From 7c49090830007a6300bd0b629e4586eb6c261155 Mon Sep 17 00:00:00 2001
From: Marco Ebert
Date: Tue, 17 Jun 2025 15:21:38 +0200
Subject: [PATCH] NGINX: Bump to OpenResty v1.25.3.2.
---
 images/nginx/rootfs/build.sh | 67 ++++++++-------
 .../28_nginx-1.25.3-CVE-2025-23419.patch | 40 +++++++++
 ...ginx-1.25.3-upstream_timeout_fields.patch} | 0
 ...nx-1.25.3-safe_resolver_ipv6_option.patch} | 0
 ...h => 31_nginx-1.25.3-socket_cloexec.patch} | 0
 ...x-1.25.3-reuseport_close_unused_fds.patch} | 0
 .../33_nginx-1.25.3-proc_exit_handler.patch | 81 +++++++++++++++++++
 7 files changed, 154 insertions(+), 34 deletions(-)
 create mode 100644 images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch
 rename images/nginx/rootfs/patches/{28_nginx-1.25.3-upstream_timeout_fields.patch => 29_nginx-1.25.3-upstream_timeout_fields.patch} (100%)
 rename images/nginx/rootfs/patches/{29_nginx-1.25.3-safe_resolver_ipv6_option.patch => 30_nginx-1.25.3-safe_resolver_ipv6_option.patch} (100%)
 rename images/nginx/rootfs/patches/{30_nginx-1.25.3-socket_cloexec.patch => 31_nginx-1.25.3-socket_cloexec.patch} (100%)
 rename images/nginx/rootfs/patches/{31_nginx-1.25.3-reuseport_close_unused_fds.patch => 32_nginx-1.25.3-reuseport_close_unused_fds.patch} (100%)
 create mode 100644 images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch
diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh
index 4e24da0b92..92eb5a01c5 100755
--- a/images/nginx/rootfs/build.sh
+++ b/images/nginx/rootfs/build.sh
@@ -24,85 +24,85 @@ export NGINX_VERSION=1.25.5
 export NDK_VERSION=v0.3.3
 
 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master
-export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e
+export SETMISC_VERSION=v0.33
 
 # Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.37...master
 export MORE_HEADERS_VERSION=v0.37
 
-# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master
+# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...master
 export NGINX_DIGEST_AUTH=v1.0.0
 
-# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master
+# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/e12e965ac1837ca709709f9a26f572a54d83430e...master
 export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e
 
-# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master
-export MODSECURITY_VERSION=v1.0.3
+# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.4...master
+export MODSECURITY_VERSION=v1.0.4
 
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.14...v3/master
 export MODSECURITY_LIB_VERSION=v3.0.14
 
-# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.10.0...main
-export OWASP_MODSECURITY_CRS_VERSION=v4.10.0
+# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v4.15.0...main
+export OWASP_MODSECURITY_CRS_VERSION=v4.15.0
 
-# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26``...master
+# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.26...master
 export LUA_NGX_VERSION=v0.10.26
 
 # Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/bea8a0c0de94cede71554f53818ac0267d675d63...master
 export LUA_STREAM_NGX_VERSION=bea8a0c0de94cede71554f53818ac0267d675d63
 
-# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master
-export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36
+# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/v0.07...master
+export LUA_UPSTREAM_VERSION=v0.07
 
-# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...openresty:master
+# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.13...master
 export LUA_CJSON_VERSION=2.1.0.13
 
-# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/a607a41a8115fecfc05b5c283c81532a3d605425...master
-export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425
+# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/445df24ef3781e488cee3dfe8a1e111997fc1dfe...master
+export GEOIP2_VERSION=445df24ef3781e488cee3dfe8a1e111997fc1dfe
 
-# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20240314...v2.1-agentzh
-export LUAJIT_VERSION=v2.1-20240314
+# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20231117.1...v2.1-agentzh
+export LUAJIT_VERSION=v2.1-20231117.1
 
-# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/1cd4363c0a239afe4765ec607dcfbbb4e5900eea...master
-export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea
+# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.05...master
+export LUA_RESTY_BALANCER=v0.05
 
-# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/99e7578465b40f36f596d099b82eab404f2b42ed...master
-export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed
+# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master
+export LUA_RESTY_CACHE=v0.13
 
-# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master
+# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.28...master
 export LUA_RESTY_CORE=v0.1.28
 
 # Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/f418d77082eaef48331302e84330488fdc810ef4...master
 export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4
 
-# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/8bb53516e2933e61c317db740a9b7c2048847c2f...master
-export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f
+# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.23...master
+export LUA_RESTY_DNS=v0.23
 
-# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.1...master
-export LUA_RESTY_HTTP=v0.17.1
+# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.17.2...master
+export LUA_RESTY_HTTP=v0.17.2
 
 # Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master
-export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9
+export LUA_RESTY_LOCK=v0.09
 
 # Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master
-export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3
+export LUA_RESTY_UPLOAD_VERSION=v0.11
 
 # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master
-export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844
+export LUA_RESTY_STRING_VERSION=v0.15
 
 # Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master
-export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b
+export LUA_RESTY_MEMCACHED_VERSION=v0.17
 
 # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master
-export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8
+export LUA_RESTY_REDIS_VERSION=v0.30
 
-# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master
+# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/3e93c53eb8c9884efe939ef070486a0e507cc5be...master
 export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be
 
 # Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main
 export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0
 
-# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.1.7...master
-export MIMALOC_VERSION=v2.1.7
+# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v2.2.4...main
+export MIMALOC_VERSION=v2.2.4
 
 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.18.0...main
 export OPENTELEMETRY_CPP_VERSION=v1.18.0
@@ -326,8 +326,7 @@ git config --global --add core.compression -1
 cd "$BUILD_PATH"
 git clone --depth=100 https://github.com/google/ngx_brotli.git
 cd ngx_brotli
-# https://github.com/google/ngx_brotli/issues/156
-git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52
+git reset --hard a71f9312c2deb28875acc7bacfdd5695a111aa53
 git submodule init
 git submodule update
 
diff --git a/images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch b/images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch
new file mode 100644
index 0000000000..372c0b9973
--- /dev/null
+++ b/images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch
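Review bot: Most of the pins in the first build.sh hunk move from a commit hash to a tag (`SETMISC_VERSION`, `LUA_UPSTREAM_VERSION`, `LUA_RESTY_BALANCER`, `LUA_RESTY_CACHE`, `LUA_RESTY_DNS`, `LUA_RESTY_LOCK`, `LUA_RESTY_UPLOAD_VERSION`, `LUA_RESTY_STRING_VERSION`, `LUA_RESTY_MEMCACHED_VERSION`, `LUA_RESTY_REDIS_VERSION`), which trades an immutable reference for one the upstream repository can re-point, so the image is no longer reproducible from this file alone unless the fetch steps outside this hunk verify a content digest. If the aim is to match the component set bundled with OpenResty v1.25.3.2, the tag can stay in the comment while the export keeps the hash, e.g. `# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master` above `export SETMISC_VERSION=<commit hash that the v0.33 tag resolves to>`. `LUAJIT_VERSION` also goes backwards from v2.1-20240314 to v2.1-20231117.1, and `export NGINX_VERSION=1.25.5` survives as hunk context while every patch in this commit is named for 1.25.3; a one-line comment stating that both are deliberate alignments with the OpenResty bundle would keep a later reader from treating them as regressions.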
@@ -0,0 +1,40 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 013b7158e..a7a3ee5b0 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,26 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ goto done;
+ }
+ 
++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
++ 
++#if (defined TLS1_3_VERSION \
++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++ /*
++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++ * but servername being negotiated in every TLSv1.3 handshake
++ * is only returned in OpenSSL 1.1.1+ as well
++ */
++ if (sscf->verify) {
++ const char *hostname;
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
++ }
++ }
++#endif
++ 
+ hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (hc->ssl_servername == NULL) {
+ goto error;
+@@ -922,8 +942,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+ ngx_set_connection_log(c, clcf->error_log);
+ 
+- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+ c->ssl->buffer_size = sscf->buffer_size;
+ 
+ if (sscf->ssl.ctx) {
diff --git a/images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch b/images/nginx/rootfs/patches/29_nginx-1.25.3-upstream_timeout_fields.patch
similarity index 100%
rename from images/nginx/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch
rename to images/nginx/rootfs/patches/29_nginx-1.25.3-upstream_timeout_fields.patch
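Review bot: The new patch file has no provenance header, so nothing in the repository ties its two hunks to the upstream nginx change for CVE-2025-23419, while the sibling `33_nginx-1.25.3-proc_exit_handler.patch` added in this same commit does open with `commit …`, `Author:` and `Date:` lines. Prefixing the file with the upstream commit line and a one-sentence description, e.g. `commit <upstream nginx commit id>` followed by `    CVE-2025-23419: reject a resumed TLS 1.3 session whose stored hostname differs from the SNI now presented when client certificate verification is on`, lets a reviewer diff it against upstream and lets the next version bump decide when the patch can be dropped. The code itself is upstream's and I would not touch it; note only that it moves the `sscf` lookup from `hc->conf_ctx` (removed in the second hunk) to `cscf->ctx` (added in the first), and whether those two contexts are the same object at that point in `ngx_http_ssl_servername` is decided by lines outside this file.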
diff --git a/images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch b/images/nginx/rootfs/patches/30_nginx-1.25.3-safe_resolver_ipv6_option.patch
similarity index 100%
rename from images/nginx/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch
rename to images/nginx/rootfs/patches/30_nginx-1.25.3-safe_resolver_ipv6_option.patch
diff --git a/images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch b/images/nginx/rootfs/patches/31_nginx-1.25.3-socket_cloexec.patch
similarity index 100%
rename from images/nginx/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch
rename to images/nginx/rootfs/patches/31_nginx-1.25.3-socket_cloexec.patch
diff --git a/images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch b/images/nginx/rootfs/patches/32_nginx-1.25.3-reuseport_close_unused_fds.patch
similarity index 100%
rename from images/nginx/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch
rename to images/nginx/rootfs/patches/32_nginx-1.25.3-reuseport_close_unused_fds.patch
diff --git a/images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch b/images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch
new file mode 100644
index 0000000000..4f04afd5fa
--- /dev/null
+++ b/images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch
@@ -0,0 +1,81 @@
+commit 29cafd35fb2b7cff759fb4c9b84fa4600875321f
+Author: lijunlong
+Date: Sun Apr 11 14:34:47 2021 +0800
+ 
+ feature: added a process exit callback point.
+ 
+diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
+index d7479fa4..c421e43c 100644
+--- a/src/core/ngx_cycle.c
++++ b/src/core/ngx_cycle.c
+@@ -255,6 +255,7 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
+ }
+ 
+ 
++ ngx_proc_exit_top_handler = ngx_proc_exit_def_handler;
+ conf.ctx = cycle->conf_ctx;
+ conf.cycle = cycle;
+ conf.pool = pool;
+diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
+index 15680237..9d2e81c5 100644
+--- a/src/os/unix/ngx_process.c
++++ b/src/os/unix/ngx_process.c
+@@ -34,6 +34,7 @@ ngx_int_t ngx_process_slot;
+ ngx_socket_t ngx_channel;
+ ngx_int_t ngx_last_process;
+ ngx_process_t ngx_processes[NGX_MAX_PROCESSES];
++ngx_proc_exit_pt ngx_proc_exit_top_handler;
+ 
+ 
+ ngx_signal_t signals[] = {
+@@ -83,6 +84,13 @@ ngx_signal_t signals[] = {
+ };
+ 
+ 
++void
++ngx_proc_exit_def_handler(ngx_pid_t pid)
++{
++ /* do nothing */
++}
++ 
++ 
+ ngx_pid_t
+ ngx_spawn_process(ngx_cycle_t *cycle, ngx_spawn_proc_pt proc, void *data,
+ char *name, ngx_int_t respawn)
+@@ -557,6 +565,7 @@ ngx_process_get_status(void)
+ }
+ 
+ ngx_unlock_mutexes(pid);
++ ngx_proc_exit_top_handler(pid);
+ }
+ }
+ 
+diff --git a/src/os/unix/ngx_process.h b/src/os/unix/ngx_process.h
+index 3986639b..c5972541 100644
+--- a/src/os/unix/ngx_process.h
++++ b/src/os/unix/ngx_process.h
+@@ -18,6 +18,8 @@ typedef pid_t ngx_pid_t;
+ #define NGX_INVALID_PID -1
+ 
+ typedef void (*ngx_spawn_proc_pt) (ngx_cycle_t *cycle, void *data);
++#define NGX_HAVE_PROC_EXIT 1
++typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid);
+ 
+ typedef struct {
+ ngx_pid_t pid;
+@@ -66,6 +67,7 @@ ngx_pid_t ngx_spawn_process(ngx_cycle_t *cycle,
+ ngx_pid_t ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx);
+ ngx_int_t ngx_init_signals(ngx_log_t *log);
+ void ngx_debug_point(void);
++void ngx_proc_exit_def_handler(ngx_pid_t pid);
+ 
+ 
+ #if (NGX_HAVE_SCHED_YIELD)
+@@ -85,6 +87,7 @@ extern ngx_socket_t ngx_channel;
+ extern ngx_int_t ngx_process_slot;
+ extern ngx_int_t ngx_last_process;
+ extern ngx_process_t ngx_processes[NGX_MAX_PROCESSES];
++extern ngx_proc_exit_pt ngx_proc_exit_top_handler;
+ 
+ 
+ #endif /* _NGX_PROCESS_H_INCLUDED_ */
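Review bot: The `ngx_proc_exit_top_handler(pid)` call added inside `ngx_process_get_status` runs in whatever context that function is entered from, and in stock nginx that includes the SIGCHLD branch of `ngx_signal_handler` (not shown in this hunk), so a registered callback would execute inside a signal handler; the new `typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid);` in ngx_process.h says nothing about that constraint. The `ngx_init_cycle` hunk also resets the pointer to `ngx_proc_exit_def_handler` on every cycle initialisation, which presumably means a module has to install its handler again after each reload, and the pointer is null until that assignment has run. As this is a vendored OpenResty patch I would leave its code alone, but a comment above the typedef stating that the handler is invoked from `ngx_process_get_status()` for each reaped child, may run in signal context and therefore must be async-signal-safe, and is reset to the default by `ngx_init_cycle()`, would give module authors the contract they need.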