From c5b32dfc4cd5d6efdaa68004ea478bf98b4dca54 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Wed, 16 Dec 2020 15:47:02 +0100
Subject: [PATCH] fix CVE-2020-1971 again

---
 Dockerfile | 2 +-
 Dockerfile-amd64 | 2 +-
 Dockerfile-arm32v7 | 2 +-
 Dockerfile-arm64v8 | 2 +-
 Dockerfile-i386 | 2 +-
 autoconf/Dockerfile | 2 +-
 autoconf/Dockerfile-amd64 | 2 +-
 autoconf/Dockerfile-arm32v7 | 2 +-
 autoconf/Dockerfile-arm64v8 | 2 +-
 autoconf/Dockerfile-i386 | 2 +-
 scripts/certbot-renew-hook.sh | 1 +
 scripts/certbot-renew.sh | 11 +----------
 scripts/referrers.sh | 1 -
 scripts/user-agents.sh | 1 -
 ui/Dockerfile | 2 +-
 ui/Dockerfile-amd64 | 2 +-
 ui/Dockerfile-arm32v7 | 2 +-
 ui/Dockerfile-arm64v8 | 2 +-
 ui/Dockerfile-i386 | 2 +-
 19 files changed, 17 insertions(+), 27 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index badf48fa5..daca78375 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,7 +23,7 @@ COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 # Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0"
+RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 4a2389fd4..50fed53eb 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -23,7 +23,7 @@ COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 # Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0"
+RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 021e626d9..4f8ffc943 100644
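Review bot: The `>1.1.1g-r0` constraint on the added `"libssl1.1>1.1.1g-r0"` (and on the existing libcrypto1.1 entry) only excludes the release known to be vulnerable; apk satisfies it with whatever newer build the index offers at build time, which can be an intermediate release that still predates the CVE-2020-1971 fix, so the line does not actually pin the fix. A lower bound on the release that Alpine's secfixes record for the CVE is what expresses the intent, e.g. `"libcrypto1.1>=<FIXED_VERSION>" "libssl1.1>=<FIXED_VERSION>"`, or the per-CVE pins can be replaced by `apk --no-cache upgrade` so every pending security update is pulled in. The same applies to the other 14 Dockerfile hunks (Dockerfile-amd64/-arm32v7/-arm64v8/-i386 and the autoconf/ and ui/ variants). The autoconf/ and ui/ variants additionally use plain `apk add` without `--no-cache`, unlike the root Dockerfiles, which leaves the fetched package index in the image layer.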
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
@@ -30,7 +30,7 @@ COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 # Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0"
+RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index 898767197..6f85a362e 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -30,7 +30,7 @@ COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 # Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0"
+RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 6eb0fb841..664d57a9c 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -23,7 +23,7 @@ COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
 # Fix CVE-2020-28928, CVE-2020-8231 & CVE-2020-1971
-RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0"
+RUN apk --no-cache add "musl-utils>1.1.24-r2" "curl>7.67.0-r1" "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache
diff --git a/autoconf/Dockerfile b/autoconf/Dockerfile
index d2eba0149..2de9053fb 100644
--- a/autoconf/Dockerfile
+++ b/autoconf/Dockerfile
@@ -11,7 +11,7 @@ COPY autoconf/* /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/autoconf/Dockerfile-amd64 b/autoconf/Dockerfile-amd64
index 2cf31d4ed..664de80b2 100644
--- a/autoconf/Dockerfile-amd64
+++ b/autoconf/Dockerfile-amd64
@@ -11,7 +11,7 @@ COPY autoconf/* /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/autoconf/Dockerfile-arm32v7 b/autoconf/Dockerfile-arm32v7
index a9a182723..1590b3553 100644
--- a/autoconf/Dockerfile-arm32v7
+++ b/autoconf/Dockerfile-arm32v7
@@ -18,7 +18,7 @@ COPY autoconf/* /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/autoconf/Dockerfile-arm64v8 b/autoconf/Dockerfile-arm64v8
index ec4bc840c..5f6f6b08e 100644
--- a/autoconf/Dockerfile-arm64v8
+++ b/autoconf/Dockerfile-arm64v8
@@ -18,7 +18,7 @@ COPY autoconf/* /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/autoconf/Dockerfile-i386 b/autoconf/Dockerfile-i386
index 45b60b20b..d79cf6e44 100644
--- a/autoconf/Dockerfile-i386
+++ b/autoconf/Dockerfile-i386
@@ -11,7 +11,7 @@ COPY autoconf/* /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/scripts/certbot-renew-hook.sh b/scripts/certbot-renew-hook.sh
index c16ff04b3..7e5a889e1 100644
--- a/scripts/certbot-renew-hook.sh
+++ b/scripts/certbot-renew-hook.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+# load some functions
 . /opt/scripts/utils.sh
 job_log "[CERTBOT] certificates have been renewed"
diff --git a/scripts/certbot-renew.sh b/scripts/certbot-renew.sh
index a63fd76c8..996b900ca 100644
--- a/scripts/certbot-renew.sh
+++ b/scripts/certbot-renew.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+# load some functions
 . /opt/scripts/utils.sh
 # ask new certificates if needed
@@ -10,13 +11,3 @@ if [ "$?" -eq 0 ] ; then
 else
 job_log "[CERTBOT] renew operation failed"
 fi
-
-# fix rights
-chown -R root:nginx /etc/letsencrypt
-chmod -R 740 /etc/letsencrypt
-find /etc/letsencrypt -type d -exec chmod 750 {} \;
-
-# reload nginx
-if [ -f /tmp/nginx.pid ] ; then
- /usr/sbin/nginx -s reload > /dev/null 2>&1
-fi
diff --git a/scripts/referrers.sh b/scripts/referrers.sh
index cee35adf8..b4996ed6f 100755
--- a/scripts/referrers.sh
+++ b/scripts/referrers.sh
@@ -38,7 +38,6 @@ if [ "$lines" -gt 1 ] ; then
 fi
 else
 job_log "[BLACKLIST] can't update referrers list"
-
 fi
 rm -f /tmp/map-referrer.conf 2> /dev/null
diff --git a/scripts/user-agents.sh b/scripts/user-agents.sh
index fa0f187c3..5541495d9 100755
--- a/scripts/user-agents.sh
+++ b/scripts/user-agents.sh
@@ -40,7 +40,6 @@ if [ "$lines" -gt 1 ] ; then
 fi
 else
 job_log "[BLACKLIST] can't update user-agent list"
-
 fi
 rm -f /tmp/map-user-agent.conf 2> /dev/null
diff --git a/ui/Dockerfile b/ui/Dockerfile
index 2d5b81394..537cc2b8d 100644
--- a/ui/Dockerfile
+++ b/ui/Dockerfile
@@ -11,7 +11,7 @@ COPY ui/ /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/ui/Dockerfile-amd64 b/ui/Dockerfile-amd64
index 811b19dee..42d089092 100644
--- a/ui/Dockerfile-amd64
+++ b/ui/Dockerfile-amd64
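Review bot: The second scripts/certbot-renew.sh hunk removes the unconditional `chown -R root:nginx /etc/letsencrypt` / `chmod` tightening and the `nginx -s reload`, but nothing in this commit adds them anywhere else — the diffstat shows scripts/certbot-renew-hook.sh gaining only the one comment line — so unless the hook already carries them from an earlier commit, newly written certificate files presumably keep certbot's default ownership and mode and nginx keeps the old certificate loaded until something else reloads it. If the hook is meant to take this over, a deploy hook only runs when a certificate is actually renewed, which is adequate for the reload but means the permission fix is no longer reapplied on every scheduled run as it was before. The commit title `fix CVE-2020-1971 again` says nothing about this behaviour change; it deserves a sentence in the description or a separate commit.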
@@ -11,7 +11,7 @@ COPY ui/ /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/ui/Dockerfile-arm32v7 b/ui/Dockerfile-arm32v7
index 55e072ed5..fcfe52078 100644
--- a/ui/Dockerfile-arm32v7
+++ b/ui/Dockerfile-arm32v7
@@ -18,7 +18,7 @@ COPY ui/ /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/ui/Dockerfile-arm64v8 b/ui/Dockerfile-arm64v8
index 738f3c554..b0941124d 100644
--- a/ui/Dockerfile-arm64v8
+++ b/ui/Dockerfile-arm64v8
@@ -18,7 +18,7 @@ COPY ui/ /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx
diff --git a/ui/Dockerfile-i386 b/ui/Dockerfile-i386
index adb645700..ec60ddd3a 100644
--- a/ui/Dockerfile-i386
+++ b/ui/Dockerfile-i386
@@ -11,7 +11,7 @@ COPY ui/ /opt/entrypoint/
 RUN chmod +x /opt/entrypoint/*.py /opt/entrypoint/*.sh
 # Fix CVE-2020-1971
-RUN apk add "libcrypto1.1>1.1.1g-r0"
+RUN apk add "libcrypto1.1>1.1.1g-r0" "libssl1.1>1.1.1g-r0"
 VOLUME /etc/nginx