Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

nginx: apply patches from 1.16.1 for HTTP/2 vulnerabilities

When using HTTP/2 a client might cause excessive memory consumption
and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). The
problems have been patched upstream in 1.16.1 and 1.17.2, but no patch
is available for 1.14.2 and 1.15.10. The patches from 1.16.1 apply
without any issue.

See #66582 for the update in master.

+17 -1
pkgs/servers/http/nginx/generic.nix
··· 64 64 65 65 preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); 66 66 67 - patches = stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ 67 + patches = [ 68 + # HTTP/2: reject zero length headers with PROTOCOL_ERROR (from 1.16.1) 69 + (fetchpatch { 70 + url = https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388.patch; 71 + sha256 = "a481901729be3ada3ac86f200772f326ef655b3ed0f55a0b1355e16fd4698adc"; 72 + }) 73 + # HTTP/2: limited number of DATA frames (from 1.16.1) 74 + (fetchpatch { 75 + url = https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b.patch; 76 + sha256 = "af591ae3c711fc7c58f53ad493899f986dd5dabf3a154f9f597f3059e752c601"; 77 + }) 78 + # HTTP/2: limited number of PRIORITY frames (from 1.16.1) 79 + (fetchpatch { 80 + url = https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b.patch; 81 + sha256 = "1ad8fecdb343d40224de0f63724a21a691c141f52274439d13eca6d53f0a9128"; 82 + }) 83 + ] ++ stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ 68 84 (fetchpatch { 69 85 url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch"; 70 86 sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
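Review bot: the three new fetchpatch entries write their URLs as unquoted literals (`url = https://github.com/nginx/nginx/commit/dbdd9ffea81d9db46fb88b5eba828f2ad080d388.patch;`), while the existing entry in the same list quotes its URL (`url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch";`) and gives its hash in base32 rather than hex; quoting the new URLs (and optionally using the same hash encoding) keeps the list consistent. Also, the new patches are applied unconditionally, ahead of the `++ stdenv.lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [` cross-compilation block, and the comments only say "(from 1.16.1)": since the commit message states these fixes are already upstream in 1.16.1 and 1.17.2, consider extending each comment to say the entry must be removed when the package is bumped to 1.16.1 or later, or guarding the list with a version check, so a future update does not fail with patches that no longer apply.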