1 问题背景

nginx 安全漏洞(CVE-2019-9511)
nginx 安全漏洞(CVE-2019-9513)
nginx 安全漏洞(CVE-2019-9516)

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-924

https://github.com/httpwg/http2-spec/wiki/Implementations

https://www.sohu.com/a/335416469_120149005 nginx 1.16.1 稳定版和 nginx 1.17.3 主线版发布 修复安全问题

https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ Nginx官方的修复建议

http://nginx.org/en/CHANGES

https://blog.csdn.net/join_gonner/article/details/109239053 升级nginx的参考博客(仅作思路参考，但不推荐按照此博客的做，该博客存在非常多问题，例如: 直接执行 ./configure)

最终结论:升级到 Nginx 1.17.5

Nginx官方建议：

http://nginx.org/en/CHANGES

https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

NGINX 1.16.1 (stable)

NGINX 1.17.3 (mainline)

NGINX Plus R18 P1

2 环境信息

服务器及操作系统版本

# cat /etc/redhat-release

CentOS release 6.8 (Final)

Nginx原版本

# ps -ef | grep -i nginx

root      31044      1  0 Jun04 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx

root      31045  31044  0 Jun04 ?        00:00:02 nginx: worker process

root     714299 714269  0 12:33 pts/4    00:00:00 grep -i nginx

# ll /proc/31044 | grep -i CWD

lrwxrwxrwx 1 root root 0 6月  15 16:52 cwd -> /usr/local/nginx/sbin

# /usr/local/nginx/sbin/nginx -v

nginx version: nginx/1.15.12

3 升级步骤

step1 Nginx 备份

cp -r /usr/local/nginx /usr/local/nginx.202106161252.bak

mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.202106161252.old.bak

step2 下载、上传、解压Nginx新版本安装包

下载地址

http://www.nginx.org/download/nginx-1.17.5.tar.gz

上传安装包到如下指定目录

mkdir -p /opt/SDCUpgrades/20210615/servers/nginx

/opt/SDCUpgrades/20210615/servers/nginx/nginx-1.17.5.tar.gz

解压

tar -xvf /opt/SDCUpgrades/20210615/servers/nginx/nginx-1.17.5.tar.gz -C /opt/SDCUpgrades/20210615/servers/nginx/

step3 编译前配置

cd /opt/SDCUpgrades/20210615/servers/nginx/nginx-1.17.5

./configure --prefix=/usr/local/nginx \

--with-http_stub_status_module

【高危警告】 configure的参数必须与 .../sbin/nginx -V中显示的参数一模一样，切记！！

--conf-path=/usr/local/nginx/conf : 此时不会对 /usr/local/nginx 产生 任何影响；尚不会在 /usr/local/nginx 目录下产生任何文件

step4 编译(只编译不安装)

/usr/local/nginx/sbin/nginx -s stop

cd /opt/SDCUpgrades/20210615/servers/nginx/nginx-1.17.5

make

step5 升级(覆盖)

cp /opt/SDCUpgrades/20210615/servers/nginx/nginx-1.17.5/objs/nginx /usr/local/nginx/sbin/

step6 测试新版本nginx是否正常

/usr/local/nginx/sbin/nginx -t

step7 如果测试正常，则：立即启动 nginx

/usr/local/nginx/sbin/nginx

step8 查验版本(确认nginx是否升级成功)

显示最新编译的版本信息即更新成功

/usr/local/nginx/sbin/nginx -V

X 参考文献

HTTP/2 资源管理错误漏洞 - 国家信息安全漏洞库
记一次nginx 平滑升级 到1.17.5解决(CVE-2019-9511)、(CVE-2019-9513)、(CVE-2019-9516) - CSDN

[Nginx/Linux]Nginx从1.15.12平滑升级到1.17.5的相关教程结束。