From d61678c2277cff67c3d1f142539c60b191789bb3 Mon Sep 17 00:00:00 2001 From: lizhao2025 Date: Tue, 16 Dec 2025 22:36:56 +0800 Subject: [PATCH] Update code from upstream --- 1-bugfix-for-CVE-2025-23419.patch | 45 ------------------------------- nginx.spec | 13 ++++++--- 2 files changed, 10 insertions(+), 48 deletions(-) delete mode 100644 1-bugfix-for-CVE-2025-23419.patch diff --git a/1-bugfix-for-CVE-2025-23419.patch b/1-bugfix-for-CVE-2025-23419.patch deleted file mode 100644 index bee1c1c..0000000 --- a/1-bugfix-for-CVE-2025-23419.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 684fabd..404aa77 100644 ---- a/src/http/ngx_http_request.c -+++ b/src/http/ngx_http_request.c -@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) - goto done; - } - -+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); -+ -+#if (defined TLS1_3_VERSION \ -+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) -+ -+ /* -+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, -+ * but servername being negotiated in every TLSv1.3 handshake -+ * is only returned in OpenSSL 1.1.1+ as well -+ */ -+ -+ if (sscf->verify) { -+ const char *hostname; -+ -+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); -+ -+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { -+ c->ssl->handshake_rejected = 1; -+ *ad = SSL_AD_ACCESS_DENIED; -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ } -+ -+#endif -+ - hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); - if (hc->ssl_servername == NULL) { - goto error; -@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) - - ngx_set_connection_log(c, clcf->error_log); - -- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); -- - c->ssl->buffer_size = sscf->buffer_size; - - if (sscf->ssl.ctx) { diff --git a/nginx.spec b/nginx.spec index 36d96e1..e645063 100644 --- a/nginx.spec +++ b/nginx.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 1 %global _hardened_build 1 %global nginx_user nginx @@ -27,7 +27,7 @@ Name: nginx Epoch: 1 -Version: 1.26.2 +Version: 1.26.3 Release: %{anolis_release}%{?dist} Summary: A high performance web server and reverse proxy server @@ -50,7 +50,6 @@ Source200: README.dynamic Source210: UPGRADE-NOTES-1.6-to-1.10 -Patch1: 1-bugfix-for-CVE-2025-23419.patch BuildRequires: make gcc %if 0%{with gperftools} BuildRequires: gperftools-devel @@ -245,6 +244,7 @@ can help you achieve your goals with ease. Summary: Nginx XSLT module BuildRequires: libxslt-devel Requires: nginx(abi) = %{nginx_abiversion} +BuildRequires: zlib-ng-devel %description mod-http-xslt-filter Nginx mod-http-xslt-filter is a module that allows you to transform XML @@ -685,6 +685,13 @@ fi %doc CHANGES README README.dynamic %changelog +* Mon Apr 05 2025 Upstream Sync - 1.26.3-1 +- Sync upstream changes from commit 90d4dba563ff4b5a259bd035e7b4d87ecc333ee9 +- Upgrade to version 1.26.3 +- Replace zlib with zlib-ng for improved performance and security +- Remove obsolete 1.26.2-zlib-ng.patch (now integrated upstream) +- Add BuildRequires: zlib-ng-devel + * Fri Jul 04 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 1.26.2-2 - Fix CVE-2025-23419 -- Gitee