2026 年 5 月 13 日,F5 和安全研究员 depthfirst 公布了一个 Nginx ngx_http_rewrite_module 模块中的堆缓冲区溢出漏洞,编号 CVE-2026-42945,被命名为"NGINX Rift"。攻击者只需发送一个精心构造的 HTTP 请求,就能在未认证的情况下执行任意代码或导致服务崩溃。修复该漏洞需要将nginx升级到1.30.2以上版本。
由于作者维护了几百个nginx实例,而操作系统版本相对固定,基本都是OpenEuler2203,OpenEuler2403,UOSV20,KylinosV10这几个版本,因此可以先将nginx编译打包成rpm包,再把rpm包分发到各服务器上执行升级命令,这样可以节省大量的编译时间。
因此本文主要介绍基于UOS V20 1070A系统编译nginx1.30.2生成rpm包
一、安装编译环境
bash
# Compiler toolchain, the libraries nginx is built against, and a few
# convenience tools used later on this page (wget, tar).
# NOTE(review): the spec below links with -static; on some distributions the
# static archives (.a) ship in separate *-static packages - confirm on UOS V20.
dnf install -y \
  gcc gcc-c++ make cmake \
  zlib zlib-devel openssl openssl-devel pcre-devel \
  vim net-tools man wget tar
二、 准备软件包构建环境
安装构建依赖
bash
# Packaging tools: rpm-build supplies rpmbuild, rpmdevtools supplies
# rpmdev-setuptree.
dnf -y install rpm-build rpmdevtools
# Create the rpmbuild/ directory skeleton (BUILD, RPMS, SOURCES, SPECS, ...)
# in the current user's home directory.
rpmdev-setuptree
目录结构
bash
rpmbuild/
├── BUILD
├── BUILDROOT
├── RPMS
│ └── x86_64
├── SOURCES
│ ├── nginx-1.30.2.tar.gz
│ └── nginx.service
├── SPECS
│ └── nginx.spec
└── SRPMS
三、准备构建文件
准备nginx编译构建文件
bash
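# Write the spec file that packages nginx 1.30.2 as an RPM.
#
# Changes from the original listing:
#   * The here-document delimiter is quoted ('EOF'), so the shell copies the
#     text literally: no variable expansion, and the backslash line
#     continuations of ./configure reach the spec unchanged.
#   * The target path is anchored at $HOME/rpmbuild, the tree created by
#     rpmdev-setuptree, instead of depending on the current directory.
#   * --with-openssl points at openssl-3.0.20, the version named in the
#     changelog entry (the listing said 3.0.30).
#   * --sbin-path names the executable itself, as nginx's configure expects.
#   * The post scriptlet creates fastcgi_temp (the listing said astcgi_temp).
#   * The systemctl calls name nginx.service; without a unit name they fail
#     and the trailing "|| :" hid the failure.
#   * The userdel call had no user name and this package creates no account,
#     so it is dropped.
#   * Live configuration files are marked config(noreplace) so that rolling
#     the package out does not overwrite configuration already on the host.
#   * After install or upgrade a running nginx.service is restarted; the old
#     binary keeps serving requests until the process is restarted. An nginx
#     started outside systemd still has to be restarted by hand.
# NOTE(review): the changelog text says ARM64 while the page collects the
# package from RPMS/x86_64 - confirm which architecture is intended.
spec_file="${HOME}/rpmbuild/SPECS/nginx.spec"
cat > "${spec_file}" << 'EOF'
Name: nginx
Version: 1.30.2
Release: 0%{?dist}
Summary: omstack
License: GPL
URL: http://www.omfox.cn
Source0: nginx-1.30.2.tar.gz
Source1: nginx.service
BuildRequires: gettext
%description
Garena omstack-build .
%prep
%setup -q
%build
# OpenSSL is compiled from /opt/src and linked statically, so a later OpenSSL
# fix reaches this nginx only by rebuilding and redistributing the package.
# The rtmp module is third-party code; build it in only if it is used.
./configure --prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--modules-path=/usr/lib/nginx/modules \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/run/nginx.lock \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-compat \
--with-threads \
--with-http_addition_module \
--with-http_auth_request_module \
--with-http_dav_module \
--add-module=/opt/src/nginx-rtmp-module \
--with-http_flv_module --with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_mp4_module \
--with-http_random_index_module \
--with-http_realip_module \
--with-http_secure_link_module \
--with-http_slice_module \
--with-http_ssl_module \
--with-openssl=/opt/src/openssl-3.0.20 \
--with-http_stub_status_module \
--with-http_sub_module \
--with-http_v2_module \
--with-mail \
--with-mail_ssl_module \
--with-stream \
--with-stream_realip_module \
--with-stream_ssl_module \
--with-stream_ssl_preread_module \
--with-cc-opt='-static -static-libgcc' \
--with-ld-opt=-static
make %{?_smp_mflags}
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/etc/nginx
mkdir -p %{buildroot}/usr/sbin
mkdir -p %{buildroot}/var/log/nginx
mkdir -p %{buildroot}/var/cache/nginx/{client_temp,proxy_temp,fastcgi_temp,uwsgi_temp,scgi_temp}
mkdir -p %{buildroot}/etc/nginx/{conf.d,sites-enabled}
mkdir -p %{buildroot}/usr/share/nginx/html
make install DESTDIR=%{buildroot}
install -D -m 0644 %{SOURCE1} %{buildroot}/%{_unitdir}/nginx.service
%post
mkdir -p /var/log/nginx
mkdir -p /var/cache/nginx/{client_temp,proxy_temp,fastcgi_temp,uwsgi_temp,scgi_temp}
mkdir -p /etc/nginx/{conf.d,sites-enabled}
mkdir -p /usr/share/nginx/html/
# Pick up the installed unit file, then restart nginx only if it is already
# running under systemd, so the new binary replaces the old one in memory.
systemctl daemon-reload >/dev/null 2>&1 || :
systemctl try-restart nginx.service >/dev/null 2>&1 || :
%preun
# The first scriptlet argument is 0 only when the package is being removed,
# not when it is being upgraded.
if [ "$1" -eq 0 ]; then
    systemctl --quiet is-active nginx.service && systemctl stop nginx.service >/dev/null 2>&1 || :
fi
%postun
# Nothing to clean up: this package does not create a service account.
:
%files
%defattr(-,root,root,-)
%config(noreplace) /etc/nginx/fastcgi.conf
/etc/nginx/fastcgi.conf.default
%config(noreplace) /etc/nginx/fastcgi_params
/etc/nginx/fastcgi_params.default
/etc/nginx/html/50x.html
/etc/nginx/html/index.html
%config(noreplace) /etc/nginx/koi-utf
%config(noreplace) /etc/nginx/koi-win
%config(noreplace) /etc/nginx/mime.types
/etc/nginx/mime.types.default
%config(noreplace) /etc/nginx/nginx.conf
/etc/nginx/nginx.conf.default
%config(noreplace) /etc/nginx/scgi_params
/etc/nginx/scgi_params.default
%config(noreplace) /etc/nginx/uwsgi_params
/etc/nginx/uwsgi_params.default
%config(noreplace) /etc/nginx/win-utf
/usr/sbin/nginx
%{_unitdir}/nginx.service
%changelog
* Wed May 20 2026 omstack <omstack@163.com> - 1.30.2
- Initial release of Nginx 1.30.2 for ARM64 with static OpenSSL 3.0.20
EOF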
添加 systemd方式管理
bash
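# Write the systemd unit that the spec installs as Source1.
#
# The here-document delimiter is quoted ('EOF') so $MAINPID is written to the
# unit file literally. With an unquoted delimiter the shell expands it while
# the file is being written (normally to an empty string), which leaves
# ExecReload/ExecStop running "kill" with no PID. The Description line gets
# its missing service name back, and the target path is anchored at
# $HOME/rpmbuild rather than the current directory.
cat > "${HOME}/rpmbuild/SOURCES/nginx.service" << 'EOF'
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
User=root
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target
EOF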
准备nginx编译源码包
bash
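# Fetch the nginx and OpenSSL sources used by the build.
#
# The OpenSSL tarball is taken from the stable GitHub release URL. The
# original listing used a signed redirect URL whose embedded token expires
# shortly after it is issued, so it cannot be reused.
# These tarballs end up inside a package rolled out to every server: compare
# the printed SHA-256 digests (or check the PGP signatures published next to
# each release) against values obtained from a trusted source before building.
# NOTE(review): the spec also builds /opt/src/nginx-rtmp-module, which this
# page never fetches; place a reviewed, pinned copy there before building.
src_dir=/opt/src
nginx_tarball="${HOME}/rpmbuild/SOURCES/nginx-1.30.2.tar.gz"
openssl_tarball="${src_dir}/openssl-3.0.20.tar.gz"

mkdir -p "${src_dir}" &&
  wget https://nginx.org/download/nginx-1.30.2.tar.gz -O "${nginx_tarball}" &&
  wget https://github.com/openssl/openssl/releases/download/openssl-3.0.20/openssl-3.0.20.tar.gz -O "${openssl_tarball}" &&
  sha256sum "${nginx_tarball}" "${openssl_tarball}" &&
  # nginx's --with-openssl option needs an unpacked source tree, not the archive.
  tar -xzf "${openssl_tarball}" -C "${src_dir}"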
四、构建RPM包
bash
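# Build the binary RPM only (-bb) from the spec written earlier.
# $HOME replaces the hard-coded /root so the path matches the tree created by
# rpmdev-setuptree for whichever user runs the build, and rpmbuild runs only
# if the directory change succeeded.
cd "${HOME}/rpmbuild/SPECS" && rpmbuild -bb nginx.spec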
五、获取rpm包
编译后的rpm包位于${HOME}/rpmbuild/RPMS/x86_64 目录下。
注意: 尽量在相同内核版本的操作系统中安装,可以避免因glibc或者其他系统依赖差别过大导致的安装或者启动报错。