diff --git a/nginx-1.4.2-passenger-4.0.18.patch b/nginx-1.4.2-passenger-4.0.18.patch deleted file mode 100644 index c4b6410..0000000 --- a/nginx-1.4.2-passenger-4.0.18.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -Index: passenger/build/common_library.rb -=================================================================== ---- passenger.orig/build/common_library.rb -+++ passenger/build/common_library.rb -@@ -34,7 +34,7 @@ require 'phusion_passenger/common_librar - # Defines tasks for compiling a static library containing Boost and OXT. - def define_libboost_oxt_task(namespace, output_dir, extra_compiler_flags = nil) - output_file = "#{output_dir}.a" -- flags = "-Iext #{extra_compiler_flags} #{PlatformInfo.portability_cflags} #{EXTRA_CXXFLAGS}" -+ flags = "-Iext #{extra_compiler_flags} #{PlatformInfo.portability_cflags} #{EXTRA_CXXFLAGS} -fPIC #{ENV['RPM_OPT_FLAGS']} " - - if false && boolean_option('RELEASE') - # Disable RELEASE support. Passenger Standalone wants to link to the -@@ -126,7 +126,7 @@ if USE_VENDORED_LIBEV - ] - file LIBEV_OUTPUT_DIR + "Makefile" => dependencies do - # Disable all warnings: http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#COMPILER_WARNINGS -- cflags = "#{EXTRA_CXXFLAGS} -w" -+ cflags = "#{EXTRA_CXXFLAGS} #{ENV['RPM_OPT_FLAGS']} -w" - sh "mkdir -p #{LIBEV_OUTPUT_DIR}" if !File.directory?(LIBEV_OUTPUT_DIR) - sh "cd #{LIBEV_OUTPUT_DIR} && sh #{LIBEV_SOURCE_DIR}configure " + - "--disable-shared --enable-static CFLAGS='#{cflags}' orig_CFLAGS=1" -@@ -174,7 +174,7 @@ if USE_VENDORED_LIBEIO - file LIBEIO_OUTPUT_DIR + "Makefile" => dependencies do - # Disable all warnings. 
The author has a clear standpoint on that: - # http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#COMPILER_WARNINGS -- cflags = "#{EXTRA_CXXFLAGS} -w" -+ cflags = "#{EXTRA_CXXFLAGS} #{ENV['RPM_OPT_FLAGS']} -w" - sh "mkdir -p #{LIBEIO_OUTPUT_DIR}" if !File.directory?(LIBEIO_OUTPUT_DIR) - sh "cd #{LIBEIO_OUTPUT_DIR} && sh #{LIBEIO_SOURCE_DIR}configure " + - "--disable-shared --enable-static CFLAGS='#{cflags}'" -@@ -183,6 +183,7 @@ if USE_VENDORED_LIBEIO - libeio_sources = Dir["ext/libeio/{*.c,*.h}"] - file LIBEIO_OUTPUT_DIR + ".libs/libeio.a" => [LIBEIO_OUTPUT_DIR + "Makefile"] + libeio_sources do - sh "rm -f #{LIBEIO_OUTPUT_DIR}/libeio.la" -+ sh "cd #{LIBEIO_OUTPUT_DIR} && make eio.o" - sh "cd #{LIBEIO_OUTPUT_DIR} && make libeio.la" - end - -Index: passenger/ext/boost/libs/thread/src/pthread/thread.cpp -=================================================================== ---- passenger.orig/ext/boost/libs/thread/src/pthread/thread.cpp -+++ passenger/ext/boost/libs/thread/src/pthread/thread.cpp -@@ -376,6 +376,7 @@ namespace boost - boost::throw_exception(thread_resource_error(system::errc::invalid_argument, "boost thread: thread not joinable")); - #endif - } -+ return false; - } - - bool thread::joinable() const BOOST_NOEXCEPT -Index: passenger/ext/nginx/StaticContentHandler.c -=================================================================== ---- passenger.orig/ext/nginx/StaticContentHandler.c -+++ passenger/ext/nginx/StaticContentHandler.c -@@ -67,13 +67,6 @@ passenger_static_content_handler(ngx_htt - return NGX_DECLINED; - } - -- #if (PASSENGER_NGINX_MINOR_VERSION == 8 && PASSENGER_NGINX_MICRO_VERSION < 38) || \ -- (PASSENGER_NGINX_MINOR_VERSION == 7 && PASSENGER_NGINX_MICRO_VERSION < 66) -- if (r->zero_in_uri) { -- return NGX_DECLINED; -- } -- #endif -- - log = r->connection->log; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, log, 0, -Index: passenger/lib/phusion_passenger/common_library.rb -=================================================================== ---- 
passenger.orig/lib/phusion_passenger/common_library.rb -+++ passenger/lib/phusion_passenger/common_library.rb -@@ -101,7 +101,7 @@ class CommonLibraryBuilder - end - - def define_tasks(extra_compiler_flags = nil) -- flags = "-Iext -Iext/common #{LIBEV_CFLAGS} #{extra_compiler_flags} " -+ flags = "-Iext -Iext/common #{LIBEV_CFLAGS} #{extra_compiler_flags} -fPIC #{ENV['RPM_OPT_FLAGS']} " - flags << "#{PlatformInfo.portability_cflags} #{EXTRA_CXXFLAGS}" - flags.strip! - diff --git a/nginx-1.8.0-passenger-4.0.18.patch b/nginx-1.8.0-passenger-4.0.18.patch deleted file mode 100644 index c97ce0f..0000000 --- a/nginx-1.8.0-passenger-4.0.18.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -Index: passenger/ext/nginx/Configuration.c -=================================================================== ---- passenger.orig/ext/nginx/Configuration.c 2015-06-24 23:29:12.725985654 +0800 -+++ passenger/ext/nginx/Configuration.c 2015-06-24 23:02:39.654901783 +0800 -@@ -261,7 +261,11 @@ - conf->upstream_config.pass_request_body = NGX_CONF_UNSET; - - #if (NGX_HTTP_CACHE) -- conf->upstream_config.cache = NGX_CONF_UNSET_PTR; -+ #if NGINX_VERSION_NUM >= 1007009 -+ conf->upstream_config.cache = NGX_CONF_UNSET_PTR; -+ #else -+ conf->upstream_config.cache = NGX_CONF_UNSET; -+ #endif - conf->upstream_config.cache_min_uses = NGX_CONF_UNSET_UINT; - conf->upstream_config.cache_bypass = NGX_CONF_UNSET_PTR; - conf->upstream_config.no_cache = NGX_CONF_UNSET_PTR; -@@ -270,6 +274,9 @@ - conf->upstream_config.cache_lock = NGX_CONF_UNSET; - conf->upstream_config.cache_lock_timeout = NGX_CONF_UNSET_MSEC; - #endif -+ #if NGINX_VERSION_NUM >= 1007008 -+ conf->upstream_config.cache_lock_age = NGX_CONF_UNSET_MSEC; -+ #endif - #endif - - conf->upstream_config.intercept_errors = NGX_CONF_UNSET; -@@ -374,15 +381,34 @@ - /******************************/ - /******************************/ - -- if (conf->upstream_config.store != 0) { -- ngx_conf_merge_value(conf->upstream_config.store, -- prev->upstream_config.store, 0); -+ #if (NGX_HTTP_CACHE) && NGINX_VERSION_NUM >= 1007009 -+ if (conf->upstream_config.store > 0) { -+ conf->upstream_config.cache = 0; -+ } -+ if (conf->upstream_config.cache > 0) { -+ conf->upstream_config.store = 0; -+ } -+ #endif -+ -+ #if NGINX_VERSION_NUM >= 1007009 -+ if (conf->upstream_config.store == NGX_CONF_UNSET) { -+ ngx_conf_merge_value(conf->upstream_config.store, -+ prev->upstream_config.store, 0); - -- if (conf->upstream_config.store_lengths == NULL) { - conf->upstream_config.store_lengths = prev->upstream_config.store_lengths; - conf->upstream_config.store_values = prev->upstream_config.store_values; - } -- } -+ #else -+ if 
(conf->upstream_config.store != 0) { -+ ngx_conf_merge_value(conf->upstream_config.store, -+ prev->upstream_config.store, 0); -+ -+ if (conf->upstream_config.store_lengths == NULL) { -+ conf->upstream_config.store_lengths = prev->upstream_config.store_lengths; -+ conf->upstream_config.store_values = prev->upstream_config.store_values; -+ } -+ } -+ #endif - - ngx_conf_merge_uint_value(conf->upstream_config.store_access, - prev->upstream_config.store_access, 0600); -@@ -526,20 +552,42 @@ - - #if (NGX_HTTP_CACHE) - -- ngx_conf_merge_ptr_value(conf->upstream_config.cache, -- prev->upstream_config.cache, NULL); -+ #if NGINX_VERSION_NUM >= 1007009 -+ if (conf->upstream_config.cache == NGX_CONF_UNSET) { -+ ngx_conf_merge_value(conf->upstream_config.cache, -+ prev->upstream_config.cache, 0); -+ -+ conf->upstream_config.cache_zone = prev->upstream_config.cache_zone; -+ conf->upstream_config.cache_value = prev->upstream_config.cache_value; -+ } - -- if (conf->upstream_config.cache && conf->upstream_config.cache->data == NULL) { -- ngx_shm_zone_t *shm_zone; -+ if (conf->upstream_config.cache_zone && conf->upstream_config.cache_zone->data == NULL) { -+ ngx_shm_zone_t *shm_zone; - -- shm_zone = conf->upstream_config.cache; -+ shm_zone = conf->upstream_config.cache_zone; - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -- "\"scgi_cache\" zone \"%V\" is unknown", -- &shm_zone->shm.name); -+ "\"scgi_cache\" zone \"%V\" is unknown", -+ &shm_zone->shm.name); - -- return NGX_CONF_ERROR; -- } -+ return NGX_CONF_ERROR; -+ } -+ #else -+ ngx_conf_merge_ptr_value(conf->upstream_config.cache, -+ prev->upstream_config.cache, NULL); -+ -+ if (conf->upstream_config.cache && conf->upstream_config.cache->data == NULL) { -+ ngx_shm_zone_t *shm_zone; -+ -+ shm_zone = conf->upstream_config.cache; -+ -+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, -+ "\"scgi_cache\" zone \"%V\" is unknown", -+ &shm_zone->shm.name); -+ -+ return NGX_CONF_ERROR; -+ } -+ #endif - - 
ngx_conf_merge_uint_value(conf->upstream_config.cache_min_uses, - prev->upstream_config.cache_min_uses, 1); -@@ -585,6 +633,11 @@ - prev->upstream_config.cache_lock_timeout, 5000); - #endif - -+ #if NGINX_VERSION_NUM >= 1007008 -+ ngx_conf_merge_msec_value(conf->upstream_config.cache_lock_age, -+ prev->upstream_config.cache_lock_age, 5000); -+ #endif -+ - #endif - - ngx_conf_merge_value(conf->upstream_config.pass_request_headers, diff --git a/nginx-1.8.0.tar.gz b/nginx-1.8.0.tar.gz deleted file mode 100644 index 8288adf..0000000 --- a/nginx-1.8.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:23cca1239990c818d8f6da118320c4979aadf5386deda691b1b7c2c96b9df3d5 -size 832104 diff --git a/nginx-1.8.1.tar.gz b/nginx-1.8.1.tar.gz new file mode 100644 index 0000000..904d138 --- /dev/null +++ b/nginx-1.8.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8f4b3c630966c044ec72715754334d1fdf741caa1d5795fb4646c27d09f797b7 +size 833473 diff --git a/nginx.changes b/nginx.changes index a51a51f..b509558 100644 --- a/nginx.changes +++ b/nginx.changes 
@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Thu Jan 28 01:36:01 UTC 2016 - i@marguerite.su
+
+- update version 1.8.1 stable
+ * Security: invalid pointer dereference might occur during DNS server
+ response processing if the "resolver" directive was used, allowing an
+ attacker who is able to forge UDP packets from the DNS server to
+ cause segmentation fault in a worker process (CVE-2016-0742). boo#963781
+ * Security: use-after-free condition might occur during CNAME response
+ processing if the "resolver" directive was used, allowing an attacker
+ who is able to trigger name resolution to cause segmentation fault in
+ a worker process, or might have potential other impact
+ (CVE-2016-0746). boo#963778
+ * Security: CNAME resolution was insufficiently limited if the
+ "resolver" directive was used, allowing an attacker who is able to
+ trigger arbitrary name resolution to cause excessive resource
+ consumption in worker processes (CVE-2016-0747). boo#963775
+ * Bugfix: the "proxy_protocol" parameter of the "listen" directive did
+ not work if not specified in the first "listen" directive for a
+ listen socket.
+ * Bugfix: nginx might fail to start on some old Linux variants; the bug
+ had appeared in 1.7.11.
+ * Bugfix: a segmentation fault might occur in a worker process if the
+ "try_files" and "alias" directives were used inside a location given
+ by a regular expression; the bug had appeared in 1.7.1.
+ * Bugfix: the "try_files" directive inside a nested location given by a
+ regular expression worked incorrectly if the "alias" directive was
+ used in the outer location.
+ * Bugfix: "header already sent" alerts might appear in logs when using
+ cache; the bug had appeared in 1.7.5.
+ * Bugfix: a segmentation fault might occur in a worker process if
+ different ssl_session_cache settings were used in different virtual
+ servers.
+ * Bugfix: the "expires" directive might not work when using variables.
+ * Bugfix: if nginx was built with the ngx_http_spdy_module it was + possible to use the SPDY protocol even if the "spdy" parameter of the + "listen" directive was not specified. + +------------------------------------------------------------------- +Fri Oct 16 15:17:30 UTC 2015 - mrueckert@suse.de + +- use libGeoIP-devel everywhere + +------------------------------------------------------------------- +Fri Oct 16 15:08:28 UTC 2015 - mrueckert@suse.de + +- replace custom "kill -QUIT" with the kill signal setting in + the service file + +------------------------------------------------------------------- +Fri Oct 16 15:01:17 UTC 2015 - mrueckert@suse.de + +- clean up conditionals and use bcond_with* everywhere +- drop passenger support for now + * drop nginx-1.8.0-passenger-4.0.18.patch + * drop nginx-1.4.2-passenger-4.0.18.patch + ------------------------------------------------------------------- Thu Jun 11 14:55:50 UTC 2015 - i@marguerite.su diff --git a/nginx.service b/nginx.service index ee6679d..579d7df 100644 --- a/nginx.service +++ b/nginx.service @@ -3,11 +3,14 @@ Description=The nginx HTTP and reverse proxy server After=network.target remote-fs.target nss-lookup.target [Service] +PIDFile=/run/nginx.pid ExecStartPre=/usr/sbin/nginx -t ExecStart=/usr/sbin/nginx -g "daemon off;" ExecReload=/bin/kill -s HUP $MAINPID -ExecStop=/bin/kill -s QUIT $MAINPID +KillSignal=SIGQUIT +TimeoutStopSec=5 +KillMode=mixed PrivateTmp=true [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/nginx.spec b/nginx.spec index fa02b49..5e1dd17 100644 --- a/nginx.spec +++ b/nginx.spec @@ -1,7 +1,7 @@ # # spec file for package nginx # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
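Review bot: `TimeoutStopSec=5` in the `[Service]` section of nginx.service gives nginx only five seconds to finish the graceful shutdown that `KillSignal=SIGQUIT` asks for. With `KillMode=mixed`, every process still in the unit's control group is then sent SIGKILL, so requests that take longer to drain are cut off on each stop or restart. Either drop the line and rely on the manager's default stop timeout, or pick a value sized to the longest request the server is expected to finish, and say so in a comment such as `# graceful QUIT gets this long before workers are killed`. The added `PIDFile=/run/nginx.pid` also duplicates the path that nginx.spec defines as `ngx_pid_path`; a comment `# must match ngx_pid_path in nginx.spec` would keep the two from drifting apart.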
@@ -16,6 +16,28 @@ # +%bcond_with cpp_test +%bcond_with google_perftools +%bcond_without fancyindex + +%if 0%{?suse_version} != 1315 +%bcond_without libatomic +%else +%bcond_with libatomic +%endif + +%if 0%{?suse_version} > 1220 +%bcond_without http2 +%else +%bcond_with http2 +%endif + +%if 0%{?suse_version} >= 1210 +%bcond_without systemd +%else +%bcond_with systemd +%endif + %define pkg_name nginx %define ngx_prefix %{_prefix} %define ngx_sbin_path %{_sbindir}/nginx @@ -31,36 +53,19 @@ %define ngx_tmp_scgi %{ngx_home}/scgi/ %define ngx_tmp_uwsgi %{ngx_home}/uwsgi/ %define ngx_user_group nginx -%define with_cpp_test 0 -%define with_google_perftools 0 -%define with_fancyindex 1 -%define fancyindex_version 0.3.5 -%if 0%{?suse_version} <= 1310 +# +%if %{with systemd} +%define ngx_pid_path /run/nginx.pid +%define ngx_lock_path /run/nginx.lock +%else %define ngx_pid_path %{_localstatedir}/run/nginx.pid %define ngx_lock_path %{_localstatedir}/run/nginx.lock -%else -%define ngx_pid_path /run/nginx.pid -%define ngx_lock_path /run/nginx.lock -%endif -%if 0%{?suse_version} != 1315 -%define with_libatomic 1 -%endif -%if 0%{?suse_version} >= 1220 -# passenger is required by webyast -%if 0%{?suse_version} > 1310 -%define with_passenger 0 -%else -%define with_passenger 1 -%endif -%endif -%if 0%{?suse_version} >= 1210 -%define with_systemd 1 -BuildRequires: systemd -%{?systemd_requires} %endif +# Name: nginx -Version: 1.8.0 +Version: 1.8.1 Release: 0 +%define fancyindex_version 0.3.5 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause Group: Productivity/Networking/Web/Proxy 
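Review bot: The `http2` build conditional added at the top of nginx.spec does not control HTTP/2. Its only use in this diff is in the configure hunk (`@@ -181,13 +167,13 @@`), where `%if %{with http2}` guards `--with-http_spdy_module`. A packager auditing which protocols a build exposes would not expect `--without http2` to be the switch that removes SPDY, and the name will clash once a real HTTP/2 option is needed. Name it after what it gates, `%bcond_without spdy` / `%bcond_with spdy` here and `%if %{with spdy}` at the use site, or at least add `# http2: currently only toggles --with-http_spdy_module` above the definition.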
@@ -91,35 +96,28 @@ BuildRequires: pcre-devel BuildRequires: pkgconfig BuildRequires: zlib-devel %requires_eq perl -Requires(pre): %fillup_prereq +Requires(pre): %fillup_prereq Requires(pre): %insserv_prereq Requires(pre): pwdutils Recommends: logrotate -Conflicts: otherproviders(nginx) +Conflicts: otherproviders(nginx) Provides: http_daemon Provides: httpd BuildRoot: %{_tmppath}/%{name}-%{version}-build -%if 0%{?suse_version} == 1310 -Patch7: nginx-1.4.2-passenger-4.0.18.patch -Patch8: nginx-1.8.0-passenger-4.0.18.patch -%endif -%if 0%{?suse_version} <= 1310 -BuildRequires: GeoIP-devel -%else +# BuildRequires: libGeoIP-devel -%endif -%if 0%{?with_google_perftools} +# +%if %{with google_perftools} BuildRequires: google-perftools-devel %endif -%if 0%{?with_libatomic} +# +%if %{with libatomic} BuildRequires: libatomic-ops-devel %endif -%if 0%{?with_passenger} -BuildRequires: curl-devel -BuildRequires: ruby-devel -BuildRequires: rubygem-passenger -BuildRequires: rubygem-passenger-devel-static -Recommends: packageand(rubygem-passenger:rubygem-passenger-nginx) +# +%if %{with systemd} +BuildRequires: systemd +%{?systemd_requires} %endif %description @@ -127,7 +125,7 @@ nginx [engine x] is a HTTP server and IMAP/POP3 proxy server written by Igor Sys It has been running on many heavily loaded Russian sites for more than two years. %prep -%if 0%{?with_fancyindex} +%if %{with fancyindex} %setup -q -n %{pkg_name}-%{version} -b4 %else %setup -q -n %{pkg_name}-%{version} 
@@ -141,26 +139,14 @@ It has been running on many heavily loaded Russian sites for more than two years perl -pi -e 's|\r\n|\n|g' contrib/geo2nginx.pl -%if 0%{?with_passenger} -cp -a %{_libdir}/ruby/gems/%{rb_ver}/gems/passenger-* passenger -%if 0%{?suse_version} < 1310 -if [[ -f "passenger/ext/common/libpassenger_common.a" ]] || \ - [[ -f "passenger/ext/common/libboost_oxt.a" ]]; then - rm -r passenger/ext/common/libboost_oxt* passenger/ext/common/libpassenger_common* -fi -%endif -%patch7 -%patch8 -%endif - -%if 0%{with_fancyindex} +%if %{with fancyindex} mkdir -p ngx-fancyindex-%{fancyindex_version} pushd ../ngx-fancyindex-%{fancyindex_version} cp -r template* LICENSE *.rst $RPM_BUILD_DIR/%{pkg_name}-%{version}/ngx-fancyindex-%{fancyindex_version}/ popd %endif -%if 0%{?suse_version} > 1310 +%if %{with systemd} sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init %endif @@ -181,13 +167,13 @@ sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init --user=nginx --group=nginx \ --without-select_module \ --without-poll_module \ - --with-file-aio \ --with-threads \ + --with-file-aio \ --with-ipv6 \ --with-http_ssl_module \ -%if 0%{?suse_version} > 1220 + %if %{with http2} --with-http_spdy_module \ -%endif + %endif --with-http_realip_module \ --with-http_addition_module \ --with-http_xslt_module \ @@ -209,19 +195,16 @@ sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init --with-mail \ --with-mail_ssl_module \ --with-pcre \ - %if 0%{?with_libatomic} + %if %{with libatomic} --with-libatomic \ %endif - %if 0%{?with_passenger} - --add-module=passenger/ext/nginx \ - %endif - %if 0%{?with_google_perftools} + %if %{with google_perftools} --with-google_perftools_module \ %endif - %if 0%{?with_cpp_test} + %if %{with cpp_test} --with-cpp_test_module \ %endif - %if 0%{with_fancyindex} + %if %{with fancyindex} --add-module=../ngx-fancyindex-%{fancyindex_version} \ %endif --with-md5=%{_prefix} \ 
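Review bot: In the `%prep` hunk the `sed -i "s/\/var\/run/\/run/" %{_sourcedir}/nginx.init` step is now guarded by `%if %{with systemd}`. The `%install` and `%files` hunks of this diff ship the init script only in the `%else` (non-systemd) branch, so the rewrite appears to run exactly when its result is never packaged. It also edits a file under `%{_sourcedir}` in place, which alters the package's own sources during a build and makes the outcome depend on earlier runs. If the init script is no longer needed on systemd targets, delete the three lines `%if %{with systemd}` / `sed -i ...` / `%endif`. If a path rewrite is still wanted somewhere, apply it to the installed copy under `%{buildroot}` instead of the source directory.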
@@ -242,7 +225,7 @@ install -d -m 0750 %{buildroot}%{ngx_home}/{,tmp,proxy,fastcgi,scgi,uwsgi} install -D -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/%{pkg_name} -%if 0%{?with_systemd} +%if %{with systemd} install -D -m 0644 %{SOURCE3} %{buildroot}%{_unitdir}/nginx.service ln -s -f %{_sbindir}/service %{buildroot}%{_sbindir}/rcnginx %else @@ -253,21 +236,21 @@ ln -s -f %{_sysconfdir}/init.d/%{pkg_name} %{buildroot}%{_sbindir}/rc%{pkg_name} rm %{buildroot}/srv/www/htdocs/index.html %post -%if 0%{?with_systemd} +%if %{with systemd} %service_add_post nginx.service %else %fillup_and_insserv %{pkg_name} %endif %preun -%if 0%{?with_systemd} +%if %{with systemd} %service_del_preun nginx.service %else %stop_on_removal %{pkg_name} %endif %postun -%if 0%{?with_systemd} +%if %{with systemd} %service_del_postun nginx.service %else %restart_on_update %{pkg_name} @@ -278,7 +261,7 @@ rm %{buildroot}/srv/www/htdocs/index.html %{_sbindir}/groupadd -r %{ngx_user_group} &>/dev/null ||: %{_sbindir}/useradd -g %{ngx_user_group} -s /bin/false -r -c "user for %{ngx_user_group}" -d %{ngx_home} %{ngx_user_group} &>/dev/null ||: -%if 0%{?with_systemd} +%if %{with systemd} %service_add_pre nginx.service %endif @@ -319,10 +302,10 @@ rm %{buildroot}/srv/www/htdocs/index.html %dir %attr(750,%{ngx_user_group},%{ngx_user_group}) %{ngx_tmp_uwsgi} %doc CHANGES* %doc conf/ contrib/ -%if 0%{with_fancyindex} +%if %{with fancyindex} %doc ngx-fancyindex-%{fancyindex_version}/ %endif -%if 0%{?with_systemd} +%if %{with systemd} %{_unitdir}/nginx.service %else %{_sysconfdir}/init.d/%{pkg_name}