Bot Updating Package Versions

Merge pull request #130 from linuxserver/authelia-patch
2026-03-05 18:03:33 +09:00 · 2021-06-03 06:57:42 +00:00 · 2021-05-28 23:05:08 +00:00 · 2021-05-28 18:49:04 -04:00 · 2021-05-28 18:24:23 -04:00 · 2021-05-28 18:19:22 -04:00
5 changed files with 35 additions and 25 deletions
--- a/README.md
+++ b/README.md
@@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

 ## Versions

+* **28.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`.
 * **20.05.21:** - Modify resolver.conf generation to detect and ignore ipv6.
 * **14.05.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
 * **21.04.21:** - [Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method.
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -12,7 +12,7 @@ c-client-2007f-r11
 ca-certificates-20191127-r5
 ca-certificates-bundle-20191127-r5
 coreutils-8.32-r2
-curl-7.76.1-r0
+curl-7.77.0-r0
 expat-2.2.10-r1
 fail2ban-0.11.1-r4
 freetype-2.10.4-r1
@@ -35,7 +35,7 @@ libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.46-r0
 libcrypto1.1-1.1.1k-r0
-libcurl-7.76.1-r0
+libcurl-7.77.0-r0
 libedit-20191231.3.1-r1
 libevent-2.1.12-r1
 libffi-3.3-r2
@@ -94,26 +94,26 @@ ncurses-libs-6.2_p20210109-r0
 ncurses-terminfo-base-6.2_p20210109-r0
 nettle-3.7.2-r0
 nghttp2-libs-1.42.0-r1
-nginx-1.18.0-r14
-nginx-mod-devel-kit-1.18.0-r14
-nginx-mod-http-brotli-1.18.0-r14
-nginx-mod-http-dav-ext-1.18.0-r14
-nginx-mod-http-echo-1.18.0-r14
-nginx-mod-http-fancyindex-1.18.0-r14
-nginx-mod-http-geoip2-1.18.0-r14
-nginx-mod-http-headers-more-1.18.0-r14
-nginx-mod-http-image-filter-1.18.0-r14
-nginx-mod-http-nchan-1.18.0-r14
-nginx-mod-http-perl-1.18.0-r14
-nginx-mod-http-redis2-1.18.0-r14
-nginx-mod-http-set-misc-1.18.0-r14
-nginx-mod-http-upload-progress-1.18.0-r14
-nginx-mod-http-xslt-filter-1.18.0-r14
-nginx-mod-mail-1.18.0-r14
-nginx-mod-rtmp-1.18.0-r14
-nginx-mod-stream-1.18.0-r14
-nginx-mod-stream-geoip2-1.18.0-r14
-nginx-vim-1.18.0-r14
+nginx-1.18.0-r15
+nginx-mod-devel-kit-1.18.0-r15
+nginx-mod-http-brotli-1.18.0-r15
+nginx-mod-http-dav-ext-1.18.0-r15
+nginx-mod-http-echo-1.18.0-r15
+nginx-mod-http-fancyindex-1.18.0-r15
+nginx-mod-http-geoip2-1.18.0-r15
+nginx-mod-http-headers-more-1.18.0-r15
+nginx-mod-http-image-filter-1.18.0-r15
+nginx-mod-http-nchan-1.18.0-r15
+nginx-mod-http-perl-1.18.0-r15
+nginx-mod-http-redis2-1.18.0-r15
+nginx-mod-http-set-misc-1.18.0-r15
+nginx-mod-http-upload-progress-1.18.0-r15
+nginx-mod-http-xslt-filter-1.18.0-r15
+nginx-mod-mail-1.18.0-r15
+nginx-mod-rtmp-1.18.0-r15
+nginx-mod-stream-1.18.0-r15
+nginx-mod-stream-geoip2-1.18.0-r15
+nginx-vim-1.18.0-r15
 npth-1.6-r0
 oniguruma-6.9.6-r0
 openssl-1.1.1k-r0
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -151,6 +151,7 @@ app_setup_nginx_reverse_proxy_block: ""

 # changelog
 changelogs:
+  - { date: "28.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf - Use `resolver.conf` and patch for `CVE-2021-32637`." }
  - { date: "20.05.21:", desc: "Modify resolver.conf generation to detect and ignore ipv6." }
  - { date: "14.05.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) nginx.conf, ssl.conf, proxy.conf, and the default site-conf - Rework nginx.conf to be inline with alpine upstream and relocate lines from other files. Use linuxserver.io wheel index for pip packages. Switch to using [ffdhe4096](https://ssl-config.mozilla.org/ffdhe4096.txt) for `dhparams.pem` per [RFC7919](https://datatracker.ietf.org/doc/html/rfc7919). Added `worker_processes.conf`, which sets the number of nginx workers, and `resolver.conf`, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later." }
  - { date: "21.04.21:", desc: "[Existing users should update:](https://github.com/linuxserver/docker-swag/blob/master/README.md#updating-configs) authelia-server.conf and authelia-location.conf - Add remote name/email headers and pass http method." }
--- a/root/defaults/authelia-server.conf
+++ b/root/defaults/authelia-server.conf
@@ -1,16 +1,19 @@
-## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
+## Version 2021/05/28 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/authelia-server.conf
 # Make sure that your authelia container is in the same user defined bridge network and is named authelia

 location ^~ /authelia {
    include /config/nginx/proxy.conf;
-    resolver 127.0.0.11 valid=30s;
+    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass http://$upstream_authelia:9091;
 }

 location = /authelia/api/verify {
    internal;
-    resolver 127.0.0.11 valid=30s;
+    if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
+        return 401;
+    }
+    include /config/nginx/resolver.conf;
    set $upstream_authelia authelia;
    proxy_pass_request_body off;
    proxy_pass http://$upstream_authelia:9091;
--- a/root/etc/cont-init.d/50-config
+++ b/root/etc/cont-init.d/50-config
@@ -109,6 +109,11 @@ if ! grep -q '#Removed lua' /config/nginx/nginx.conf; then
    sed -i 's|\tlua_load_resty_core off;|\t#Removed lua. Do not remove this comment|g' /config/nginx/nginx.conf
 fi

+# patch authelia-server.conf for CVE-2021-32637
+if ! grep -q 'if ($request_uri ~' /config/nginx/authelia-server.conf; then
+    sed -i '/internal;/a \ \ \ \ if ($request_uri ~ [^a-zA-Z0-9_+-=\\!@$%&*?~.:#'\''\\;\\(\\)\\[\\]]) { return 401; }' /config/nginx/authelia-server.conf
+fi
+
 # copy pre-generated dhparams or generate if needed
 [[ ! -f /config/nginx/dhparams.pem ]] && \
    cp /defaults/dhparams.pem /config/nginx/dhparams.pem
Author	SHA1	Message	Date
LinuxServer-CI	cc003df158	Bot Updating Package Versions	2021-06-03 06:57:42 +00:00
LinuxServer-CI	0546211470	Bot Updating Package Versions	2021-05-28 23:05:08 +00:00
aptalca	056f27437e	Merge pull request #130 from linuxserver/authelia-patch update and patch authelia-server.conf for resolver and CVE	2021-05-28 18:49:04 -04:00
aptalca	7437478c3a	use single quotes	2021-05-28 18:24:23 -04:00
aptalca	020ab44638	force patch authelia-server.conf	2021-05-28 18:19:22 -04:00
aptalca	224abb686d	update authelia-server.conf for resolver and CVE	2021-05-28 17:40:28 -04:00