
Merge pull request #66605 (nginx security fixes)

This applies a series of patches to fix CVE-2019-9511, CVE-2019-9513 and
CVE-2019-9516 affecting the HTTP/2 protocol; all of those can possibly lead
to DoS.

Details about these vulnerabilities can be found at:

https://github.com/Netflix/security-bulletins/blob/216433296d3bc542496a8edae5b4ca39cfd892b1/advisories/third-party/2019-002.md

I haven't extensively tested this, but from a quick test, nginx is still
working and the NixOS tests also succeed.

Thanks to @vincentbernat for the pull request.
aszlig committed Aug 14, 2019
2 parents 364e1a8 + d16d738 commit 1a6eb4677170b5e829c332f63125fec187e7172f
Showing with 17 additions and 1 deletion.
  1. +17 −1 pkgs/servers/http/nginx/generic.nix
@@ -64,7 +64,23 @@ stdenv.mkDerivation {

preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules);

patches = stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
patches = [
# HTTP/2: reject zero length headers with PROTOCOL_ERROR (from 1.16.1)
(fetchpatch {
url = https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388.patch;
sha256 = "a481901729be3ada3ac86f200772f326ef655b3ed0f55a0b1355e16fd4698adc";
})
# HTTP/2: limited number of DATA frames (from 1.16.1)
(fetchpatch {
url = https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b.patch;
sha256 = "af591ae3c711fc7c58f53ad493899f986dd5dabf3a154f9f597f3059e752c601";
})
# HTTP/2: limited number of PRIORITY frames (from 1.16.1)
(fetchpatch {
url = https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b.patch;
sha256 = "1ad8fecdb343d40224de0f63724a21a691c141f52274439d13eca6d53f0a9128";
})
] ++ stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
(fetchpatch {
url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch";
sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
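Review bot: the three new `fetchpatch` entries use unquoted URL literals (`url = https://github.com/nginx/nginx/commit/...patch;`), which are a deprecated Nix syntax and inconsistent with the quoted string used for the openwrt patch further down in the same list; quote them, e.g. `url = "https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388.patch";`. Since each comment already notes the fix is "from 1.16.1", it would also help future maintainers to add a one-line comment above `patches = [` saying the three upstream patches can be dropped once the package is bumped to a version that already includes them, so the list does not outlive the backport.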
