diff -Nru nginx-1.17.2/CHANGES nginx-1.17.3/CHANGES
--- nginx-1.17.2/CHANGES 2019-07-23 12:01:51.000000000 +0000
+++ nginx-1.17.3/CHANGES 2019-08-13 12:46:01.000000000 +0000
@@ -1,4 +1,17 @@
+Changes with nginx 1.17.3 13 Aug 2019
+
+ *) Security: when using HTTP/2 a client might cause excessive memory
+ consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
+ CVE-2019-9516).
+
+ *) Bugfix: "zero size buf" alerts might appear in logs when using
+ gzipping; the bug had appeared in 1.17.2.
+
+ *) Bugfix: a segmentation fault might occur in a worker process if the
+ "resolver" directive was used in SMTP proxy.
+
+
 Changes with nginx 1.17.2 23 Jul 2019
 *) Change: minimum supported zlib version is 1.2.0.4.
diff -Nru nginx-1.17.2/CHANGES.ru nginx-1.17.3/CHANGES.ru
--- nginx-1.17.2/CHANGES.ru 2019-07-23 12:01:50.000000000 +0000
+++ nginx-1.17.3/CHANGES.ru 2019-08-13 12:46:00.000000000 +0000
@@ -1,4 +1,17 @@
+Изменения в nginx 1.17.3 13.08.2019
+
+ *) Безопасность: при использовании HTTP/2 клиент мог вызвать чрезмерное
+ потребление памяти и ресурсов процессора (CVE-2019-9511,
+ CVE-2019-9513, CVE-2019-9516).
+
+ *) Исправление: при использовании сжатия в логах могли появляться
+ сообщения "zero size buf"; ошибка появилась в 1.17.2.
+
+ *) Исправление: при использовании директивы resolver в SMTP
+ прокси-сервере в рабочем процессе мог произойти segmentation fault.
+
+
 Изменения в nginx 1.17.2 23.07.2019
 *) Изменение: минимальная поддерживаемая версия zlib - 1.2.0.4.
diff -Nru nginx-1.17.2/debian/changelog nginx-1.17.3/debian/changelog
--- nginx-1.17.2/debian/changelog 2019-07-23 19:12:47.000000000 +0000
+++ nginx-1.17.3/debian/changelog 2019-08-19 00:54:02.000000000 +0000
@@ -1,51 +1,40 @@
-nginx (1.17.2-0+eoan0) eoan; urgency=medium
+nginx (1.17.3-0+eoan1) eoan; urgency=medium
- * New upstream release (1.17.2)
- * Packaging initially copied from Disco.
+ * Copied 1.16.0 packaging from NGINX Stable PPA to Mainline PPA
+ * New upstream release (1.17.3)
 * Upload for eoan
- -- Thomas Ward Tue, 23 Jul 2019 15:12:47 -0400
+ -- Thomas Ward Sun, 18 Aug 2019 20:54:02 -0400
-nginx (1.15.8-0+disco0) disco; urgency=medium
+nginx (1.16.0-0+eoan1) eoan; urgency=medium
- * New upstream release (1.15.8)
- * Upload for disco
-
- -- Thomas Ward Fri, 01 Feb 2019 20:32:04 -0500
-
-nginx (1.15.6-0+cosmic0) cosmic; urgency=medium
-
- * New upstream release (1.15.6).
- * Upload for cosmic
-
- -- Thomas Ward Fri, 09 Nov 2018 10:11:58 -0500
-
-nginx (1.15.5-0+cosmic1) cosmic; urgency=medium
-
- * debian/rules: Enable --with-compat for all flavors of NGINX.
+ * New upstream release (1.16.0)
+ * Packaging copied from disco to eoan.
+ * Upload for eoan
- -- Thomas Ward Wed, 17 Oct 2018 09:27:15 -0400
+ -- Thomas Ward Fri, 19 Jul 2019 19:34:04 -0400
-nginx (1.15.5-0+cosmic0) cosmic; urgency=medium
+nginx (1.14.2-0+disco1) disco; urgency=medium
- * New upstream release: 1.15.5
- * Upload for cosmic
+ * New upstream release (1.14.2) containing bugfixes and updates.
+ * Copy Cosmic versino of package into PPA as base for Disco variant.
+ * Upload for disco
- -- Thomas Ward Fri, 12 Oct 2018 12:54:33 -0400
+ -- Thomas Ward Sun, 03 Mar 2019 12:23:54 -0500
-nginx (1.15.2-0+cosmic0) cosmic; urgency=medium
+nginx (1.14.1-0+cosmic0) cosmic; urgency=medium
- * New upstream release: 1.15.2.
+ * New upstream release (1.14.1) containing bugfixes and security updates.
 * Upload for cosmic
- -- Thomas Ward Thu, 02 Aug 2018 11:36:45 -0400
+ -- Thomas Ward Fri, 09 Nov 2018 10:05:18 -0500
-nginx (1.15.0-0+cosmic0) cosmic; urgency=medium
+nginx (1.14.0-0+cosmic0) cosmic; urgency=medium
- * New upstream release: 1.15.0 Mainline.
- * Upload for cosmic, based on the bionic upload for first upload.
+ * Sync bionic builds to cosmic
+ * d/rules: Enable --with-compat for all NGINX flavors.
- -- Thomas Ward Mon, 18 Jun 2018 11:38:24 -0400
+ -- Thomas Ward Wed, 17 Oct 2018 09:38:54 -0400
 nginx (1.14.0-0+bionic0) bionic; urgency=medium
diff -Nru nginx-1.17.2/src/core/nginx.h nginx-1.17.3/src/core/nginx.h
--- nginx-1.17.2/src/core/nginx.h 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/core/nginx.h 2019-08-13 12:45:57.000000000 +0000
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
-#define nginx_version 1017002
-#define NGINX_VERSION "1.17.2"
+#define nginx_version 1017003
+#define NGINX_VERSION "1.17.3"
 #define NGINX_VER "nginx/" NGINX_VERSION
 #ifdef NGX_BUILD
diff -Nru nginx-1.17.2/src/http/modules/ngx_http_gzip_filter_module.c nginx-1.17.3/src/http/modules/ngx_http_gzip_filter_module.c
--- nginx-1.17.2/src/http/modules/ngx_http_gzip_filter_module.c 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/http/modules/ngx_http_gzip_filter_module.c 2019-08-13 12:45:57.000000000 +0000
@@ -778,7 +778,7 @@
 ctx->out_buf->last = ctx->zstream.next_out;
- if (ctx->zstream.avail_out == 0) {
+ if (ctx->zstream.avail_out == 0 && rc != Z_STREAM_END) {
 /* zlib wants to output some more gzipped data */
@@ -868,6 +868,7 @@
 ngx_http_gzip_ctx_t *ctx)
 {
 int rc;
+ ngx_buf_t *b;
 ngx_chain_t *cl;
 ctx->zin = ctx->zstream.total_in;
@@ -888,13 +889,19 @@
 return NGX_ERROR;
 }
- cl->buf = ctx->out_buf;
+ b = ctx->out_buf;
+
+ if (ngx_buf_size(b) == 0) {
+ b->temporary = 0;
+ }
+
+ b->last_buf = 1;
+
+ cl->buf = b;
 cl->next = NULL;
 *ctx->last_out = cl;
 ctx->last_out = &cl->next;
- ctx->out_buf->last_buf = 1;
-
 ctx->zstream.avail_in = 0;
 ctx->zstream.avail_out = 0;
diff -Nru nginx-1.17.2/src/http/v2/ngx_http_v2.c nginx-1.17.3/src/http/v2/ngx_http_v2.c
--- nginx-1.17.2/src/http/v2/ngx_http_v2.c 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/http/v2/ngx_http_v2.c 2019-08-13 12:45:57.000000000 +0000
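Review bot: In ngx_http_gzip_filter_module.c, the new `if (ngx_buf_size(b) == 0) { b->temporary = 0; }` branch in the hunk at `@@ -888,13 +889,19 @@` has no comment saying why the flag is cleared, and the reason is not evident from the code. Going by the CHANGES entry, this is presumably what stops the "zero size buf" alert for an empty final buffer that only carries `last_buf`. I would state that above the branch, e.g. `/* an empty last buffer is only a last_buf marker; drop "temporary" so it is not reported as a zero size buf */`. The enclosing function starts before the hunk and continues after it.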
@@ -273,6 +273,7 @@
 h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
 h2c->concurrent_pushes = h2scf->concurrent_pushes;
+ h2c->priority_limit = h2scf->concurrent_streams;
 h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
 if (h2c->pool == NULL) {
@@ -1546,6 +1547,14 @@
 header->name.len = h2c->state.field_end - h2c->state.field_start;
 header->name.data = h2c->state.field_start;
+ if (header->name.len == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent zero header name length");
+
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_PROTOCOL_ERROR);
+ }
+
 return ngx_http_v2_state_field_len(h2c, pos, end);
 }
@@ -1796,6 +1805,13 @@
 return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
 }
+ if (--h2c->priority_limit == 0) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many PRIORITY frames");
+
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
+ }
+
 if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
 return ngx_http_v2_state_save(h2c, pos, end, ngx_http_v2_state_priority);
@@ -3112,6 +3128,8 @@
 h2c->processing++;
 }
+ h2c->priority_limit += h2scf->concurrent_streams;
+
 return stream;
 }
@@ -3249,10 +3267,6 @@
 ngx_uint_t i;
 ngx_http_core_srv_conf_t *cscf;
- if (header->name.len == 0) {
- return NGX_ERROR;
- }
-
 r->invalid_header = 0;
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
@@ -4365,6 +4379,8 @@
 */
 pool = stream->pool;
+ h2c->frames -= stream->frames;
+
 ngx_http_free_request(stream->request, rc);
 if (pool != h2c->state.pool) {
diff -Nru nginx-1.17.2/src/http/v2/ngx_http_v2_filter_module.c nginx-1.17.3/src/http/v2/ngx_http_v2_filter_module.c
--- nginx-1.17.2/src/http/v2/ngx_http_v2_filter_module.c 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/http/v2/ngx_http_v2_filter_module.c 2019-08-13 12:45:57.000000000 +0000
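Review bot: In ngx_http_v2.c the empty-name check added at `@@ -1546,6 +1547,14 @@` fails the whole connection with `NGX_HTTP_V2_PROTOCOL_ERROR`, while the check it replaces (removed at `@@ -3249,10 +3267,6 @@`) only returned `NGX_ERROR`, and no comment records why the handling became stricter. I would add one line above the `if`, for example `/* an empty header name is never valid: fail the connection here, before the header is processed further */`. The enclosing function begins above the hunk, so the wording should be checked against it.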
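Review bot: In ngx_http_v2.c at `@@ -1796,6 +1805,13 @@`, the `--h2c->priority_limit` decrement sits above the `end - pos < NGX_HTTP_V2_PRIORITY_SIZE` branch, which saves state and names `ngx_http_v2_state_priority` as the handler to resume with, so a PRIORITY frame whose payload arrives across two reads appears to be charged twice against the budget. Moving the decrement below that branch would charge each frame once. Separately, `priority_limit` is an `ngx_uint_t` seeded from `h2scf->concurrent_streams`; if that setting can be 0, the first decrement wraps and the limit never fires, so either guard it with `if (h2c->priority_limit == 0 || --h2c->priority_limit == 0) {` or add a comment stating why 0 cannot occur. The function's start and end are outside the hunk.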
@@ -1669,22 +1669,34 @@
 ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, size_t len, ngx_chain_t *first, ngx_chain_t *last)
 {
- u_char flags;
- ngx_buf_t *buf;
- ngx_chain_t *cl;
- ngx_http_v2_out_frame_t *frame;
+ u_char flags;
+ ngx_buf_t *buf;
+ ngx_chain_t *cl;
+ ngx_http_v2_out_frame_t *frame;
+ ngx_http_v2_connection_t *h2c;
 frame = stream->free_frames;
+ h2c = stream->connection;
 if (frame) {
 stream->free_frames = frame->next;
- } else {
+ } else if (h2c->frames < 10000) {
 frame = ngx_palloc(stream->request->pool, sizeof(ngx_http_v2_out_frame_t));
 if (frame == NULL) {
 return NULL;
 }
+
+ stream->frames++;
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
 }
 flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
diff -Nru nginx-1.17.2/src/http/v2/ngx_http_v2.h nginx-1.17.3/src/http/v2/ngx_http_v2.h
--- nginx-1.17.2/src/http/v2/ngx_http_v2.h 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/http/v2/ngx_http_v2.h 2019-08-13 12:45:57.000000000 +0000
@@ -122,6 +122,7 @@
 ngx_uint_t processing;
 ngx_uint_t frames;
 ngx_uint_t idle;
+ ngx_uint_t priority_limit;
 ngx_uint_t pushing;
 ngx_uint_t concurrent_pushes;
@@ -192,6 +193,8 @@
 ngx_buf_t *preread;
+ ngx_uint_t frames;
+
 ngx_http_v2_out_frame_t *free_frames;
 ngx_chain_t *free_frame_headers;
 ngx_chain_t *free_bufs;
diff -Nru nginx-1.17.2/src/mail/ngx_mail_smtp_handler.c nginx-1.17.3/src/mail/ngx_mail_smtp_handler.c
--- nginx-1.17.2/src/mail/ngx_mail_smtp_handler.c 2019-07-23 12:01:47.000000000 +0000
+++ nginx-1.17.3/src/mail/ngx_mail_smtp_handler.c 2019-08-13 12:45:57.000000000 +0000
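Review bot: The cap in `} else if (h2c->frames < 10000) {` in ngx_http_v2_filter_get_data_frame() is a bare literal with no name or comment, so the per-connection bound on allocated output frames is hard to find and its rationale is unrecorded. I would give it a name next to the other HTTP/2 limits, e.g. `#define NGX_HTTP_V2_MAX_FRAMES 10000` (the name is only a suggestion). A comment should also say that `h2c->frames` sums newly allocated frames over all streams of the connection and is given back by `h2c->frames -= stream->frames;` in ngx_http_v2.c before the stream's request is freed. Both "http2 flood detected" and the PRIORITY message in ngx_http_v2.c are logged at `NGX_LOG_INFO`, which nginx's default `error` log level does not record, so operators who want to alert on these events should know to lower the level.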
@@ -15,6 +15,7 @@
 static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
 static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
 static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
 static void ngx_mail_smtp_greeting(ngx_mail_session_t *s, ngx_connection_t *c);
 static void ngx_mail_smtp_invalid_pipelining(ngx_event_t *rev);
 static ngx_int_t ngx_mail_smtp_create_buffer(ngx_mail_session_t *s,
@@ -88,6 +89,9 @@
 ctx->data = s;
 ctx->timeout = cscf->resolver_timeout;
+ s->resolver_ctx = ctx;
+ c->read->handler = ngx_mail_smtp_block_reading;
+
 if (ngx_resolve_addr(ctx) != NGX_OK) {
 ngx_mail_close_connection(c);
 }
@@ -169,6 +173,9 @@
 ctx->data = s;
 ctx->timeout = cscf->resolver_timeout;
+ s->resolver_ctx = ctx;
+ c->read->handler = ngx_mail_smtp_block_reading;
+
 if (ngx_resolve_name(ctx) != NGX_OK) {
 ngx_mail_close_connection(c);
 }
@@ -239,6 +246,38 @@
 static void
+ngx_mail_smtp_block_reading(ngx_event_t *rev)
+{
+ ngx_connection_t *c;
+ ngx_mail_session_t *s;
+ ngx_resolver_ctx_t *ctx;
+
+ c = rev->data;
+ s = c->data;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_MAIL, c->log, 0, "smtp reading blocked");
+
+ if (ngx_handle_read_event(rev, 0) != NGX_OK) {
+
+ if (s->resolver_ctx) {
+ ctx = s->resolver_ctx;
+
+ if (ctx->handler == ngx_mail_smtp_resolve_addr_handler) {
+ ngx_resolve_addr_done(ctx);
+
+ } else if (ctx->handler == ngx_mail_smtp_resolve_name_handler) {
+ ngx_resolve_name_done(ctx);
+ }
+
+ s->resolver_ctx = NULL;
+ }
+
+ ngx_mail_close_connection(c);
+ }
+}
+
+
+static void
 ngx_mail_smtp_greeting(ngx_mail_session_t *s, ngx_connection_t *c)
 {
 ngx_msec_t timeout;
@@ -258,6 +297,10 @@
 ngx_mail_close_connection(c);
 }
+ if (c->read->ready) {
+ ngx_post_event(c->read, &ngx_posted_events);
+ }
+
 if (sscf->greeting_delay) {
 c->read->handler = ngx_mail_smtp_invalid_pipelining;
 return;
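Review bot: In ngx_mail_smtp_handler.c, `s->resolver_ctx = ctx;` is set before `ngx_resolve_addr()` (`@@ -88,6 +89,9 @@`) and before `ngx_resolve_name()` (`@@ -169,6 +173,9 @@`), but the only place this diff clears it is the error path of the new `ngx_mail_smtp_block_reading()`. The resolve handlers that finish a lookup are outside the diff; if they call `ngx_resolve_addr_done()` or `ngx_resolve_name_done()` without also doing `s->resolver_ctx = NULL;`, the session keeps a pointer to a released context. The `!= NGX_OK` branches directly below the assignments also close the connection with the field still set. Please confirm every completion and failure path resets the field, or add the reset there.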
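Review bot: In the last hunk (`@@ -258,6 +297,10 @@`) the new `if (c->read->ready)` test follows a block whose visible tail is `ngx_mail_close_connection(c); }` with no `return`, so when that branch is taken the added code reads `c->read` and may post an event on a connection that was just closed. The condition guarding that block is above the hunk, so this needs checking there. If it is the failure path of a read-event registration, adding `return;` after `ngx_mail_close_connection(c);` keeps the new lines from running on a closed connection.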