NGINX: Bump to OpenResty v1.25.3.2. (#13530)

2025-06-18 12:12:51 +02:00 · 2025-06-18 12:12:51 +02:00 · d01c0757d2
commit d01c0757d2
parent 045bad6733
7 changed files with 154 additions and 34 deletions
--- a/images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch
+++ b/images/nginx/rootfs/patches/28_nginx-1.25.3-CVE-2025-23419.patch
@ -0,0 +1,40 @@
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 013b7158e..a7a3ee5b0 100644
+--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
+@@ -909,6 +909,26 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+         goto done;
+     }
+ 
+    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+#if (defined TLS1_3_VERSION                                                   \
+     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
+    /*
+     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
+     * but servername being negotiated in every TLSv1.3 handshake
+     * is only returned in OpenSSL 1.1.1+ as well
+     */
+    if (sscf->verify) {
+        const char  *hostname;
+        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
+        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
+            c->ssl->handshake_rejected = 1;
+            *ad = SSL_AD_ACCESS_DENIED;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
+    }
+#endif
+
+     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+     if (hc->ssl_servername == NULL) {
+         goto error;
+@@ -922,8 +942,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ 
+     ngx_set_connection_log(c, clcf->error_log);
+ 
+-    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+-
+     c->ssl->buffer_size = sscf->buffer_size;
+ 
+     if (sscf->ssl.ctx) {
--- a/images/nginx/rootfs/patches/29_nginx-1.25.3-upstream_timeout_fields.patch
+++ b/images/nginx/rootfs/patches/29_nginx-1.25.3-upstream_timeout_fields.patch
--- a/images/nginx/rootfs/patches/30_nginx-1.25.3-safe_resolver_ipv6_option.patch
+++ b/images/nginx/rootfs/patches/30_nginx-1.25.3-safe_resolver_ipv6_option.patch
--- a/images/nginx/rootfs/patches/31_nginx-1.25.3-socket_cloexec.patch
+++ b/images/nginx/rootfs/patches/31_nginx-1.25.3-socket_cloexec.patch
--- a/images/nginx/rootfs/patches/32_nginx-1.25.3-reuseport_close_unused_fds.patch
+++ b/images/nginx/rootfs/patches/32_nginx-1.25.3-reuseport_close_unused_fds.patch
--- a/images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch
+++ b/images/nginx/rootfs/patches/33_nginx-1.25.3-proc_exit_handler.patch
@ -0,0 +1,81 @@
+commit 29cafd35fb2b7cff759fb4c9b84fa4600875321f
+Author: lijunlong <lijunlong@openresty.com>
+Date:   Sun Apr 11 14:34:47 2021 +0800
+
+    feature: added a process exit callback point.
+
+diff --git a/src/core/ngx_cycle.c b/src/core/ngx_cycle.c
+index d7479fa4..c421e43c 100644
+--- a/src/core/ngx_cycle.c
+++ b/src/core/ngx_cycle.c
+@@ -255,6 +255,7 @@ ngx_init_cycle(ngx_cycle_t *old_cycle)
+     }
+ 
+ 
+    ngx_proc_exit_top_handler = ngx_proc_exit_def_handler;
+     conf.ctx = cycle->conf_ctx;
+     conf.cycle = cycle;
+     conf.pool = pool;
+diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c
+index 15680237..9d2e81c5 100644
+--- a/src/os/unix/ngx_process.c
+++ b/src/os/unix/ngx_process.c
+@@ -34,6 +34,7 @@ ngx_int_t        ngx_process_slot;
+ ngx_socket_t     ngx_channel;
+ ngx_int_t        ngx_last_process;
+ ngx_process_t    ngx_processes[NGX_MAX_PROCESSES];
+ngx_proc_exit_pt ngx_proc_exit_top_handler;
+ 
+ 
+ ngx_signal_t  signals[] = {
+@@ -83,6 +84,13 @@ ngx_signal_t  signals[] = {
+ };
+ 
+ 
+void
+ngx_proc_exit_def_handler(ngx_pid_t pid)
+{
+    /* do nothing */
+}
+
+
+ ngx_pid_t
+ ngx_spawn_process(ngx_cycle_t *cycle, ngx_spawn_proc_pt proc, void *data,
+     char *name, ngx_int_t respawn)
+@@ -557,6 +565,7 @@ ngx_process_get_status(void)
+         }
+ 
+         ngx_unlock_mutexes(pid);
+        ngx_proc_exit_top_handler(pid);
+     }
+ }
+ 
+diff --git a/src/os/unix/ngx_process.h b/src/os/unix/ngx_process.h
+index 3986639b..c5972541 100644
+--- a/src/os/unix/ngx_process.h
+++ b/src/os/unix/ngx_process.h
+@@ -18,6 +18,8 @@ typedef pid_t       ngx_pid_t;
+ #define NGX_INVALID_PID  -1
+ 
+ typedef void (*ngx_spawn_proc_pt) (ngx_cycle_t *cycle, void *data);
+#define NGX_HAVE_PROC_EXIT 1
+typedef void (*ngx_proc_exit_pt)(ngx_pid_t pid);
+ 
+ typedef struct {
+     ngx_pid_t           pid;
+@@ -66,6 +67,7 @@ ngx_pid_t ngx_spawn_process(ngx_cycle_t *cycle,
+ ngx_pid_t ngx_execute(ngx_cycle_t *cycle, ngx_exec_ctx_t *ctx);
+ ngx_int_t ngx_init_signals(ngx_log_t *log);
+ void ngx_debug_point(void);
+void ngx_proc_exit_def_handler(ngx_pid_t pid);
+ 
+ 
+ #if (NGX_HAVE_SCHED_YIELD)
+@@ -85,6 +87,7 @@ extern ngx_socket_t   ngx_channel;
+ extern ngx_int_t      ngx_process_slot;
+ extern ngx_int_t      ngx_last_process;
+ extern ngx_process_t  ngx_processes[NGX_MAX_PROCESSES];
+extern ngx_proc_exit_pt  ngx_proc_exit_top_handler;
+ 
+ 
+ #endif /* _NGX_PROCESS_H_INCLUDED_ */