Merge branch 'update-nginx' into 'master'

Bump nginx to 1.24.0

Closes #7058

See merge request gitlab-org/omnibus-gitlab!6900



Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com>
Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com>
Approved-by: Dustin Collins <714871-dustinmm80@users.noreply.gitlab.com>
Co-authored-by: Clemens Beck <cbeck@gitlab.com>

config/patches/nginx/CVE-2021-3618.patch

-Patch for CVE-2021-3618
-Adapted from https://salsa.debian.org/nginx-team/nginx/-/blob/debian/1.20.2-2/debian/patches/CVE-2021-3618.patch
-
---- a/src/mail/ngx_mail.h
-+++ b/src/mail/ngx_mail.h
-@@ -115,6 +115,8 @@
-     ngx_msec_t              timeout;
-     ngx_msec_t              resolver_timeout;
- 
-+    ngx_uint_t              max_errors;
-+
-     ngx_str_t               server_name;
- 
-     u_char                 *file_name;
-@@ -231,6 +233,7 @@
-     ngx_uint_t              command;
-     ngx_array_t             args;
- 
-+    ngx_uint_t              errors;
-     ngx_uint_t              login_attempt;
- 
-     /* used to parse POP3/IMAP/SMTP command */
---- a/src/mail/ngx_mail_core_module.c
-+++ b/src/mail/ngx_mail_core_module.c
-@@ -85,6 +85,13 @@
-       offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
-       NULL },
- 
-+    { ngx_string("max_errors"),
-+      NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
-+      ngx_conf_set_num_slot,
-+      NGX_MAIL_SRV_CONF_OFFSET,
-+      offsetof(ngx_mail_core_srv_conf_t, max_errors),
-+      NULL },
-+
-       ngx_null_command
- };
- 
-@@ -163,6 +170,8 @@
-     cscf->timeout = NGX_CONF_UNSET_MSEC;
-     cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
- 
-+    cscf->max_errors = NGX_CONF_UNSET_UINT;
-+
-     cscf->resolver = NGX_CONF_UNSET_PTR;
- 
-     cscf->file_name = cf->conf_file->file.name.data;
-@@ -182,6 +191,7 @@
-     ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
-                               30000);
- 
-+    ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
- 
-     ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
- 
---- a/src/mail/ngx_mail_handler.c
-+++ b/src/mail/ngx_mail_handler.c
-@@ -871,7 +871,20 @@
-         return NGX_MAIL_PARSE_INVALID_COMMAND;
-     }
- 
--    if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
-+    if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
-+
-+        s->errors++;
-+
-+        if (s->errors >= cscf->max_errors) {
-+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
-+                          "client sent too many invalid commands");
-+            s->quit = 1;
-+        }
-+
-+        return rc;
-+    }
-+
-+    if (rc == NGX_IMAP_NEXT) {
-         return rc;
-     }
- 
-

config/software/nginx.rb

@@ -18,7 +18,7 @@
 
 name 'nginx'
 
-version = Gitlab::Version.new('nginx', 'release-1.20.2')
+version = Gitlab::Version.new('nginx', 'release-1.24.0')
 default_version version.print(false)
 display_version version.print(false).delete_prefix('release-')
 
@@ -43,9 +43,6 @@ dependency 'ngx_security_headers'
 build do
   cwd = "#{Omnibus::Config.source_dir}/nginx"
 
-  # Patch against CVE-2021-3618
-  patch source: 'CVE-2021-3618.patch'
-
   command ['./auto/configure',
            "--prefix=#{install_dir}/embedded",
            '--with-http_ssl_module',

deps.yml

@@ -107,6 +107,12 @@ dependencies:
         replace_in_files:
         - filename: config/software/nginx-module-vts.rb
           pattern: "Gitlab::Version.new\\('nginx-module-vts', '(\\S+)'\\)"
+      # nginx
+      https://github.com/nginx/nginx.git:
+        replace_in_files:
+        - filename: config/software/nginx.rb
+          pattern: "Gitlab::Version.new\\('nginx', 'release-(\\S+)'\\)"
+          tag_prefix: 'release-'
       # openssl
       https://github.com/openssl/openssl.git:
         replace_in_files: