From patchwork Fri Nov 9 10:08:19 2018
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 995417
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Fri, 9 Nov 2018 11:08:19 +0100
Message-Id: <20181109100820.10293-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH] nginx: security bump to 1.15.6

Fixes the following security issues:

CVE-2018-16843: Excessive memory usage in HTTP/2
CVE-2018-16844: Excessive CPU usage in HTTP/2
CVE-2018-16845: Memory disclosure in the ngx_http_mp4_module

Refreshed patch 0004 + 0007 as they no longer applied cleanly.

Signed-off-by: Peter Korsgaard
--- .../nginx/0004-auto-lib-libxslt-conf-use-pkg-config.patch | 14 ++++++++------ .../nginx/0007-auto-lib-libgd-conf-use-pkg-config.patch | 12 +++++++----- package/nginx/nginx.hash | 2 +- package/nginx/nginx.mk | 2 +- 4 files changed, 17 insertions(+), 13 deletions(-) diff --git a/package/nginx/0004-auto-lib-libxslt-conf-use-pkg-config.patch b/package/nginx/0004-auto-lib-libxslt-conf-use-pkg-config.patch index 103f90b305..09e708b73c 100644 --- a/package/nginx/0004-auto-lib-libxslt-conf-use-pkg-config.patch +++ b/package/nginx/0004-auto-lib-libxslt-conf-use-pkg-config.patch @@ -1,4 +1,4 @@ -From 211b9f19a3a62826fadef55d2f89d6f66fbf4aa6 Mon Sep 17 00:00:00 2001 +From 7783d63c87f94797aa134786214b0a84c000be75 Mon Sep 17 00:00:00 2001 
From: Samuel Martin Date: Thu, 29 May 2014 19:22:27 +0200 Subject: [PATCH] auto/lib/libxslt/conf: use pkg-config @@ -7,12 +7,14 @@ Change to using pkg-config to find the path to libxslt and its dependencies. Signed-off-by: Martin Bark +[Peter: updated for 1.15.6] +Signed-off-by: Peter Korsgaard --- - auto/lib/libxslt/conf | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) + auto/lib/libxslt/conf | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/auto/lib/libxslt/conf b/auto/lib/libxslt/conf -index 3a0f37b..3c2a60e 100644 +index 3063ac7c..3209e364 100644 --- a/auto/lib/libxslt/conf +++ b/auto/lib/libxslt/conf @@ -12,8 +12,9 @@ @@ -26,7 +28,7 @@ index 3a0f37b..3c2a60e 100644 + ngx_feature_libs="$(${PKG_CONFIG:=pkg-config} --libs libxslt)" ngx_feature_test="xmlParserCtxtPtr ctxt = NULL; xsltStylesheetPtr sheet = NULL; - xmlDocPtr doc; + xmlDocPtr doc = NULL; -- -2.8.2 +2.11.0 diff --git a/package/nginx/0007-auto-lib-libgd-conf-use-pkg-config.patch b/package/nginx/0007-auto-lib-libgd-conf-use-pkg-config.patch index 34e7981c8f..cea68035e1 100644 --- a/package/nginx/0007-auto-lib-libgd-conf-use-pkg-config.patch +++ b/package/nginx/0007-auto-lib-libgd-conf-use-pkg-config.patch @@ -1,4 +1,4 @@ -From fd9885fe5fef5826034547ca6be7299863f99769 Mon Sep 17 00:00:00 2001 +From 0551f2e5eb4143be0aacc0185cdc4afc9ca80204 Mon Sep 17 00:00:00 2001 From: Martin Bark Date: Fri, 6 May 2016 14:48:49 +0100 Subject: [PATCH] auto/lib/libgd/conf: use pkg-config @@ -7,12 +7,14 @@ Change to using pkg-config to find the path to libgd and its dependencies. Signed-off-by: Martin Bark +[Peter: updated for 1.15.6] +Signed-off-by: Peter Korsgaard --- auto/lib/libgd/conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/auto/lib/libgd/conf b/auto/lib/libgd/conf -index 6e4e91c..1c536a2 100644 +index 67863976..1a4379a5 100644 --- a/auto/lib/libgd/conf +++ b/auto/lib/libgd/conf @@ -7,8 +7,8 @@ 
@@ -23,9 +25,9 @@ index 6e4e91c..1c536a2 100644 - ngx_feature_libs="-lgd" + ngx_feature_path="$(${GDLIB_CONFIG:=gdlib-config} --includedir)" + ngx_feature_libs="$(${GDLIB_CONFIG:=gdlib-config} --libs)" - ngx_feature_test="gdImagePtr img = gdImageCreateFromGifPtr(1, NULL);" + ngx_feature_test="gdImagePtr img = gdImageCreateFromGifPtr(1, NULL); + (void) img" . auto/feature - -- -2.8.2 +2.11.0 diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash index 51284aefbe..c3e6b6a720 100644 --- a/package/nginx/nginx.hash +++ b/package/nginx/nginx.hash @@ -1,4 +1,4 @@ # Locally calculated after checking pgp signature -sha256 b0b58c9a3fd73aa8b89edf5cfadc6641a352e0e6d3071db1eb3215d72b7fb516 nginx-1.15.0.tar.gz +sha256 a3d8c67c2035808c7c0d475fffe263db8c353b11521aa7ade468b780ed826cc6 nginx-1.15.6.tar.gz # License files, locally calculated sha256 e18f05bcaad47528f8b21861d4a0fb9815ca1bbb4be946c51a51d36623758bcc LICENSE diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk index 23cf2b46d5..5253174478 100644 --- a/package/nginx/nginx.mk +++ b/package/nginx/nginx.mk @@ -4,7 +4,7 @@ # ################################################################################ -NGINX_VERSION = 1.15.0 +NGINX_VERSION = 1.15.6 NGINX_SITE = http://nginx.org/download NGINX_LICENSE = BSD-2-Clause NGINX_LICENSE_FILES = LICENSE
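Review bot: In the refreshed 0007-auto-lib-libgd-conf-use-pkg-config.patch, the subject and description still say "use pkg-config", but the lines it adds to auto/lib/libgd/conf call ${GDLIB_CONFIG:=gdlib-config} for both --includedir and --libs. Since the patch is being regenerated for 1.15.6 anyway, the description should name gdlib-config (or the patch should be retitled), so a later reader does not go looking for a libgd pkg-config lookup that is not there.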
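Review bot: In the nginx.hash hunk, the comment "Locally calculated after checking pgp signature" is carried over unchanged for the new nginx-1.15.6.tar.gz sha256, and nothing records which signature file or signing key was checked. For a security bump it would help to add the location of the detached signature to that comment so the verification can be repeated by someone else.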
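Review bot: In the nginx.mk hunk, NGINX_VERSION moves from 1.15.0 to 1.15.6 while the context line NGINX_SITE = http://nginx.org/download keeps the download on plain HTTP. The sha256 in nginx.hash will reject a modified tarball, so this does not block the bump, but moving NGINX_SITE to https would be a reasonable follow-up. The commit message could also say that the jump spans several upstream releases and not only the three CVE fixes it lists.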