rpms/nginx/EL-4 nginx-cve-2009-3555.patch, NONE, 1.1 nginx.spec, 1.23, 1.24

jjh jjh at fedoraproject.org
Fri Dec 4 21:20:52 UTC 2009


Author: jjh

Update of /cvs/pkgs/rpms/nginx/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29110

Modified Files:
	nginx.spec 
Added Files:
	nginx-cve-2009-3555.patch 
Log Message:
update to fix CVE-2009-3555

nginx-cve-2009-3555.patch:
 ngx_event_openssl.c |   40 ++++++++++++++++++++++++++++++++++++++++
 ngx_event_openssl.h |    1 +
 2 files changed, 41 insertions(+)

--- NEW FILE nginx-cve-2009-3555.patch ---
--- src/event/ngx_event_openssl.c
+++ src/event/ngx_event_openssl.c
@@ -15,6 +15,8 @@
 
 
 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
+static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
+    int ret);
 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
 static void ngx_ssl_write_handler(ngx_event_t *wev);
@@ -175,6 +177,8 @@
 
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
+    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
     return NGX_OK;
 }
 
@@ -350,6 +354,22 @@
 }
 
 
+static void
+ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
+{
+    ngx_connection_t  *c;
+
+    if (where & SSL_CB_HANDSHAKE_START) {
+        c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+        if (c->ssl->handshaked) {
+            c->ssl->renegotiation = 1;
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
+        }
+    }
+}
+
+
 ngx_int_t
 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
 {
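Review bot: ngx_ssl_info_callback only records the event in `c->ssl->renegotiation` and leaves the session running; since the callback is declared `void` it has no way to refuse the handshake itself, and nothing in this hunk says where the flag is acted on, so a reader of the callback alone will take it for the whole mitigation. A header comment would close that gap: `/* The info callback cannot abort a handshake; a post-handshake HANDSHAKE_START is only flagged here and the connection is dropped later in ngx_ssl_handle_recv(). */`. The `c->ssl->handshaked` dereference assumes `ngx_ssl_get_connection()` never returns NULL and that `c->ssl` is already set when the first HANDSHAKE_START fires — presumably true for contexts nginx creates itself, but worth confirming against where the callback is registered.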
@@ -587,6 +607,11 @@
         c->recv_chain = ngx_ssl_recv_chain;
         c->send_chain = ngx_ssl_send_chain;
 
+        /* initial handshake done, disable renegotiation (CVE-2009-3555) */
+        if (c->ssl->connection->s3) {
+            c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+        }
+
         return NGX_OK;
     }
 
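Review bot: The new `c->ssl->connection->s3` lines reach into OpenSSL's private per-connection state instead of a public API, so this now depends on that struct being visible and its layout stable across OpenSSL versions; the `s3` NULL guard protects against an unset pointer but not against the struct becoming opaque. Judging by its name, the flag appears to constrain cipher changes during a renegotiation rather than refuse renegotiation outright, which is presumably why the hard stop is the check in ngx_ssl_handle_recv; the comment on the first added line should say so, e.g. `/* best effort: the connection is actually dropped in ngx_ssl_handle_recv() once ssl->renegotiation is set */`, so nobody treats this block as the complete fix. The enclosing handshake function starts and ends outside this hunk.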
@@ -789,6 +814,21 @@
     int        sslerr;
     ngx_err_t  err;
 
+    if (c->ssl->renegotiation) {
+        /*
+         * disable renegotiation (CVE-2009-3555):
+         * OpenSSL (at least up to 0.9.8l) does not handle disabled
+         * renegotiation gracefully, so drop connection here
+         */
+
+        ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
+
+        c->ssl->no_wait_shutdown = 1;
+        c->ssl->no_send_shutdown = 1;
+
+        return NGX_ERROR;
+    }
+
     if (n > 0) {
 
         if (c->ssl->saved_write_handler) {
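Review bot: The renegotiation check added at the top of this hunk only runs on the receive path, so a client-initiated renegotiation flagged by the info callback while nginx is busy writing a long response is, as far as these lines show, not acted on until the next read completes; whether the send path performs the same `c->ssl->renegotiation` check is not visible here and should be confirmed, and if it does not, the same guard belongs there too. Setting `no_wait_shutdown` and `no_send_shutdown` before returning NGX_ERROR is the right choice given the comment that OpenSSL up to 0.9.8l does not handle a refused renegotiation gracefully, and logging at NGX_LOG_NOTICE keeps the refused attempts visible to operators. The enclosing ngx_ssl_handle_recv starts before and continues past this hunk.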
--- src/event/ngx_event_openssl.h
+++ src/event/ngx_event_openssl.h
@@ -41,6 +41,7 @@
     ngx_event_handler_pt        saved_write_handler;
 
     unsigned                    handshaked:1;
+    unsigned                    renegotiation:1;
     unsigned                    buffer:1;
     unsigned                    no_wait_shutdown:1;
     unsigned                    no_send_shutdown:1;


Index: nginx.spec
===================================================================
RCS file: /cvs/pkgs/rpms/nginx/EL-4/nginx.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -p -r1.23 -r1.24
--- nginx.spec	14 Sep 2009 20:03:52 -0000	1.23
+++ nginx.spec	4 Dec 2009 21:20:51 -0000	1.24
@@ -8,7 +8,7 @@
 
 Name:           nginx
 Version:        0.6.39
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Robust, small and high performance http and reverse proxy server
 Group:          System Environment/Daemons   
 
@@ -37,6 +37,9 @@ Patch0:     nginx-auto-cc-gcc.patch
 # etc.
 Patch1:     nginx-conf.patch
 
+# patch for http://www.kb.cert.org/vuls/id/120541
+Patch2:     nginx-cve-2009-3555.patch
+
 %description
 Nginx [engine x] is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3
 proxy server written by Igor Sysoev.
@@ -46,6 +49,7 @@ proxy server written by Igor Sysoev.
 
 %patch0 -p0
 %patch1 -p0
+%patch2 -p0
 
 %build
 # nginx does not utilize a standard configure script.  It has its own
@@ -152,6 +156,9 @@ fi
 
 
 %changelog
+* Fri Dec 04 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.6.39-2
+- fixes CVE-2009-3555
+
 * Mon Sep 14 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 0.6.39-1
 - update to 0.6.39
 - fixes CVE-2009-2629



