diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 97d9c67275..f5b23525ad 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -13,7 +13,7 @@ # limitations under the License. # 0.0.0 shouldn't clobber any released builds -TAG ?= 0.91 +TAG ?= 0.92 REGISTRY ?= quay.io/kubernetes-ingress-controller ARCH ?= $(shell go env GOARCH) DOCKER ?= docker diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index abc8b2b370..8187853a2f 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -21,7 +21,7 @@ set -o pipefail export DEBIAN_FRONTEND=noninteractive -export OPENRESTY_VERSION=1.15.8.1 +export OPENRESTY_VERSION=1.15.8.2 export NGINX_DIGEST_AUTH=cd8641886c873cf543255aeda20d23e4cd603d05 export NGINX_SUBSTITUTIONS=bc58cb11844bc42735bbaef7085ea86ace46d05b export NGINX_OPENTRACING_VERSION=0.8.0 @@ -376,12 +376,6 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTE # build nginx cd "$BUILD_PATH/openresty-$OPENRESTY_VERSION" -echo "Patching NGINX for CVE-2018-16843, CVE-2018-16844, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516" -# Upstream change https://github.com/openresty/openresty/pull/515 -# TODO: remove after openresty release -cat /patches/patch.2019.h2.txt | patch -d bundle/nginx-1.15.8/ -p0 -rm -rf /patches - WITH_FLAGS="--with-debug \ --with-compat \ --with-pcre-jit \ diff --git a/images/nginx/rootfs/patches/patch.2019.h2.txt b/images/nginx/rootfs/patches/patch.2019.h2.txt deleted file mode 100644 index 9dd0e88b5f..0000000000 --- a/images/nginx/rootfs/patches/patch.2019.h2.txt +++ /dev/null @@ -1,136 +0,0 @@ ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos, - header->name.len = h2c->state.field_end - h2c->state.field_start; - header->name.data = h2c->state.field_start; - -+ if (header->name.len == 0) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent zero header name length"); -+ -+ return ngx_http_v2_connection_error(h2c, -+ NGX_HTTP_V2_PROTOCOL_ERROR); -+ } -+ - return ngx_http_v2_state_field_len(h2c, pos, end); - } - -@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) - ngx_uint_t i; - ngx_http_core_srv_conf_t *cscf; - -- if (header->name.len == 0) { -- return NGX_ERROR; -- } -- - r->invalid_header = 0; - - cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc) - */ - pool = stream->pool; - -+ h2c->frames -= stream->frames; -+ - ngx_http_free_request(stream->request, rc); - - if (pool != h2c->state.pool) { ---- src/http/v2/ngx_http_v2.h -+++ src/http/v2/ngx_http_v2.h -@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { - - ngx_buf_t *preread; - -+ ngx_uint_t frames; -+ - ngx_http_v2_out_frame_t *free_frames; - ngx_chain_t *free_frame_headers; - ngx_chain_t *free_bufs; ---- src/http/v2/ngx_http_v2_filter_module.c -+++ src/http/v2/ngx_http_v2_filter_module.c -@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t * - ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, - size_t len, ngx_chain_t *first, ngx_chain_t *last) - { -- u_char flags; -- ngx_buf_t *buf; -- ngx_chain_t *cl; -- ngx_http_v2_out_frame_t *frame; -+ u_char flags; -+ ngx_buf_t *buf; -+ ngx_chain_t *cl; -+ ngx_http_v2_out_frame_t *frame; -+ ngx_http_v2_connection_t *h2c; - - frame = stream->free_frames; -+ h2c = stream->connection; - - if (frame) { - stream->free_frames = frame->next; - -- } else { -+ } else if (h2c->frames < 10000) { - frame = ngx_palloc(stream->request->pool, - sizeof(ngx_http_v2_out_frame_t)); - if (frame == NULL) { - return NULL; - } -+ -+ stream->frames++; -+ h2c->frames++; -+ -+ } else { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "http2 flood detected"); -+ -+ h2c->connection->error = 1; -+ return NULL; - } - - flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; ---- src/http/v2/ngx_http_v2.c -+++ src/http/v2/ngx_http_v2.c -@@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev) - h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); - - h2c->concurrent_pushes = h2scf->concurrent_pushes; -+ h2c->priority_limit = h2scf->concurrent_streams; - - h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); - if (h2c->pool == NULL) { -@@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos, - return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); - } - -+ if (--h2c->priority_limit == 0) { -+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, -+ "client sent too many PRIORITY frames"); -+ -+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); -+ } -+ - if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { - return ngx_http_v2_state_save(h2c, pos, end, - ngx_http_v2_state_priority); -@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push) - h2c->processing++; - } - -+ h2c->priority_limit += h2scf->concurrent_streams; -+ - return stream; - } - ---- src/http/v2/ngx_http_v2.h -+++ src/http/v2/ngx_http_v2.h -@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { - ngx_uint_t processing; - ngx_uint_t frames; - ngx_uint_t idle; -+ ngx_uint_t priority_limit; - - ngx_uint_t pushing; - ngx_uint_t concurrent_pushes; -