diff options
author | Joe Slater <joe.slater@windriver.com> | 2021-08-19 14:25:18 -0700 |
---|---|---|
committer | Armin Kuster <akuster@mvista.com> | 2021-08-21 12:16:49 -0700 |
commit | 4a0d93d250576177e1237fa559f55c4f9d371809 (patch) | |
tree | 677c48699a21753105b178268ba9e2c4643047c2 | |
parent | a64eec177151a7076a2fd6937e4abdb8e2264a59 (diff) | |
download | meta-openembedded-4a0d93d250576177e1237fa559f55c4f9d371809.tar.gz |
nginx: fix CVE-2021-3618
Source: meta-openembedded.ort
MR: 112731
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/nginx?id=f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5
ChangeID: dd3295b606d73e01dd09291d85d529dea17a1a9e
Description:
Backport with no change a patch from version 1.21.0. This patch
was not cherry-picked by nginx to version 1.20.1.
Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f92dbcc4c2723e6ff4e308c8a2e6dc228a6cd7d5)
[refesh patch for Dunfell context]
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch | 89 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/nginx/nginx.inc | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch new file mode 100644 index 0000000000..3fab8bac6c --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch @@ -0,0 +1,89 @@ +From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Wed, 19 May 2021 03:13:31 +0300 +Subject: [PATCH 1/1] Mail: max_errors directive. + +Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands +in Exim, specifies the number of errors after which the connection is closed. +Index: nginx-1.16.1/src/mail/ngx_mail.h +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail.h ++++ nginx-1.16.1/src/mail/ngx_mail.h +@@ -113,6 +113,8 @@ typedef struct { + ngx_msec_t timeout; + ngx_msec_t resolver_timeout; + ++ ngx_uint_t max_errors; ++ + ngx_str_t server_name; + + u_char *file_name; +@@ -225,6 +227,7 @@ typedef struct { + ngx_uint_t command; + ngx_array_t args; + ++ ngx_uint_t errors; + ngx_uint_t login_attempt; + + /* used to parse POP3/IMAP/SMTP command */ +Index: nginx-1.16.1/src/mail/ngx_mail_core_module.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_core_module.c ++++ nginx-1.16.1/src/mail/ngx_mail_core_module.c +@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_comm + offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), + NULL }, + ++ { ngx_string("max_errors"), ++ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_num_slot, ++ NGX_MAIL_SRV_CONF_OFFSET, ++ offsetof(ngx_mail_core_srv_conf_t, max_errors), ++ NULL }, ++ + ngx_null_command + }; + +@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t + cscf->timeout = NGX_CONF_UNSET_MSEC; + cscf->resolver_timeout = NGX_CONF_UNSET_MSEC; + ++ cscf->max_errors = NGX_CONF_UNSET_UINT; ++ + cscf->resolver = NGX_CONF_UNSET_PTR; + + cscf->file_name = cf->conf_file->file.name.data; +@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t + ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, + 30000); + ++ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); + + ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); + +Index: nginx-1.16.1/src/mail/ngx_mail_handler.c +=================================================================== +--- nginx-1.16.1.orig/src/mail/ngx_mail_handler.c ++++ nginx-1.16.1/src/mail/ngx_mail_handler.c +@@ -753,7 +753,20 @@ ngx_mail_read_command(ngx_mail_session_t + return NGX_MAIL_PARSE_INVALID_COMMAND; + } + +- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { ++ ++ s->errors++; ++ ++ if (s->errors >= cscf->max_errors) { ++ ngx_log_error(NGX_LOG_INFO, c->log, 0, ++ "client sent too many invalid commands"); ++ s->quit = 1; ++ } ++ ++ return rc; ++ } ++ ++ if (rc == NGX_IMAP_NEXT) { + return rc; + } + diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index a4583ed8f8..903a62b3d7 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -23,6 +23,7 @@ SRC_URI = " \ file://nginx.service \ file://nginx-fix-pidfile.patch \ file://CVE-2021-23017.patch \ + file://CVE-2021-3618.patch \ " inherit siteinfo update-rc.d useradd systemd |