Preface
Nginx denial of service vulnerability (CVE-2019-9513, CVE-2019-9511)
- Upgrade Nginx to 1.16.1, 1.17.3 or later; download address: /en/
- If the vulnerability detection result lists a fixed version, upgrade the package named in the detection result to that fixed version or later.
Upgrade using the repair command given for this vulnerability in the security patch function, or one of the following repair commands:
CentOS/RHEL/Oracle Linux: sudo yum update -y <name of the package to upgrade (see the detection result)>
SUSE: sudo zypper update -y <name of the package to upgrade (see the detection result)>
Ubuntu/Debian: sudo apt-get update && sudo apt-get install --only-upgrade -y <name of the package to upgrade (see the detection result)>
Example: If the detection result shows that the host system is Ubuntu 16.04, the package name is nginx, the currently installed version is 1.10.3-0ubuntu0.16.04.4, and the corresponding fixed version is 1.10.3-0ubuntu0.16.04.5, the repair command is:
sudo apt-get update && sudo apt-get install --only-upgrade -y nginx-core nginx
1. Smoothly upgrading Nginx 1.12.2 on CentOS 7 to the new version nginx-1.21.5
nginx download: /download/
2. Operation steps
1. Check the current Nginx version information
[root@web ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-pcre --with-openssl=/tmp/openssl-1.1.0e --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module --with-mail --with-threads --with-mail_ssl_module --with-stream_ssl_module
2. Download nginx-1.21.5 to /usr/local/, extract it, and enter the extracted directory
[root@nginx ~]# cd /usr/local/
[root@nginx ~]# wget /download/nginx-1.21.
[root@nginx ~]# tar xf nginx-1.21.
[root@nginx ~]# cd nginx-1.21.5
3. Configure nginx
The nginx -V output lists a large number of modules after "configure arguments". These are the modules you specified when nginx was first installed. You must specify them again when upgrading, and you can also add other modules.
[root@nginx nginx-1.21.5]# ./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-pcre \
--with-openssl=/tmp/openssl-1.1.0e \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_addition_module \
--with-http_sub_module \
--with-http_dav_module \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_random_index_module \
--with-http_secure_link_module \
--with-http_stub_status_module \
--with-http_auth_request_module \
--with-http_image_filter_module \
--with-mail \
--with-threads \
--with-mail_ssl_module \
--with-stream_ssl_module \
&& make
After make finishes, do not run make install; otherwise the existing installation will be overwritten and the nginx service will run into various problems.
Upgrading without interrupting the normal operation of the nginx web server is called a smooth upgrade. First, rename the previous nginx binary file.
[root@nginx nginx-1.21.5]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/
Copy the newly compiled Nginx binary file to /usr/local/nginx/sbin/ directory
[root@nginx nginx-1.21.5]# cp /usr/local/nginx-1.21.5/objs/nginx /usr/local/nginx/sbin/
4. Run the upgrade
[root@web nginx-1.21.5]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/ syntax is ok
nginx: configuration file /usr/local/nginx/conf/ test is successful
kill -USR2 `cat /usr/local/nginx/logs/`
sleep 1
test -f /usr/local/nginx/logs/
kill -QUIT `cat /usr/local/nginx/logs/`
5. View nginx version information
[root@web nginx-1.13.3]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.21.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.1.0e 16 Feb 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-pcre --with-openssl=/tmp/openssl-1.1.0e --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_image_filter_module --with-mail --with-threads --with-mail_ssl_module --with-stream_ssl_module
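The following added example (not part of the original article) compares nginx -V output captured before and after the upgrade: it confirms that the new version meets the 1.16.1 / 1.17.3 thresholds from the preface and that no configure argument from the old build was dropped in the rebuild. The function names and the shortened sample outputs are constructed for illustration.

```shell
# Added example: compare `nginx -V 2>&1` output captured before and after the
# upgrade (nginx -V writes to stderr). Sample outputs are constructed, shortened.
OLD_V='nginx version: nginx/1.12.2
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream_ssl_module'
NEW_V='nginx version: nginx/1.21.5
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-stream_ssl_module'

# Print the bare version number, for example 1.12.2.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# Print one configure argument per line, sorted (assumes no argument has spaces).
nginx_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: //p' | tr ' ' '\n' | grep . | sort
}

# Succeed if the version is 1.16.1+ on the 1.16 branch, or 1.17.3 and above.
is_fixed() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac   # unparsable version
    IFS=. read -r maj min pat <<EOF
$1
EOF
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    [ "$maj" -gt 1 ] && return 0
    [ "$maj" -eq 1 ] || return 1
    [ "$min" -gt 17 ] && return 0
    [ "$min" -eq 17 ] && [ "$pat" -ge 3 ] && return 0
    [ "$min" -eq 16 ] && [ "$pat" -ge 1 ] && return 0
    return 1
}

# Print configure arguments of the old build ($1) that the new build ($2) lacks.
dropped_args() {
    new_list=$(nginx_args "$2")
    nginx_args "$1" | while IFS= read -r arg; do
        printf '%s\n' "$new_list" | grep -qxF -e "$arg" || printf '%s\n' "$arg"
    done
}

# Report on an upgrade; non-zero if below the fixed versions or a module was dropped.
check_upgrade() {
    ver=$(nginx_version "$2")
    missing=$(dropped_args "$1" "$2")
    is_fixed "$ver" || { echo "nginx $ver is below 1.16.1 / 1.17.3"; return 1; }
    [ -z "$missing" ] || { echo "dropped: $missing"; return 1; }
    echo "nginx $ver: fixed version, all configure arguments kept"
}
check_upgrade "$OLD_V" "$NEW_V"
```

A dropped module matters here because the running configuration may still reference its directives, which makes the nginx -t step of make upgrade fail.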
Summary
Error 0
nginx unknown directive “stream”
By default, nginx is installed without the stream module.
The source must be recompiled and reinstalled, adding the --with-stream parameter so that the stream module is built in.
./configure --with-stream
make && make install
Check the configuration file again; once it has no syntax errors, try starting the service again.
nginx -t    # check whether the configuration file is correct
nginx -c    # start with the specified configuration file
Error 1
./configure: error: the HTTP XSLT module requires the libxml2/libxslt
libraries. You can either do not enable the module or install the libraries.
Cause: missing dependencies
Solution:
[root@vm-3 nginx-1.21.5]# yum -y install libxml2 libxslt-devel
Configure again
Error 2
./configure: error: the HTTP image filter module requires the GD library.
You can either do not enable the module or install the libraries.
Solution: install the dependency
yum -y install gd-devel
Configure again
Error 3
./configure: error: perl module ExtUtils::Embed is required
Solution:
yum -y install perl-devel perl-ExtUtils-Embed
Configure again
Error 4
./configure: error: the GeoIP module requires the GeoIP library. You can either do not enable the module or install the library.
Solution:
yum -y install GeoIP GeoIP-devel GeoIP-data
Configure again
Error 5
./configure: error: the Google perftools module requires the Google perftools
library. You can either do not enable the module or install the library.