. In this case the read event handler is called first and the +write event handler is called after it. + +SSL initialization for backend connections happens only in the write event +handler since SSL handshake starts with sending Client Hello. Previously, +if a backend sent a quick plain text response, it could be parsed by the +read event handler prior to starting SSL handshake on the connection. +The change adds protection against parsing such responses on SSL-enabled +connections. +--- + src/http/ngx_http_upstream.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index df577ad6721..cadc74479d4 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2508,6 +2508,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++#if (NGX_HTTP_SSL) ++ if (u->ssl && c->ssl == NULL) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "upstream prematurely sent response"); ++ ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); ++ return; ++ } ++#endif ++ + u->state->bytes_received += n; + + u->buffer.last += n; diff --git a/backport-CVE-2026-27651.patch b/backport-CVE-2026-27651.patch new file mode 100644 index 0000000..65585ed --- /dev/null +++ b/backport-CVE-2026-27651.patch @@ -0,0 +1,28 @@ +From 9bc13718fe8a59a4538805516be7e141070c22d6 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov <pluknet@nginx.com> +Date: Wed, 18 Mar 2026 16:39:37 +0400 +Subject: [PATCH] Mail: fixed clearing s->passwd in auth http requests. + +Previously, it was not properly cleared retaining length as part of +authenticating with CRAM-MD5 and APOP methods that expect to receive +password in auth response. This resulted in null pointer dereference +and worker process crash in subsequent auth attempts with CRAM-MD5. + +Reported by Arkadi Vainbrand. +--- + src/mail/ngx_mail_auth_http_module.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c +index 4ca6d6e24d..3e5095a2d2 100644 +--- a/src/mail/ngx_mail_auth_http_module.c ++++ b/src/mail/ngx_mail_auth_http_module.c +@@ -1328,7 +1328,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, + b->last = ngx_cpymem(b->last, "Auth-Salt: ", sizeof("Auth-Salt: ") - 1); + b->last = ngx_copy(b->last, s->salt.data, s->salt.len); + +- s->passwd.data = NULL; ++ ngx_str_null(&s->passwd); + } + + b->last = ngx_cpymem(b->last, "Auth-Protocol: ", diff --git a/backport-CVE-2026-27654.patch b/backport-CVE-2026-27654.patch new file mode 100644 index 0000000..d86d967 --- /dev/null +++ b/backport-CVE-2026-27654.patch @@ -0,0 +1,75 @@ +From 9739e755b8dddba82e65ca2a08d079f4c9826b75 Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <arut@nginx.com> +Date: Mon, 16 Mar 2026 20:13:03 +0400 +Subject: [PATCH] Dav: destination length validation for COPY and MOVE. + +Previously, when alias was used in a location with Dav COPY or MOVE +enabled, and the destination URI was shorter than the alias, integer +underflow could happen in ngx_http_map_uri_to_path(), which could +result in heap buffer overwrite, followed by a possible segfault. +With some implementations of memcpy(), the segfault could be avoided +and the overwrite could result in a change of the source or destination +file names to be outside of the location root. + +Reported by Calif.io in collaboration with Claude and Anthropic Research. +--- + src/http/modules/ngx_http_dav_module.c | 39 +++++++++++++++++--------- + 1 file changed, 26 insertions(+), 13 deletions(-) + +diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c +index cfb98929e9..4619b139a2 100644 +--- a/src/http/modules/ngx_http_dav_module.c ++++ b/src/http/modules/ngx_http_dav_module.c +@@ -535,19 +535,20 @@ ngx_http_dav_mkcol_handler(ngx_http_request_t *r, ngx_http_dav_loc_conf_t *dlcf) + static ngx_int_t + ngx_http_dav_copy_move_handler(ngx_http_request_t *r) + { +- u_char *p, *host, *last, ch; +- size_t len, root; +- ngx_err_t err; +- ngx_int_t rc, depth; +- ngx_uint_t overwrite, slash, dir, flags; +- ngx_str_t path, uri, duri, args; +- ngx_tree_ctx_t tree; +- ngx_copy_file_t cf; +- ngx_file_info_t fi; +- ngx_table_elt_t *dest, *over; +- ngx_ext_rename_file_t ext; +- ngx_http_dav_copy_ctx_t copy; +- ngx_http_dav_loc_conf_t *dlcf; ++ u_char *p, *host, *last, ch; ++ size_t len, root; ++ ngx_err_t err; ++ ngx_int_t rc, depth; ++ ngx_uint_t overwrite, slash, dir, flags; ++ ngx_str_t path, uri, duri, args; ++ ngx_tree_ctx_t tree; ++ ngx_copy_file_t cf; ++ ngx_file_info_t fi; ++ ngx_table_elt_t *dest, *over; ++ ngx_ext_rename_file_t ext; ++ ngx_http_dav_copy_ctx_t copy; ++ ngx_http_dav_loc_conf_t *dlcf; ++ ngx_http_core_loc_conf_t *clcf; + + if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, +@@ -644,6 +645,18 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r) + return NGX_HTTP_CONFLICT; + } + ++ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ++ ++ if (clcf->alias ++ && clcf->alias != NGX_MAX_SIZE_T_VALUE ++ && duri.len < clcf->alias) ++ { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "client sent invalid \"Destination\" header: \"%V\"", ++ &dest->value); ++ return NGX_HTTP_BAD_REQUEST; ++ } ++ + depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH); + + if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) { diff --git a/backport-CVE-2026-27784.patch b/backport-CVE-2026-27784.patch new file mode 100644 index 0000000..7a18951 --- /dev/null +++ b/backport-CVE-2026-27784.patch @@ -0,0 +1,81 @@ +From 3568812cf98dfd7661cd7516ecf9b398c134ab3c Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <arut@nginx.com> +Date: Mon, 2 Mar 2026 21:12:34 +0400 +Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms. + +Previously, a 32-bit overflow could happen while validating atom entries +count. This allowed processing of an invalid atom with entrires beyond +its boundaries with reads and writes outside of the allocated mp4 buffer. + +Reported by Prabhav Srinath (sprabhav7). +--- + src/http/modules/ngx_http_mp4_module.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 173d8ad541..678d6296c9 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -2297,7 +2297,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "mp4 time-to-sample entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t) +- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stts atom too small", mp4->file.name.data); +@@ -2612,7 +2612,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stss atom too small", mp4->file.name.data); +@@ -2817,7 +2817,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + atom->last = atom_table; + + if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t) +- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 ctts atom too small", mp4->file.name.data); +@@ -2999,7 +2999,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + "sample-to-chunk entries:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t) +- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsc atom too small", mp4->file.name.data); +@@ -3393,7 +3393,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + + if (size == 0) { + if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stsz atom too small", +@@ -3552,7 +3552,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t) +- + entries * sizeof(uint32_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 stco atom too small", mp4->file.name.data); +@@ -3768,7 +3768,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size) + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries); + + if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t) +- + entries * sizeof(uint64_t) > atom_data_size) ++ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size) + { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "\"%s\" mp4 co64 atom too small", mp4->file.name.data); diff --git a/backport-CVE-2026-28753.patch b/backport-CVE-2026-28753.patch new file mode 100644 index 0000000..0ba89c6 --- /dev/null +++ b/backport-CVE-2026-28753.patch @@ -0,0 +1,87 @@ +From 6f3145006b41a4ec464eed4093553a335d35e8ac Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <arut@nginx.com> +Date: Thu, 26 Feb 2026 11:52:53 +0400 +Subject: [PATCH] Mail: host validation. + +Now host name resolved from client address is validated to only contain +the characters specified in RFC 1034, Section 3.5. The validation allows +to avoid injections when using the resolved host name in auth_http and +smtp proxy. + +Reported by Asim Viladi Oglu Manizada, Colin Warren, +Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and +Bird Liu (Lanzhou University). +--- + src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c +index 1e26c2c8d7..97bbd70631 100644 +--- a/src/mail/ngx_mail_smtp_handler.c ++++ b/src/mail/ngx_mail_smtp_handler.c +@@ -13,6 +13,7 @@ + + + static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx); ++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name); + static void ngx_mail_smtp_resolve_name(ngx_event_t *rev); + static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx); + static void ngx_mail_smtp_block_reading(ngx_event_t *rev); +@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx) + return; + } + ++ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) { ++ ngx_log_error(NGX_LOG_ERR, c->log, 0, ++ "%V resolved to invalid host name \"%V\"", ++ &c->addr_text, &ctx->name); ++ ++ s->host = smtp_tempunavail; ++ ++ ngx_resolve_addr_done(ctx); ++ ++ ngx_mail_smtp_greeting(s, s->connection); ++ ++ return; ++ } ++ + c->log->action = "in resolving client hostname"; + + s->host.data = ngx_pstrdup(c->pool, &ctx->name); +@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx) + } + + ++static ngx_int_t ++ngx_mail_smtp_validate_host(ngx_str_t *name) ++{ ++ u_char ch; ++ ngx_uint_t i; ++ ++ if (name->len == 0) { ++ return NGX_DECLINED; ++ } ++ ++ for (i = 0; i < name->len; i++) { ++ ch = name->data[i]; ++ ++ /* allow only characters from RFC 1034, Section 3.5 */ ++ ++ if ((ch >= 'a' && ch <= 'z') ++ || (ch >= 'A' && ch <= 'Z') ++ || (ch >= '0' && ch <= '9') ++ || ch == '-' || ch == '.') ++ { ++ continue; ++ } ++ ++ return NGX_DECLINED; ++ } ++ ++ return NGX_OK; ++} ++ ++ + static void + ngx_mail_smtp_resolve_name(ngx_event_t *rev) + { diff --git a/backport-CVE-2026-32647.patch b/backport-CVE-2026-32647.patch new file mode 100644 index 0000000..0a1d23a --- /dev/null +++ b/backport-CVE-2026-32647.patch @@ -0,0 +1,71 @@ +From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan <arut@nginx.com> +Date: Sat, 21 Feb 2026 12:04:36 +0400 +Subject: [PATCH] Mp4: avoid zero size buffers in output. + +Previously, data validation checks did not cover the cases when the output +contained empty buffers. Such buffers are considered illegal and produce +"zero size buf in output" alerts. The change rejects the mp4 files which +produce such alerts. + +Also, the change fixes possible buffer overread and overwrite that could +happen while processing empty stco and co64 atoms, as reported by +Pavel Kohout (Aisle Research) and Tim Becker. +--- + src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 445fab1cdf..173d8ad541 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + } + } + +- if (end_offset < start_offset) { +- end_offset = start_offset; ++ if (end_offset <= start_offset) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "no data between start time and end time in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; + } + + mp4->moov_size += 8; +@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + + *prev = &mp4->mdat_atom; + +- if (start_offset > mp4->mdat_data.buf->file_last) { ++ if (start_offset >= mp4->mdat_data.buf->file_last) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 mdat atom in \"%s\"", + mp4->file.name.data); +@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4, + if (data) { + entries = trak->sample_sizes_entries; + +- if (trak->start_sample > entries) { ++ if (trak->start_sample >= entries) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stsz samples in \"%s\"", + mp4->file.name.data); +@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stco chunks in \"%s\"", + mp4->file.name.data); +@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 co64 chunks in \"%s\"", + mp4->file.name.data); diff --git a/backport-CVE-2026-42945.patch b/backport-CVE-2026-42945.patch new file mode 100644 index 0000000..705d9ed --- /dev/null +++ b/backport-CVE-2026-42945.patch @@ -0,0 +1,25 @@ +From: nginx security <security@nginx.org> +Date: Wed May 14 2026 +Subject: [PATCH] fix: CVE-2026-42945 - Buffer overflow in ngx_http_rewrite_module +Upstream-commit: https://nginx.org/download/nginx-1.30.1.tar.gz +Signed-off-by: infra_team <zhaiwenjie1@huawei.com> + +--- + src/http/ngx_http_script.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c +--- a/src/http/ngx_http_script.c ++++ b/src/http/ngx_http_script.c +@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) + + r = e->request; + ++ e->is_args = 0; + e->quote = 0; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http script regex end"); + + if (code->redirect) { +-- diff --git a/index.html b/index.html new file mode 100644 index 0000000..bacdfb5 --- /dev/null +++ b/index.html @@ -0,0 +1,111 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> + +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <title>Test Page for the Nginx HTTP Server on openEuler</title> + <style type="text/css"> + /*<![CDATA[*/ + body { + background-color: #fff; + color: #000; + font-size: 0.9em; + font-family: sans-serif,helvetica; + margin: 0; + padding: 0; + } + :link { + color: #c00; + } + :visited { + color: #c00; + } + a:hover { + color: #f50; + } + h1 { + text-align: center; + margin: 0; + padding: 0.6em 2em 0.4em; + background-color: #294172; + color: #fff; + font-weight: normal; + font-size: 1.75em; + border-bottom: 2px solid #000; + } + h1 strong { + font-weight: bold; + font-size: 1.5em; + } + h2 { + text-align: center; + background-color: #3C6EB4; + font-size: 1.1em; + font-weight: bold; + color: #fff; + margin: 0; + padding: 0.5em; + border-bottom: 2px solid #294172; + } + hr { + display: none; + } + .content { + padding: 1em 5em; + } + .alert { + border: 2px solid #000; + } + + img { + border: 2px solid #fff; + padding: 2px; + margin: 2px; + } + a:hover img { + border: 2px solid #294172; + } + .logos { + margin: 1em; + text-align: center; + } + /*]]>*/ + </style> + </head> + + <body> + <h1>Welcome to <strong>nginx</strong> on openEuler!</h1> + + <div class="content"> + <p>This page is used to test the proper operation of the + <strong>nginx</strong> HTTP server after it has been + installed. If you can read this page, it means that the + web server installed at this site is working + properly.</p> + + <div class="alert"> + <h2>Website Administrator</h2> + <div class="content"> + <p>This is the default <tt>index.html</tt> page that + is distributed with <strong>nginx</strong> on + openEuler. It is located in + <tt>/usr/share/nginx/html</tt>.</p> + + <p>You should now put your content in a location of + your choice and edit the <tt>root</tt> configuration + directive in the <strong>nginx</strong> + configuration file + <tt>/etc/nginx/nginx.conf</tt>.</p> + + </div> + </div> + + <div class="logos"> + <a href="http://nginx.net/"><img + src="nginx-logo.png" + alt="[ Powered by nginx ]" + width="121" height="32" /></a> + </div> + </div> + </body> +</html> diff --git a/macros.nginxmods.in b/macros.nginxmods.in new file mode 100644 index 0000000..9b612b2 --- /dev/null +++ b/macros.nginxmods.in @@ -0,0 +1,20 @@ +%_nginx_abiversion @@NGINX_ABIVERSION@@ +%_nginx_srcdir @@NGINX_SRCDIR@@ +%_nginx_buildsrcdir nginx-src +%_nginx_modsrcdir .. +%_nginx_modbuilddir ../%{_vpath_builddir} +%nginx_moddir @@NGINX_MODDIR@@ +%nginx_modconfdir @@NGINX_MODCONFDIR@@ + +%nginx_modrequires Requires: nginx(abi) = %{_nginx_abiversion} + +%nginx_modconfigure(:-:) \\\ + %undefine _strict_symbol_defs_build \ + cp -a "%{_nginx_srcdir}" "%{_nginx_buildsrcdir}" \ + cd "%{_nginx_buildsrcdir}" \ + nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" \ + ./configure --with-compat --with-cc-opt="%{optflags} $(pcre-config --cflags)" --with-ld-opt="$nginx_ldopts" \\\ + --add-dynamic-module=$(realpath %{_nginx_modsrcdir}) --builddir=$(realpath %{_nginx_modbuilddir}) %{**} \ + cd - + +%nginx_modbuild %{__make} -C "%{_nginx_buildsrcdir}" %{_make_output_sync} %{?_smp_mflags} %{_make_verbose} modules diff --git a/nginx-1.12.1-logs-perm.patch b/nginx-1.12.1-logs-perm.patch new file mode 100644 index 0000000..4884a84 --- /dev/null +++ b/nginx-1.12.1-logs-perm.patch @@ -0,0 +1,13 @@ +diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c +index aee7a58..bcceecb 100644 +--- a/src/core/ngx_cycle.c ++++ b/src/core/ngx_cycle.c +@@ -1108,7 +1108,7 @@ ngx_reopen_files(ngx_cycle_t *cycle, ngx_uid_t user) + } + + fd = ngx_open_file(file[i].name.data, NGX_FILE_APPEND, +- NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS); ++ NGX_FILE_CREATE_OR_OPEN, NGX_FILE_DEFAULT_ACCESS | 0220); + + ngx_log_debug3(NGX_LOG_DEBUG_EVENT, cycle->log, 0, + "reopen file \"%s\", old:%d new:%d", diff --git a/nginx-auto-cc-gcc.patch b/nginx-auto-cc-gcc.patch new file mode 100644 index 0000000..0829d84 --- /dev/null +++ b/nginx-auto-cc-gcc.patch @@ -0,0 +1,10 @@ +--- a/auto/cc/gcc.orig 2007-03-22 08:34:53.000000000 -0600 ++++ b/auto/cc/gcc 2007-03-22 08:58:47.000000000 -0600 +@@ -172,7 +172,6 @@ + + + # stop on warning +-CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" diff --git a/nginx-fix-pidfile.patch b/nginx-fix-pidfile.patch new file mode 100644 index 0000000..47a16ff --- /dev/null +++ b/nginx-fix-pidfile.patch @@ -0,0 +1,89 @@ +Description: Fix NGINX pidfile handling +Author: Tj <ubuntu@iam.tj> +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876365 +Last-Update: 2020-06-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/src/core/nginx.c b/src/core/nginx.c +index 9fcb0eb2..083eba1d 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -338,14 +338,21 @@ main(int argc, char *const *argv) + ngx_process = NGX_PROCESS_MASTER; + } + ++ /* tell-tale to detect if this is parent or child process */ ++ ngx_int_t child_pid = NGX_BUSY; ++ + #if !(NGX_WIN32) + + if (ngx_init_signals(cycle->log) != NGX_OK) { + return 1; + } + ++ /* tell-tale that this code has been executed */ ++ child_pid--; ++ + if (!ngx_inherited && ccf->daemon) { +- if (ngx_daemon(cycle->log) != NGX_OK) { ++ child_pid = ngx_daemon(cycle->log); ++ if (child_pid == NGX_ERROR) { + return 1; + } + +@@ -358,8 +365,19 @@ main(int argc, char *const *argv) + + #endif + +- if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { +- return 1; ++ /* If ngx_daemon() returned the child's PID in the parent process ++ * after the fork() set ngx_pid to the child_pid, which gets ++ * written to the PID file, then exit. ++ * For NGX_WIN32 always write the PID file ++ * For others, only write it from the parent process */ ++ if (child_pid < NGX_OK || child_pid > NGX_OK) { ++ ngx_pid = child_pid > NGX_OK ? child_pid : ngx_pid; ++ if (ngx_create_pidfile(&ccf->pid, cycle->log) != NGX_OK) { ++ return 1; ++ } ++ } ++ if (child_pid > NGX_OK) { ++ exit(0); + } + + if (ngx_log_redirect_stderr(cycle) != NGX_OK) { +diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c +index 385c49b6..3719854c 100644 +--- a/src/os/unix/ngx_daemon.c ++++ b/src/os/unix/ngx_daemon.c +@@ -7,14 +7,17 @@ + + #include <ngx_config.h> + #include <ngx_core.h> ++#include <unistd.h> + + + ngx_int_t + ngx_daemon(ngx_log_t *log) + { + int fd; ++ /* retain the return value for passing back to caller */ ++ pid_t pid_child = fork(); + +- switch (fork()) { ++ switch (pid_child) { + case -1: + ngx_log_error(NGX_LOG_EMERG, log, ngx_errno, "fork() failed"); + return NGX_ERROR; +@@ -23,7 +26,8 @@ ngx_daemon(ngx_log_t *log) + break; + + default: +- exit(0); ++ /* let caller do the exit() */ ++ return pid_child; + } + + ngx_parent = ngx_pid; diff --git a/nginx-upgrade b/nginx-upgrade new file mode 100644 index 0000000..f84d91a --- /dev/null +++ b/nginx-upgrade @@ -0,0 +1,19 @@ +#!