From: "Lars Wendler" <polynomial-c@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: www-servers/nginx/, www-servers/nginx/files/
Date: Tue, 26 Jul 2016 09:51:32 +0000 (UTC)
Message-ID: <1469526682.c4b897dc39a939d0f409e1bcd9f6bd9c75679cf9.polynomial-c@gentoo>
commit: c4b897dc39a939d0f409e1bcd9f6bd9c75679cf9
Author: Thomas Deutschmann <whissi <AT> whissi <DOT> de>
AuthorDate: Tue Jul 19 23:16:33 2016 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Jul 26 09:51:22 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c4b897dc
www-servers/nginx: HTTPoxy mitigation added
Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../nginx/files/nginx-httpoxy-mitigation.patch | 33 ++++++++++++++++++++++
...{nginx-1.11.2.ebuild => nginx-1.10.1-r1.ebuild} | 23 +++++++++------
www-servers/nginx/nginx-1.11.2.ebuild | 13 +++++++++
3 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/www-servers/nginx/files/nginx-httpoxy-mitigation.patch b/www-servers/nginx/files/nginx-httpoxy-mitigation.patch
new file mode 100644
index 0000000..7e9618b
--- /dev/null
+++ b/www-servers/nginx/files/nginx-httpoxy-mitigation.patch
@@ -0,0 +1,33 @@
+httpoxy mitigation
+
+See https://httpoxy.org/ and https://www.nginx.com/blog/?p=41962 for details.
+---
+ conf/fastcgi.conf | 3 +++
+ conf/fastcgi_params | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/conf/fastcgi.conf b/conf/fastcgi.conf
+index 091738c..9f7e192 100644
+--- a/conf/fastcgi.conf
++++ b/conf/fastcgi.conf
+@@ -24,3 +24,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+diff --git a/conf/fastcgi_params b/conf/fastcgi_params
+index 28decb9..3be3a95 100644
+--- a/conf/fastcgi_params
++++ b/conf/fastcgi_params
+@@ -23,3 +23,6 @@ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
++
++# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
++fastcgi_param HTTP_PROXY "";
+--
+2.9.2
+
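Review bot: the nested patch blanks HTTP_PROXY only in conf/fastcgi.conf and conf/fastcgi_params, so the scope is FastCGI backends that include one of those two files; the other parameter files nginx ships (uwsgi_params, scgi_params) and proxy_pass setups are not touched. Either add the matching `uwsgi_param HTTP_PROXY "";` and `scgi_param HTTP_PROXY "";` lines, or say explicitly in the patch header and the commit message that the mitigation is FastCGI-only, so a maintainer reading "HTTPoxy mitigation added" does not assume the whole package is covered.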
diff --git a/www-servers/nginx/nginx-1.11.2.ebuild b/www-servers/nginx/nginx-1.10.1-r1.ebuild
similarity index 97%
copy from www-servers/nginx/nginx-1.11.2.ebuild
copy to www-servers/nginx/nginx-1.10.1-r1.ebuild
index 9bfdddd..5912230 100644
--- a/www-servers/nginx/nginx-1.11.2.ebuild
+++ b/www-servers/nginx/nginx-1.10.1-r1.ebuild
@@ -171,7 +171,7 @@ LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
nginx_modules_http_security? ( Apache-2.0 )
nginx_modules_http_push_stream? ( GPL-3 )"
-SLOT="mainline"
+SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux"
NGINX_MODULES_STD="access auth_basic autoindex browser charset empty_gif
@@ -269,7 +269,7 @@ CDEPEND="
nginx_modules_http_auth_ldap? ( net-nds/openldap[ssl?] )"
RDEPEND="${CDEPEND}
selinux? ( sec-policy/selinux-nginx )
- !www-servers/nginx:0"
+ !www-servers/nginx:mainline"
DEPEND="${CDEPEND}
arm? ( dev-libs/libatomic_ops )
libatomic? ( dev-libs/libatomic_ops )"
@@ -319,12 +319,7 @@ pkg_setup() {
src_prepare() {
eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
-
- if use nginx_modules_http_sticky; then
- cd "${HTTP_STICKY_MODULE_WD}" || die
- eapply "${FILESDIR}"/http-sticky-nginx-1.11.2.patch
- cd "${S}" || die
- fi
+ eapply "${FILESDIR}/${PN}-httpoxy-mitigation.patch"
if use nginx_modules_http_upstream_check; then
eapply -p0 "${HTTP_UPSTREAM_CHECK_MODULE_WD}/check_1.9.2+".patch
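Review bot: this hunk drops the nginx_modules_http_sticky block (the http-sticky-nginx-1.11.2.patch application) without the commit message mentioning it; the message only says "HTTPoxy mitigation added". Because nginx-1.10.1-r1.ebuild is created as a 97% copy of nginx-1.11.2.ebuild rather than as a revision of the existing 1.10.1 ebuild, please state that the sticky-module patch is a 1.11.2-only change, and diff the new 1.10.1-r1 against the previous 1.10.1 ebuild (not shown here) so that nothing else from the mainline ebuild, beyond the SLOT and blocker swaps in the earlier hunks, ends up in the stable-branch revision.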
@@ -758,4 +753,16 @@ pkg_postinst() {
ewarn "'rx' permissions on /var/log/nginx (default on a fresh install)"
ewarn "Otherwise you end up with empty log files after a logrotate."
fi
+
+ # HTTPoxy mitigation
+ ewarn ""
+ ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
+ ewarn "vulnerability for FastCGI applications by setting the HTTP_PROXY FastCGI"
+ ewarn "parameter to an empty string per default when you are sourcing the default"
+ ewarn "'fastcgi_params' or 'fastcgi.conf' in your server block(s)."
+ ewarn ""
+ ewarn "If this is causing any problems for you make sure that you are sourcing the"
+ ewarn "default parameters _before_ you set your own values."
+ ewarn "If you are relying on user-supplied proxy values you have to remove the"
+ ewarn "correlating lines from 'fastcgi_params' and or 'fastcgi.conf'."
}
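Review bot: wording nits in the new ewarn block: "and or" should be "and/or", "correlating lines" should be "corresponding lines", and "per default" reads better as "by default". Beyond wording, the notice is printed on every pkg_postinst, including plain reinstalls long after the change; gating it on ${REPLACING_VERSIONS} (so only upgrades from a version without the mitigation see it) would keep it from becoming noise users learn to skip. The advice to remove lines from the shipped 'fastcgi_params'/'fastcgi.conf' is also worth a caveat that those files are package-owned and will be reinstalled on the next update.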
diff --git a/www-servers/nginx/nginx-1.11.2.ebuild b/www-servers/nginx/nginx-1.11.2.ebuild
index 9bfdddd..0a7e068 100644
--- a/www-servers/nginx/nginx-1.11.2.ebuild
+++ b/www-servers/nginx/nginx-1.11.2.ebuild
@@ -319,6 +319,7 @@ pkg_setup() {
src_prepare() {
eapply "${FILESDIR}/${PN}-1.4.1-fix-perl-install-path.patch"
+ eapply "${FILESDIR}/${PN}-httpoxy-mitigation.patch"
if use nginx_modules_http_sticky; then
cd "${HTTP_STICKY_MODULE_WD}" || die
@@ -758,4 +759,16 @@ pkg_postinst() {
ewarn "'rx' permissions on /var/log/nginx (default on a fresh install)"
ewarn "Otherwise you end up with empty log files after a logrotate."
fi
+
+ # HTTPoxy mitigation
+ ewarn ""
+ ewarn "This nginx installation comes with a mitigation for the HTTPoxy"
+ ewarn "vulnerability for FastCGI applications by setting the HTTP_PROXY FastCGI"
+ ewarn "parameter to an empty string per default when you are sourcing the default"
+ ewarn "'fastcgi_params' or 'fastcgi.conf' in your server block(s)."
+ ewarn ""
+ ewarn "If this is causing any problems for you make sure that you are sourcing the"
+ ewarn "default parameters _before_ you set your own values."
+ ewarn "If you are relying on user-supplied proxy values you have to remove the"
+ ewarn "correlating lines from 'fastcgi_params' and or 'fastcgi.conf'."
}
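Review bot: same points as for the identical block in nginx-1.10.1-r1.ebuild: "and or" should be "and/or", "correlating" should be "corresponding", and the warning fires on every reinstall rather than only on the upgrade that introduces the mitigation (consider gating on ${REPLACING_VERSIONS}). Since the two ebuilds now carry this text verbatim, any later edit needs to be made in both places.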