Merge branch 'main' into issue-2766

build/Dockerfile

@@ -16,8 +16,8 @@ FROM nginx:1.23.0 AS debian
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
-	# temp fix for  CVE-2022-2068
-	&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \
+	# temp fix for CVE-2022-2068, CVE-2021-4209, CVE-2022-34903, CVE-2022-27404
+	&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 gpgv libfreetype6 \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 	&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
@@ -31,8 +31,8 @@ FROM docker.io/library/nginx:1.23.0-alpine AS alpine
 
 RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	apk add --no-cache libcap libstdc++ \
-	# temp fix for CVE-2022-27405, CVE-2022-1586
-	&& apk upgrade --no-cache freetype pcre2 \
+	# temp fix for CVE-2022-27405, CVE-2022-1586, CVE-2022-32205, CVE-2022-2097, CVE-2022-32205, CVE-2022-2097
+	&& apk upgrade --no-cache freetype pcre2 curl libcrypto1.1 libcurl libssl1.1 \
 	&& cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 	&& cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \
 	&& ldconfig /usr/local/lib/
@@ -45,7 +45,9 @@ ARG NGINX_PLUS_VERSION
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
 	--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
-	wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
+	# temp fix for CVE-2022-2097
+	apk upgrade --no-cache libcrypto1.1 libssl1.1 \
+	&& wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \
 	&& printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 	&& apk add --no-cache libcap nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcurl \
 	&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
@@ -64,8 +66,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
-	# temp fix for  CVE-2022-2068
-	&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl \
+	# temp fix for  CVE-2022-2068, CVE-2021-4209
+	&& apt-get install --no-install-recommends --no-install-suggests -y libssl1.1 openssl libgnutls30 \
 	&& curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
 	&& curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
 	&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
@@ -127,8 +129,8 @@ LABEL name="NGINX Ingress Controller" \
 	io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift"
 
 RUN dnf --nodocs install -y shadow-utils ca-certificates \
-	# temp fix for CVE-2022-1271
-	&& dnf --nodocs upgrade -y xz-libs \
+	# temp fix for CVE-2022-1271, CVE-2022-22576, CVE-2022-25313, CVE-2022-22576, CVE-2021-40528, CVE-2021-3634, CVE-2022-29824, CVE-2021-4189, CVE-2021-4189, CVE-2022-29824, CVE-2022-1621
+	&& dnf --nodocs upgrade -y xz-libs curl expat libcurl libgcrypt libssh libssh-config libxml2 platform-python python3-libs python3-libxml2 vim-minimal \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
 

docs/content/configuration/global-configuration/command-line-arguments.md

@@ -211,7 +211,7 @@ Enable support for NGINX Plus.
 
 Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
 
-Default is 4000. Default is 20000 instead if `enable-app-protect` is true.
+Default is 60000.
  
 <a name="cmdoption-nginx-status"></a>
 

docs/content/installation/installation-with-helm.md

@@ -149,7 +149,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.name`` | The name of the Ingress Controller daemonset or deployment. | Autogenerated |
 |``controller.kind`` | The kind of the Ingress Controller installation - deployment or daemonset. | deployment |
 |``controller.nginxplus`` | Deploys the Ingress Controller for NGINX Plus. | false |
-|``controller.nginxReloadTimeout`` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. The default is 4000 (or 20000 if `controller.appprotect.enable` is true). If set to 0, the default value will be used. | 0 |
+|``controller.nginxReloadTimeout`` | The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. | 60000 |
 |``controller.appprotect.enable`` | Enables the App Protect module in the Ingress Controller. | false |
 |``controller.appprotectdos.enable`` | Enables the App Protect DoS module in the Ingress Controller. | false |
 |``controller.appprotectdos.debug`` | Enables App Protect DoS debug logs. | false |