/bin/sh +[ ! -f /run/nginx.pid ] && exit 1 +echo "Start new nginx master..." +/bin/systemctl kill --signal=SIGUSR2 nginx.service +sleep 5 +[ ! -f /run/nginx.pid.oldbin ] && sleep 10 +if [ ! -f /run/nginx.pid.oldbin ]; then + echo "Failed to start new nginx master." + exit 1 +fi +echo "Stop old nginx master gracefully..." +oldpid=`/usr/bin/cat /run/nginx.pid.oldbin 2>/dev/null` +/bin/kill -s QUIT $oldpid 2>/dev/null +sleep 5 +[ -f /run/nginx.pid.oldbin ] && sleep 10 +if [ -f /run/nginx.pid.oldbin ]; then + echo "Failed to stop old nginx master." + exit 1 +fi diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..8839c11 --- /dev/null +++ b/nginx.conf @@ -0,0 +1,83 @@ +# For more information on configuration, see: +# * Official English Documentation: http://nginx.org/en/docs/ +# * Official Russian Documentation: http://nginx.org/ru/docs/ + +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log notice; +pid /run/nginx.pid; + +# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. +include /usr/share/nginx/modules/*.conf; + +events { + worker_connections 1024; +} + +http { + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + tcp_nopush on; + keepalive_timeout 65; + types_hash_max_size 4096; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Load modular configuration files from the /etc/nginx/conf.d directory. + # See http://nginx.org/en/docs/ngx_core_module.html#include + # for more information. + include /etc/nginx/conf.d/*.conf; + + server { + listen 80; + listen [::]:80; + server_name _; + root /usr/share/nginx/html; + + # Load configuration files for the default server block. + include /etc/nginx/default.d/*.conf; + + error_page 404 /404.html; + location = /404.html { + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + } + } + +# Settings for a TLS enabled server. +# +# server { +# listen 443 ssl http2; +# listen [::]:443 ssl http2; +# server_name _; +# root /usr/share/nginx/html; +# +# ssl_certificate "/etc/pki/nginx/server.crt"; +# ssl_certificate_key "/etc/pki/nginx/private/server.key"; +# ssl_session_cache shared:SSL:1m; +# ssl_session_timeout 10m; +# ssl_ciphers PROFILE=SYSTEM; +# ssl_prefer_server_ciphers on; +# +# # Load configuration files for the default server block. +# include /etc/nginx/default.d/*.conf; +# +# error_page 404 /404.html; +# location = /404.html { +# } +# +# error_page 500 502 503 504 /50x.html; +# location = /50x.html { +# } +# } + +} + diff --git a/nginx.logrotate b/nginx.logrotate new file mode 100644 index 0000000..353da6e --- /dev/null +++ b/nginx.logrotate @@ -0,0 +1,13 @@ +/var/log/nginx/*log { + create 0664 nginx root + daily + rotate 10 + missingok + notifempty + compress + sharedscripts + postrotate + /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true + endscript +} + diff --git a/nginx.service b/nginx.service new file mode 100644 index 0000000..5b16189 --- /dev/null +++ b/nginx.service @@ -0,0 +1,20 @@ +[Unit] +Description=The nginx HTTP and reverse proxy server +After=network.target remote-fs.target nss-lookup.target + +[Service] +Type=forking +PIDFile=/run/nginx.pid +# Nginx will fail to start if /run/nginx.pid already exists but has the wrong +# SELinux context. This might happen when running `nginx -t` from the cmdline. +ExecStartPre=/usr/bin/rm -f /run/nginx.pid +ExecStartPre=/usr/sbin/nginx -t +ExecStart=/usr/sbin/nginx +ExecReload=/bin/kill -s HUP $MAINPID +KillSignal=SIGQUIT +TimeoutStopSec=5 +KillMode=mixed +PrivateTmp=true + +[Install] +WantedBy=multi-user.target diff --git a/nginx.spec b/nginx.spec new file mode 100644 index 0000000..3a8bba5 --- /dev/null +++ b/nginx.spec @@ -0,0 +1,481 @@ +%global _hardened_build 1 +%global nginx_user nginx + +%undefine _strict_symbol_defs_build + +%bcond_with geoip + +%global with_gperftools 1 + +%global with_mailcap_mimetypes 0 + +%global with_aio 1 + +%global __provides_exclude_from ^%{_usrsrc}/%{name}-%{version}-%{release}/.*$ +%global __requires_exclude_from ^%{_usrsrc}/%{name}-%{version}-%{release}/.*$ + +Name: nginx +Epoch: 1 +Version: 1.26.3 +Release: 5 +Summary: A HTTP server, reverse proxy and mail proxy server +License: BSD-2-Clause +URL: http://nginx.org/ + +Source0: https://nginx.org/download/nginx-%{version}.tar.gz +Source10: nginx.service +Source11: nginx.logrotate +Source12: nginx.conf +Source13: nginx-upgrade +Source14: macros.nginxmods.in +Source15: nginxmods.attr +Source100: index.html +Source102: nginx-logo.png +Source103: 404.html +Source104: 50x.html +Source200: README.dynamic +Source210: UPGRADE-NOTES-1.6-to-1.10 + +Patch0: nginx-auto-cc-gcc.patch +Patch1: nginx-1.12.1-logs-perm.patch +Patch2: nginx-fix-pidfile.patch +Patch8: backport-CVE-2025-53859.patch +Patch9: backport-CVE-2025-53859-after-Mail-reset-stale-auth-credentials-with-smtp_auth-none.patch +Patch10: backport-CVE-2025-53859-after-Mail-logging-upstream-to-the-error-log-with-smtp_auth-none.patch +Patch11: backport-CVE-2026-1642.patch +Patch12: backport-CVE-2026-27654.patch +Patch13: backport-CVE-2026-27784.patch +Patch14: backport-CVE-2026-32647.patch +Patch15: backport-CVE-2026-27651.patch +Patch16: backport-CVE-2026-28753.patch +Patch17: backport-CVE-2026-42945.patch + +BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel +Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl +Requires: nginx-all-modules = %{epoch}:%{version}-%{release} +%if 0%{?with_mailcap_mimetypes} +Requires: nginx-mimetypes +%endif +Requires(pre): nginx-filesystem +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Provides: webserver +Provides: nginx(abi) = %{version} +Recommends: logrotate + +%description +NGINX is a free, open-source, high-performance HTTP server and reverse proxy, +as well as an IMAP/POP3 proxy server. + +%package all-modules +Summary: Nginx modules +BuildArch: noarch + +%if %{with geoip} +Requires: nginx-mod-http-geoip = %{epoch}:%{version}-%{release} +%endif +Requires: nginx-mod-http-image-filter = %{epoch}:%{version}-%{release} +Requires: nginx-mod-http-perl = %{epoch}:%{version}-%{release} +Requires: nginx-mod-http-xslt-filter = %{epoch}:%{version}-%{release} +Requires: nginx-mod-mail = %{epoch}:%{version}-%{release} +Requires: nginx-mod-stream = %{epoch}:%{version}-%{release} + +%description all-modules +NGINX is a free, open-source, high-performance HTTP server and reverse proxy, +as well as an IMAP/POP3 proxy server. +This package is a meta package that installs all available Nginx modules. + +%package filesystem +Summary: Filesystem for the Nginx server +BuildArch: noarch +Requires(pre): shadow-utils + +%description filesystem +NGINX is a free, open-source, high-performance HTTP server and reverse proxy, +as well as an IMAP/POP3 proxy server. +The package contains the basic directory layout for the Nginx server. + +%if %{with geoip} +%package mod-http-geoip +Summary: HTTP geoip module for nginx +BuildRequires: GeoIP-devel +Requires: nginx(abi) = %{version} GeoIP + +%description mod-http-geoip +The package is the Nginx HTTP geoip module. +%endif + +%package mod-http-image-filter +Summary: HTTP image filter module for nginx +BuildRequires: gd-devel +Requires: nginx(abi) = %{version} gd + +%description mod-http-image-filter +Nginx HTTP image filter module. + +%package mod-http-perl +Summary: HTTP perl module for nginx +BuildRequires: perl-devel perl(ExtUtils::Embed) +Requires: nginx(abi) = %{version} perl(constant) +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) + +%description mod-http-perl +Nginx HTTP perl module. + +%package mod-http-xslt-filter +Summary: XSLT module for nginx +BuildRequires: libxslt-devel +Requires: nginx(abi) = %{version} + +%description mod-http-xslt-filter +Nginx XSLT module. + +%package mod-mail +Summary: mail modules for nginx +Requires: nginx(abi) = %{version} + +%description mod-mail +Nginx mail modules + +%package mod-stream +Summary: stream modules for nginx +Requires: nginx(abi) = %{version} + +%description mod-stream +Nginx stream modules. + +%package mod-devel +Summary: nginx module development +Requires: nginx = %{epoch}:%{version}-%{release} +Requires: make gcc gd-devel libxslt-devel openssl-devel +Requires: pcre2-devel perl-devel perl(ExtUtils::Embed) zlib-devel +%if 0%{?with_gperftools} +Requires: gperftools-devel +%endif +%if %{with geoip} +Requires: GeoIP-devel +%endif + +%description mod-devel +Nginx module development + +%package_help + +%prep +%autosetup -n %{name}-%{version} -p1 +cp %{SOURCE200} %{SOURCE210} %{SOURCE10} %{SOURCE12} . +cp -a ../%{name}-%{version} ../%{name}-%{version}-%{release}-src +mv ../%{name}-%{version}-%{release}-src . + +%build +export DESTDIR=%{buildroot} +nginx_ldopts="$RPM_LD_FLAGS -Wl,-E" +if ! ./configure \ + --prefix=%{_datadir}/nginx --sbin-path=%{_sbindir}/nginx --modules-path=%{_libdir}/nginx/modules \ + --conf-path=%{_sysconfdir}/nginx/nginx.conf --error-log-path=%{_localstatedir}/log/nginx/error.log \ + --http-log-path=%{_localstatedir}/log/nginx/access.log \ + --http-client-body-temp-path=%{_localstatedir}/lib/nginx/tmp/client_body \ + --http-fastcgi-temp-path=%{_localstatedir}/lib/nginx/tmp/fastcgi \ + --http-proxy-temp-path=%{_localstatedir}/lib/nginx/tmp/proxy \ + --http-scgi-temp-path=%{_localstatedir}/lib/nginx/tmp/scgi \ + --http-uwsgi-temp-path=%{_localstatedir}/lib/nginx/tmp/uwsgi \ + --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx \ + --user=%{nginx_user} --group=%{nginx_user} \ +%if 0%{?with_aio} + --with-file-aio \ +%endif + --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module \ + --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic \ +%if %{with geoip} + --with-http_geoip_module=dynamic \ +%endif + --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module \ + --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module \ + --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module \ + --with-http_perl_module=dynamic --with-http_auth_request_module \ + --with-mail=dynamic --with-mail_ssl_module --with-openssl-opt=yes --with-pcre --with-pcre-jit --with-stream=dynamic \ + --with-stream_ssl_module --with-google_perftools_module --with-debug \ + --with-cc-opt="%{optflags} $(pcre2-config --cflags)" --with-ld-opt="$nginx_ldopts"; then + : configure failed + cat objs/autoconf.err + exit 1 +fi + +%make_build + + +%install +%make_install INSTALLDIRS=vendor + +find %{buildroot} -type f -empty -exec rm -f '{}' \; +find %{buildroot} -type f -name .packlist -exec rm -f '{}' \; +find %{buildroot} -type f -name perllocal.pod -exec rm -f '{}' \; +find %{buildroot} -type f -iname '*.so' -exec chmod 0755 '{}' \; + +pushd %{buildroot} +install -p -D -m 0644 %{_builddir}/nginx-%{version}/nginx.service .%{_unitdir}/nginx.service +install -p -D -m 0644 %{SOURCE11} .%{_sysconfdir}/logrotate.d/nginx +install -p -d -m 0755 .%{_sysconfdir}/systemd/system/nginx.service.d +install -p -d -m 0755 .%{_unitdir}/nginx.service.d +install -p -d -m 0755 .%{_sysconfdir}/nginx/conf.d +install -p -d -m 0755 .%{_sysconfdir}/nginx/default.d +install -p -d -m 0700 .%{_localstatedir}/lib/nginx +install -p -d -m 0700 .%{_localstatedir}/lib/nginx/tmp +install -p -d -m 0700 .%{_localstatedir}/log/nginx +install -p -d -m 0755 .%{_datadir}/nginx/html +install -p -d -m 0755 .%{_datadir}/nginx/modules +install -p -d -m 0755 .%{_libdir}/nginx/modules +install -p -m 0644 %{_builddir}/nginx-%{version}/nginx.conf .%{_sysconfdir}/nginx +install -p -m 0644 %{SOURCE100} .%{_datadir}/nginx/html +install -p -m 0644 %{SOURCE102} .%{_datadir}/nginx/html +install -p -m 0644 %{SOURCE103} %{SOURCE104} .%{_datadir}/nginx/html + +%if 0%{?with_mailcap_mimetypes} +rm -f .%{_sysconfdir}/nginx/mime.types +%endif + +install -p -D -m 0644 %{_builddir}/nginx-%{version}/man/nginx.8 .%{_mandir}/man8/nginx.8 +install -p -D -m 0755 %{SOURCE13} .%{_bindir}/nginx-upgrade +popd + +for i in ftdetect indent syntax; do + install -p -D -m644 contrib/vim/${i}/nginx.vim %{buildroot}%{_datadir}/vim/vimfiles/${i}/nginx.vim +done + +%if %{with geoip} +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_geoip_module.so";' \ + > %{buildroot}%{_datadir}/nginx/modules/mod-http-geoip.conf +%endif + +pushd %{buildroot} +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_image_filter_module.so";' \ + > .%{_datadir}/nginx/modules/mod-http-image-filter.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_perl_module.so";' \ + > .%{_datadir}/nginx/modules/mod-http-perl.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so";' \ + > .%{_datadir}/nginx/modules/mod-http-xslt-filter.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_mail_module.so";' \ + > .%{_datadir}/nginx/modules/mod-mail.conf +echo 'load_module "%{_libdir}/nginx/modules/ngx_stream_module.so";' \ + > .%{_datadir}/nginx/modules/mod-stream.conf +popd + +mkdir -p %{buildroot}%{_usrsrc} +mv %{name}-%{version}-%{release}-src %{buildroot}%{_usrsrc}/%{name}-%{version}-%{release} + +mkdir -p %{buildroot}%{_rpmmacrodir} +sed -e "s|@@NGINX_ABIVERSION@@|%{version}|g" \ + -e "s|@@NGINX_MODDIR@@|%{_libdir}\/nginx\/modules|g" \ + -e "s|@@NGINX_MODCONFDIR@@|%{_datadir}\/nginx\/modules|g" \ + -e "s|@@NGINX_SRCDIR@@|%{_usrsrc}\/%{name}-%{version}-%{release}|g" \ + %{SOURCE14} > %{buildroot}%{_rpmmacrodir}/macros.nginxmods +install -Dpm0644 %{SOURCE15} %{buildroot}%{_fileattrsdir}/nginxmods.attr + +%pre filesystem +getent group %{nginx_user} > /dev/null || groupadd -r %{nginx_user} +getent passwd %{nginx_user} > /dev/null || useradd -r -d %{_localstatedir}/lib/nginx -g %{nginx_user} \ + -s /sbin/nologin -c "Nginx web server" %{nginx_user} +exit 0 + +%post +%systemd_post nginx.service + +%if %{with geoip} +%post mod-http-geoip +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi +%endif + +%post mod-http-image-filter +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-http-perl +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-http-xslt-filter +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-mail +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%post mod-stream +if [ $1 -eq 1 ]; then + systemctl reload nginx.service >/dev/null 2>&1 || : +fi + +%preun +%systemd_preun nginx.service + +%postun +%systemd_postun nginx.service +if [ $1 -ge 1 ]; then + /usr/bin/nginx-upgrade >/dev/null 2>&1 || : +fi + +%files +%defattr(-,root,root) +%license LICENSE +%config(noreplace) %{_sysconfdir}/nginx/* +%config(noreplace) %{_sysconfdir}/logrotate.d/nginx +%exclude %{_sysconfdir}/nginx/conf.d +%exclude %{_sysconfdir}/nginx/default.d +%if 0%{?with_mailcap_mimetypes} +%exclude %{_sysconfdir}/nginx/mime.types +%endif +%{_bindir}/nginx-upgrade +%{_sbindir}/nginx +%dir %{_libdir}/nginx/modules +%dir %{_datadir}/nginx/modules +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/lib/nginx/tmp +%{_unitdir}/nginx.service +%{_datadir}/nginx/html/* +%{_datadir}/vim/vimfiles/ftdetect/nginx.vim +%{_datadir}/vim/vimfiles/syntax/nginx.vim +%{_datadir}/vim/vimfiles/indent/nginx.vim +%attr(770,%{nginx_user},root) %dir %{_localstatedir}/log/nginx + +%files all-modules + +%files filesystem +%dir %{_sysconfdir}/nginx +%dir %{_sysconfdir}/nginx/{conf.d,default.d} +%dir %{_sysconfdir}/systemd/system/nginx.service.d +%dir %{_unitdir}/nginx.service.d +%dir %{_datadir}/nginx +%dir %{_datadir}/nginx/html + +%if %{with geoip} +%files mod-http-geoip +%{_libdir}/nginx/modules/ngx_http_geoip_module.so +%{_datadir}/nginx/modules/mod-http-geoip.conf +%endif + +%files mod-http-image-filter +%{_libdir}/nginx/modules/ngx_http_image_filter_module.so +%{_datadir}/nginx/modules/mod-http-image-filter.conf + +%files mod-http-perl +%{_libdir}/nginx/modules/ngx_http_perl_module.so +%{_datadir}/nginx/modules/mod-http-perl.conf +%dir %{perl_vendorarch}/auto/nginx +%{perl_vendorarch}/nginx.pm +%{perl_vendorarch}/auto/nginx/nginx.so + +%files mod-http-xslt-filter +%{_libdir}/nginx/modules/ngx_http_xslt_filter_module.so +%{_datadir}/nginx/modules/mod-http-xslt-filter.conf + +%files mod-mail +%{_libdir}/nginx/modules/ngx_mail_module.so +%{_datadir}/nginx/modules/mod-mail.conf + +%files mod-stream +%{_libdir}/nginx/modules/ngx_stream_module.so +%{_datadir}/nginx/modules/mod-stream.conf + +%files mod-devel +%{_rpmmacrodir}/macros.nginxmods +%{_fileattrsdir}/nginxmods.attr +%{_usrsrc}/%{name}-%{version}-%{release} + +%files help +%defattr(-,root,root) +%doc CHANGES README README.dynamic +%{_mandir}/man3/nginx.3pm* +%{_mandir}/man8/nginx.8* + +%changelog +* Fri May 15 2026 infra_team <zhaiwenjie1@huawei.com> - 1:1.26.3-5 +- fix CVE-2026-42945 + +* Thu Mar 26 2026 gaihuiying <eaglegai@163.com> - 1:1.26.3-4 +- fix CVE-2026-27654 CVE-2026-27784 CVE-2026-32647 + CVE-2026-27651 CVE-2026-28753 + +* Mon Mar 09 2026 gaihuiying <eaglegai@163.com> - 1:1.26.3-3 +- fix CVE-2026-1642 + +* Mon Aug 18 2025 gaihuiying <eaglegai@163.com> - 1:1.26.3-2 +- fix CVE-2025-53859 + +* Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.26.3-1 +- update nginx to 1.26.3 + +* Thu Aug 15 2024 Funda Wang <fundawang@yeah.net> - 1:1.24.0-2 +- fix CVE-2024-7347 + +* Tue Jan 02 2024 gaihuiying <eaglegai@163.com> - 1:1.24.0-1 +- update nginx to 1.24.0 + +* Thu Oct 19 2023 yanglu <yanglu72@h-partners.com> - 1:1.23.3-2 +- fix CVE-2023-44487 + +* Thu Mar 16 2023 gaihuiying <eaglegai@163.com> - 1:1.23.3-1 +- update nginx to 1.23.3 + +* Thu Nov 24 2022 zhouyihang <zhouyihang3@h-partners.com> - 1:1.23.2-2 +- add package mod-devel + +* Mon Nov 14 2022 gaihuiying <eaglegai@163.com> - 1:1.23.2-1 +- update nginx to 1.23.2 + +* Tue Jul 19 2022 gaihuiying <eaglegai@163.com> - 1:1.21.5-2 +- switch pcre to pcre2 + +* Sat Jan 15 2022 yaoxin <yaoxin30@huawei.com> - 1:1.21.5-1 +- Upgrade nginx to 1.21.5 + +* Tue Jun 15 2021 yanglu <yanglu72@huawei.com> - 1:1.18.0-5 +- fix CVE-2021-23017 + +* Sat Mar 20 2021 wangxiaopeng <wangxiaopeng7@huawei.com> - 1:1.18.0-4 +- Fix NGINX pidfile handling + +* Mon Mar 15 2021 gaihuiying <gaihuiying1@huawei.com> - 1:1.18.0-3 +- delete unimportant comment + +* Thu Sep 3 2020 yanan li <liyanan032@huawei.com> - 1:1.18.0-2 +- add mime.types file to nginx packages + +* Thu Jun 4 2020 huanghaitao <huanghaitao8@huawei.com> - 1:1.18.0-1 +- Change source to latest update + +* Fri May 22 2020 wutao <wutao61@huawei.com> - 1:1.16.1-4 +- change and delete html + +* Mon May 11 2020 wutao <wutao61@huawei.com> - 1:1.16.1-3 +- modify patch and html + +* Wed Mar 18 2020 yuxiangyang <yuxiangyang4@huawei.com> - 1:1.16.1-2 +- delete http_stub_status_module.This configuration creates a simple + web page with basic status data,but it will affect cpu scale-out because + it use atomic cas. + +* Mon Mar 16 2020 likexin <likexin4@huawei.com> - 1:1.16.1-1 +- update to 1.16.1 + +* Mon Mar 16 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.12.1-17 +- Type:bugfix +- ID:NA +- SUG:restart +- DESC: fix CVE-2019-20372 + +* Sat Dec 28 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.12.1-16 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: add the with_mailcap_mimetypes + +* Wed Dec 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.12.1-15 +- Package init diff --git a/nginxmods.attr b/nginxmods.attr new file mode 100644 index 0000000..102da1a --- /dev/null +++ b/nginxmods.attr @@ -0,0 +1,14 @@ +%__nginxmods_requires() %{lua: + -- Match buildroot paths of the form + -- /PATH/OF/BUILDROOT/usr/lib/nginx/modules/ and + -- /PATH/OF/BUILDROOT/usr/lib64/nginx/modules/ + -- generating a line of the form: + -- nginx(abi) = VERSION + local path = rpm.expand("%1") + if path:match("/usr/lib%d*/nginx/modules/.*") then + local requires = "nginx(abi) = " .. rpm.expand("%{_nginx_abiversion}") + print(requires) + end +} + +%__nginxmods_path ^%{_prefix}/lib(64)?/nginx/modules/.*\\.so$ @@ -0,0 +1,2 @@ +75f8fdd88469c4d31e0715e186b2f1f9 nginx-1.26.3.tar.gz +425a3bef572ffa7e706bd7db8452c733 nginx-logo.png |