upg lighttpd nginx

2023-10-12 13:12:22 +03:00 · 2023-10-12 13:12:22 +03:00 · f0cb12aa03
parent 9e1bc78851
commit f0cb12aa03
6 changed files with 101 additions and 19 deletions
--- a/lighttpd/PKGBUILD
+++ b/lighttpd/PKGBUILD
@ -6,7 +6,7 @@
 #-----------------------------------------| DESCRIPTION |---------------------------------------

 pkgname=lighttpd
-pkgver=1.4.71
+pkgver=1.4.72
 pkgrel=01
 pkgdesc='A secure, fast, compliant and very flexible web-server w/o systemd'
 url="https://www.lighttpd.net/"
@ -76,10 +76,10 @@ validpgpkeys=('C7CA1E9E29DC77F5480894B2E0E7D0171E95BAD7'
              '649D0DD767FF206202A76C5158F14A786FE198C8'
              'EAAF41A8BE3BB8D001CACD136DE62CA242909B84')

-sha256sums=(b8b6915da20396fdc354df3324d5e440169b2e5ea7859e3a775213841325afac  # lighttpd-1.4.71.tar.xz
-	686a78f6f1ec7fc759d4864c9ca1e41addd96645047f8b6b9f5f7cf9405e45f7  # lighttpd-1.4.71.tar.xz.asc
+sha256sums=(f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec  # lighttpd-1.4.72.tar.xz
+	a4bba500e8665ffad599e0362627efff5791122772af42b85e4903fc349356aa  # lighttpd-1.4.72.tar.xz.asc
 	41f6c0042bb61021553779f861910e335834f6c15e4411756cdc6233b31076fe  # lighttpd.logrotate.d
 	fece4581bebf39768571962dedce176b2b5f487c0abb5c1cfb35395de216c01f  # lighttpd.conf
 	d8a185145a7c08b4fd8c8e6c12dae3e176389dd9b1c66e239757b2ba5108c871) # lighttpd.tmpfiles

-##  6bf02943b314c63eb41a30fa1f6eb152e963e03193e7ebeb536338129a05cbf7  lighttpd-1.4.71-01-x86_64.pkg.tar.lz
+##  c60fe1e24295ccf7a35764df281899dfde0f8f27fd52dd4e88e12bd6cbddbc14  lighttpd-1.4.72-01-x86_64.pkg.tar.lz
--- a/lighttpd/PKGBUILD-arch
+++ b/lighttpd/PKGBUILD-arch
@ -1,7 +1,7 @@
 # Maintainer: Pierre Schmitz <pierre@archlinux.de>

