From a94ecb7568e61f2a8663c6f7e2653009b0147a47 Mon Sep 17 00:00:00 2001
From: Aapo Talvensaari
Date: Wed, 8 Nov 2023 11:56:03 +0200
Subject: [PATCH] chore(deps): bump openresty from 1.21.4.2 to 1.21.4.3 (#11952)

### Summary

- bugfix: applied the patch for security advisory to NGINX cores. (CVE-2023-44487).

Kong already had the patch, but well, now that it is packaged, we can remove ours, and get to the latest OpenResty

KAG-3033

Signed-off-by: Aapo Talvensaari
---
 .requirements | 2 +-
 ...pid-reset-ddos-attack-cve-2023-44487.patch | 53 -------------------
 build/openresty/repositories.bzl | 2 +-
 .../kong/bump-openresty-1.21.4.3.yml | 3 ++
 changelog/unreleased/kong/bump_openresty.yml | 6 ---
 kong/meta.lua | 2 +-
 6 files changed, 6 insertions(+), 62 deletions(-)
 delete mode 100644 build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch
 create mode 100644 changelog/unreleased/kong/bump-openresty-1.21.4.3.yml
 delete mode 100644 changelog/unreleased/kong/bump_openresty.yml

diff --git a/.requirements b/.requirements
index 6cbe6412a4f0..e81e2d985b9d 100644
--- a/.requirements
+++ b/.requirements
@@ -1,6 +1,6 @@
 KONG_PACKAGE_NAME=kong
-OPENRESTY=1.21.4.2
+OPENRESTY=1.21.4.3
 LUAROCKS=3.9.2
 OPENSSL=3.1.4
 PCRE=8.45
diff --git a/build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch b/build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch
deleted file mode 100644
index 1ab586cfcdcf..000000000000
--- a/build/openresty/patches/nginx-1.21.4_09-http2-rapid-reset-ddos-attack-cve-2023-44487.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-diff --git a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
-index 3afa8b6..228b060 100644
---- a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
-+++ b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.c
-@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
- ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
- 
- h2c->blocked = 1;
-+ h2c->new_streams = 0;
- 
- if (c->close) {
- c->close = 0;
-@@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
- goto rst_stream;
- }
- 
-+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
-+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+ "client sent too many streams at once");
-+ 
-+ status = NGX_HTTP_V2_REFUSED_STREAM;
-+ goto rst_stream;
-+ }
-+ 
- if (!h2c->settings_ack
- && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
- && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
-@@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
- 
- rst_stream:
- 
-+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
-+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+ "client sent too many refused streams");
-+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
-+ }
-+ 
- if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
- return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
- }
-diff --git a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
-index 0eceae3..aef40bb 100644
---- a/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
-+++ b/bundle/nginx-1.21.4/src/http/v2/ngx_http_v2.h
-@@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s {
- ngx_uint_t processing;
- ngx_uint_t frames;
- ngx_uint_t idle;
-+ ngx_uint_t new_streams;
-+ ngx_uint_t refused_streams;
- ngx_uint_t priority_limit;
- 
- ngx_uint_t pushing;
diff --git a/build/openresty/repositories.bzl b/build/openresty/repositories.bzl
index 4c29e63a6de1..e2611126b8d7 100644
--- a/build/openresty/repositories.bzl
+++ b/build/openresty/repositories.bzl
@@ -30,7 +30,7 @@ def openresty_repositories():
 openresty_http_archive_wrapper,
 name = "openresty",
 build_file = "//build/openresty:BUILD.openresty.bazel",
- sha256 = "5b1eded25c1d4ed76c0336dfae50bd94d187af9c85ead244135dd5ae363b2e2a",
+ sha256 = "33a84c63cfd9e46b0e5c62eb2ddc7b8068bda2e1686314343b89fc3ffd24cdd3",
 strip_prefix = "openresty-" + openresty_version,
 urls = [
 "https://openresty.org/download/openresty-" + openresty_version + ".tar.gz",
diff --git a/changelog/unreleased/kong/bump-openresty-1.21.4.3.yml b/changelog/unreleased/kong/bump-openresty-1.21.4.3.yml
new file mode 100644
index 000000000000..bb7510e76231
--- /dev/null
+++ b/changelog/unreleased/kong/bump-openresty-1.21.4.3.yml
@@ -0,0 +1,3 @@
+message: "Bumped OpenResty from 1.21.4.1 to 1.21.4.3"
+type: dependency
+scope: Core
diff --git a/changelog/unreleased/kong/bump_openresty.yml b/changelog/unreleased/kong/bump_openresty.yml
deleted file mode 100644
index de509539f623..000000000000
--- a/changelog/unreleased/kong/bump_openresty.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-message: "Bumped OpenResty from 1.21.4.1 to 1.21.4.2"
-type: dependency
-prs:
- - 11360
-jiras:
- - "KAG-2140"
diff --git a/kong/meta.lua b/kong/meta.lua
index e723d40c9b3c..8d4eb0a17fa9 100644
--- a/kong/meta.lua
+++ b/kong/meta.lua
@@ -24,6 +24,6 @@ return {
 -- third-party dependencies' required version, as they would be specified
 -- to lua-version's `set()` in the form {from, to}
 _DEPENDENCIES = {
- nginx = { "1.21.4.2" },
+ nginx = { "1.21.4.3" },
 }
 }