nginx with OpenSSL 1.1.1l on CentOS 6 with CVE-2021-23017 fix

nginx-openssl-1.1.1l.el6.txt

#useradd -m -U -s /bin/bash builder
#yum -y groupinstall 'Development Tools'
#yum -y install wget openssl-devel libxml2-devel libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel rpmdevtools pcre-devel libedit-devel
#rpm -Uvh rpm -ivh https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/Packages/g/GeoIP-devel-1.6.5-1.el6.x86_64.rpm https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/Packages/g/GeoIP-1.6.5-1.el6.x86_64.rpm https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/Packages/g/GeoIP-GeoLite-data-2018.04-1.el6.noarch.rpm https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/Packages/g/GeoIP-GeoLite-data-extra-2018.04-1.el6.noarch.rpm https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/Packages/g/geoipupdate-3.1.1-2.el6.x86_64.rpm
#useradd -U -m -r -s /sbin/nologin builder

OPENSSL="openssl-1.1.1l"
NGINX_VERSION="1.19.5-1"
NJS_VERSION="1.19.5+0.5.0-1"
MODULE_STICKY_VERSION="08a395c66e42" # master 2016-08-09

rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-$NGINX_VERSION.el6.ngx.src.rpm
rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-module-geoip-$NGINX_VERSION.el6.ngx.src.rpm
rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-module-image-filter-$NGINX_VERSION.el6.ngx.src.rpm
rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-module-njs-$NJS_VERSION.el6.ngx.src.rpm
rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-module-perl-$NGINX_VERSION.el6.ngx.src.rpm
rpm -ivh http://nginx.org/packages/mainline/centos/6/SRPMS/nginx-module-xslt-$NGINX_VERSION.el6.ngx.src.rpm

sed -i "/Source13: .*/a Source101: https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng/get/$MODULE_STICKY_VERSION.tar.gz" ~/rpmbuild/SPECS/nginx.spec
sed -i "/Source13: .*/a Source100: https://www.openssl.org/source/$OPENSSL.tar.gz" ~/rpmbuild/SPECS/nginx.spec
sed -i "s|--with-http_ssl_module|--with-http_ssl_module --with-openssl=$OPENSSL|g" ~/rpmbuild/SPECS/nginx.spec
sed -i "s|--with-http_addition_module|--with-http_addition_module --add-module=nginx-goodies-nginx-sticky-module-ng-$MODULE_STICKY_VERSION|g" ~/rpmbuild/SPECS/nginx.spec
sed -i '/%setup -q/a tar -zxf %{SOURCE101}' ~/rpmbuild/SPECS/nginx.spec
sed -i '/%setup -q/a tar -zxf %{SOURCE100}' ~/rpmbuild/SPECS/nginx.spec
sed -i '/.*Requires: openssl.*/d' ~/rpmbuild/SPECS/nginx.spec
# hardening whatnots since 1.11.9
sed -i 's|%define WITH_LD_OPT .*|%define WITH_LD_OPT ""|g' ~/rpmbuild/SPECS/nginx.spec
sed -i 's| -fPIC||g' ~/rpmbuild/SPECS/nginx.spec

# Fix CVE-2021-23017 (patch.2021.resolver)
sed -i "/%setup -q/a sed -i '3995a\\\\            if (dst != name->data) {\\\\\\n                *dst++ = '"'"'"'"'.'"'"'"'"';\\\\\\n            }\\\\\\n' src/core/ngx_resolver.c" ~/rpmbuild/SPECS/nginx.spec
sed -i "/%setup -q/a sed -i '4001,4004d' src/core/ngx_resolver.c" ~/rpmbuild/SPECS/nginx.spec
sed -i "/tar --strip-components=1 -zxf %{SOURCE0}/a sed -i '3995a\\\\            if (dst != name->data) {\\\\\\n                *dst++ = '"'"'"'"'.'"'"'"'"';\\\\\\n            }\\\\\\n' src/core/ngx_resolver.c" ~/rpmbuild/SPECS/*.spec
sed -i "/tar --strip-components=1 -zxf %{SOURCE0}/a sed -i '4001,4004d' src/core/ngx_resolver.c" ~/rpmbuild/SPECS/*.spec

spectool -g -R ~/rpmbuild/SPECS/nginx.spec
# if '.rpmmacros' contains "%_sourcedir    %{_topdir}/SOURCES/%{name}"
#spectool -g -C ~/rpmbuild/SOURCES/nginx/ ~/rpmbuild/SPECS/nginx.spec

rpmbuild -ba ~/rpmbuild/SPECS/nginx.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx-module-geoip.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx-module-image-filter.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx-module-njs.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx-module-perl.spec
rpmbuild -ba ~/rpmbuild/SPECS/nginx-module-xslt.spec

#rpm -Uvh ~/rpmbuild/RPMS/x86_64/nginx-$NGINX_VERSION.el6*.x86_64.rpm