 pkgname=lighttpd
-pkgver=1.4.71
+pkgver=1.4.72
 pkgrel=1
 pkgdesc='A secure, fast, compliant and very flexible web-server'
 license=('custom')
@ -17,7 +17,7 @@ backup=('etc/lighttpd/lighttpd.conf' 'etc/logrotate.d/lighttpd')
 options=('emptydirs')
 source=("https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${pkgver}.tar.xz"{,.asc}
        'lighttpd.logrotate.d' 'lighttpd.conf' 'lighttpd.tmpfiles' 'lighttpd.service')
-sha256sums=('b8b6915da20396fdc354df3324d5e440169b2e5ea7859e3a775213841325afac'
+sha256sums=('f7cade4d69b754a0748c01463c33cd8b456ca9cc03bb09e85a71bcbcd54e55ec'
            'SKIP'
            '41f6c0042bb61021553779f861910e335834f6c15e4411756cdc6233b31076fe'
            'fece4581bebf39768571962dedce176b2b5f487c0abb5c1cfb35395de216c01f'
--- a/nginx/HTTP2_per-iteration-stream-handling-limit.patch
+++ b/nginx/HTTP2_per-iteration-stream-handling-limit.patch
@ -0,0 +1,71 @@
+
+# HG changeset patch
+# User Maxim Dounin <mdounin@mdounin.ru>
+# Date 1696940019 -10800
+# Node ID cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
+# Parent  3db945fda515014d220151046d02f3960bcfca0a
+HTTP/2: per-iteration stream handling limit.
+
+To ensure that attempts to flood servers with many streams are detected
+early, a limit of no more than 2 * max_concurrent_streams new streams per one
+event loop iteration was introduced.  This limit is applied even if
+max_concurrent_streams is not yet reached - for example, if corresponding
+streams are handled synchronously or reset.
+
+Further, refused streams are now limited to maximum of max_concurrent_streams
+and 100, similarly to priority_limit initial value, providing some tolerance
+to clients trying to open several streams at the connection start, yet
+low tolerance to flooding attempts.
+
+diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.c
+--- a/src/http/v2/ngx_http_v2.c	Fri Sep 22 19:23:57 2023 +0400
+++ b/src/http/v2/ngx_http_v2.c	Tue Oct 10 15:13:39 2023 +0300
+@@ -347,6 +347,7 @@
+     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
+ 
+     h2c->blocked = 1;
+    h2c->new_streams = 0;
+ 
+     if (c->close) {
+         c->close = 0;
+@@ -1284,6 +1285,14 @@
+         goto rst_stream;
+     }
+ 
+    if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent too many streams at once");
+
+        status = NGX_HTTP_V2_REFUSED_STREAM;
+        goto rst_stream;
+    }
+
+     if (!h2c->settings_ack
+         && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
+         && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
+@@ -1349,6 +1358,12 @@
+ 
+ rst_stream:
+ 
+    if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+                      "client sent too many refused streams");
+        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
+    }
+
+     if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
+     }
+diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.h
+--- a/src/http/v2/ngx_http_v2.h	Fri Sep 22 19:23:57 2023 +0400
+++ b/src/http/v2/ngx_http_v2.h	Tue Oct 10 15:13:39 2023 +0300
+@@ -131,6 +131,8 @@
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
+     ngx_uint_t                       idle;
+    ngx_uint_t                       new_streams;
+    ngx_uint_t                       refused_streams;
+     ngx_uint_t                       priority_limit;
+ 
+     size_t                           send_window;
+
--- a/nginx/PKGBUILD
+++ b/nginx/PKGBUILD
@ -7,7 +7,7 @@

 pkgname=nginx
 pkgver=1.24.0
-pkgrel=02
+pkgrel=03
 # update tests revision too
 pkgdesc="Lightweight HTTP server and IMAP/POP3 proxy server w/o systemd or ipv6"
 provides=("nginx=${pkgver}")
@ -26,10 +26,12 @@ backup=(etc/nginx/fastcgi.conf
        etc/nginx/uwsgi_params
        etc/nginx/win-utf
        etc/logrotate.d/nginx)
-install=nginx.install
+#install=nginx.install
 source=($url/download/${pkgname}-${pkgver}.tar.gz{,.asc}
-		hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
-		logrotate)
+	hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
+	logrotate
+        # https://hg.nginx.org/nginx/rev/cdda286c0f1b CVE-2023-44487
+        HTTP2_per-iteration-stream-handling-limit.patch::https://hg.nginx.org/nginx/raw-rev/cdda286c0f1b)

 _common_flags=(
  --with-compat
@ -69,6 +71,8 @@ _stable_flags=(

 prepare() {
  cp -r $pkgbase-$pkgver{,-src}
+  cd $pkgbase-$pkgver
+  patch -Np1 -i "$srcdir/HTTP2_per-iteration-stream-handling-limit.patch"
 }

 build() {
@ -155,6 +159,8 @@ validpgpkeys=(B0F4253373F8F6F510D42178520A9993A1C052F8 # Maxim Dounin <mdounin@m
 sha256sums=(77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d  # nginx-1.24.0.tar.gz
 	91ed170a5e8745fcd32eb60aefa6d60dfd572ac3e4c9bdbfc4bedd78c24f213c  # nginx-1.24.0.tar.gz.asc
 	SKIP  # nginx tests (directory)
-	06ebe161af3e761f2e2e35a67c6c0af27bf61aea7cd4ba8b28372ced5e3b3175) # logrotate
+	06ebe161af3e761f2e2e35a67c6c0af27bf61aea7cd4ba8b28372ced5e3b3175  # logrotate
+	af8e804540e808c7b07b324394ae0d782f46fe6dc67808b3bc978d01dce90b28) # HTTP2_per-iteration-stream-handling-limit.patch

-##  ad3a8638121b6aa63721eba44e6794e11587f279296f264a93a3ef5e5aae5836  nginx-1.24.0-02-x86_64.pkg.tar.lz
+
+##  d35644efcaa928a83335cd5219b8263976dd25ec3eac3f0378f644a8f8243722  nginx-1.24.0-03-x86_64.pkg.tar.lz
--- a/nginx/PKGBUILD-arch
+++ b/nginx/PKGBUILD-arch
@ -11,7 +11,7 @@ pkgbase=nginx
 pkgname=(nginx nginx-src)
 # update tests revision too
 pkgver=1.24.0
-pkgrel=2
+pkgrel=3
 arch=(x86_64)
 url='https://nginx.org'
 license=(custom)
@ -27,11 +27,12 @@ backup=(etc/nginx/fastcgi.conf
        etc/nginx/uwsgi_params
        etc/nginx/win-utf
        etc/logrotate.d/nginx)
-install=nginx.install
 source=($url/download/nginx-$pkgver.tar.gz{,.asc}
        hg+https://hg.nginx.org/nginx-tests#revision=24482e311749
        nginx.service
-        logrotate)
+        logrotate
+        # https://hg.nginx.org/nginx/rev/cdda286c0f1b CVE-2023-44487
+        HTTP2_per-iteration-stream-handling-limit.patch::https://hg.nginx.org/nginx/raw-rev/cdda286c0f1b)
 # https://nginx.org/en/pgp_keys.html
 validpgpkeys=('B0F4253373F8F6F510D42178520A9993A1C052F8' # Maxim Dounin <mdounin@mdounin.ru>
              '13C82A63B603576156E30A4EA0EA981B66B0D967') # Konstantin Pavlov <thresh@nginx.com>
@ -39,7 +40,8 @@ sha512sums=('1114e37de5664a8109c99cfb2faa1f42ff8ac63c932bcf3780d645e5ed32c0b2ac4
            'SKIP'
            'SKIP'
            'ca7d8666177d31b6c4924e9ab44ddf3d5b596b51da04d38da002830b03bd176d49354bbdd2a496617d57f44111ad59833296af87d03ffe3fca6b99327a7b4c3c'
-            '2f4dfcfa711b8bcbc5918ba635f5e430ef7132e66276261ade62bb1cba016967432c8dce7f84352cb8b07dc7c6b18f09177aa3eb92c8e358b2a106c8ca142fe9')
+            '2f4dfcfa711b8bcbc5918ba635f5e430ef7132e66276261ade62bb1cba016967432c8dce7f84352cb8b07dc7c6b18f09177aa3eb92c8e358b2a106c8ca142fe9'
+            '18b69643648119dfab45101bb9404be667aeb9d550aa3bc9706e63e7da1c2806106e9a6bbfb2d10bd57ef56b9b5b0b524059353ec30a51469b44641cb7dbd8a6')

 _common_flags=(
  --with-compat
@ -78,6 +80,8 @@ _stable_flags=(

 prepare() {
  cp -r $pkgbase-$pkgver{,-src}
+  cd $pkgbase-$pkgver
+  patch -Np1 -i "$srcdir/HTTP2_per-iteration-stream-handling-limit.patch"
 }

 build() {
--- a/nginx/time
+++ b/nginx/time
@ -1,5 +1,6 @@

-real	7m56.248s
-user	2m55.472s
-sys	0m18.013s

+real	1m14.251s
+user	1m7.433s
+sys	0m7.364s
+