Commit Graph

102 Commits

Author SHA1 Message Date
Hitendra Prajapati 1c0f533c21 nginx: fix CVE-2026-32647
As per the advisory[1] mentioned in NVD[2], version 1.28.3 contains the fix.
Backport the commit[3] from 1.28.3 changelog matching the description.

[1] https://my.f5.com/manage/s/article/K000160366
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-32647
[3] https://github.com/nginx/nginx/commit/a172c880cb51f882a5dc999437e8b3a4f87630cc

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-23 20:22:41 +02:00
Hitendra Prajapati e4faf10eb1 nginx: fix multiple CVEs
Pick up patch from NVD report.

More details :
[1]: https://nvd.nist.gov/vuln/detail/CVE-2026-27651
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-27654
[3]: https://nvd.nist.gov/vuln/detail/CVE-2026-28753

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>

Debian links, referencing these commits:
https://security-tracker.debian.org/tracker/CVE-2026-27651
https://security-tracker.debian.org/tracker/CVE-2026-27654
https://security-tracker.debian.org/tracker/CVE-2026-28753

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-23 20:20:04 +02:00
Gyorgy Sarvari 0b90471022 nginx: set CVE_PRODUCT
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d25aadbbb5)
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-17 06:36:47 +02:00
Hitendra Prajapati 00a70a727e nginx: fix CVE-2026-27784, CVE-2026-28755
Pick up patch [1] and [2] from Debian report.
[1] https://security-tracker.debian.org/tracker/CVE-2026-27784
[2] https://security-tracker.debian.org/tracker/CVE-2026-28755

More details :
[1]: https://nvd.nist.gov/vuln/detail/CVE-2026-27784
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-28755

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-04-07 10:36:44 +02:00
Peter Marko 13b25be8f8 nginx: apply patchs for CVE-2025-23419 and CVE-2026-1642 to all versions
There is no reason to apply them only to single version when they apply
properly to all versions.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-26 13:36:35 +01:00
Peter Marko 3c1286f8b3 nginx: patch CVE-2026-1642
Pick patch accorting to [1].

[1] https://security-tracker.debian.org/tracker/CVE-2026-1642

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-02-26 13:36:34 +01:00
Peter Marko 7d213b2366 nginx: patch CVE-2025-53859 in stable
Pick patch from nginx site which is also mentioned in [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-53859

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-09-06 16:27:30 +02:00
Changqing Li fedd8cf51d nginx: fix CVE-2025-23419
CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication.   Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.

Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419

This partially cherry picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
parts. One fixed problem in `http/ngx_http_request` module and the
second fixed problem in `stream/ngx_stream_ssl_module` module.  The fix
for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
virtual servers' funcionality was added later in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only `http/ngx_http_request` part was backported.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-03-06 09:48:58 -05:00
Ashish Sharma b2ad711bcf nginx: Backport fix for CVE-2024-7347
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f &
https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-08-25 18:12:00 -04:00
Jasper Orschulko f5f4a465f7 nginx-1.20.1: Drop reference to removed patch
Follow-up to commits 38a07ce and 8e297cd.

Also remove remaining reference to removed patch in nginx 1.20.1.

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-07-17 20:09:11 -04:00
Niko Mauno 38a07ce40e nginx-1.21.1: Drop reference to removed patch
Align to commit 8e297cdc84
("nginx: Remove obsolete patch") by removing reference to
removed patch file. By doing so we mitigate the following
BitBake complaint:

  WARNING: .../meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb: Unable to get checksum for nginx SRC_URI entry 0001-HTTP-2-per-iteration-stream-handling-limit.patch: file could not be found

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-27 11:20:56 -04:00
Jasper Orschulko 8e297cdc84 nginx: Remove obsolete patch
With the inclusion of commit 85102dd2df
the same patch was introduced again, thus this copy can be deleted
(which accidently was never used, since I originally forgot to add it to
the SRC_URI, whoops).

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:16:32 -04:00
Meenali Gupta 85102dd2df nginx: fix CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-05-26 15:21:47 -04:00
Jasper Orschulko 3fdd260209 nginx: Mitigate HTTP/2 Stream Resets Flood impact
Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product
(CVE-2023-44487).

See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

This patch only reduces the impact and does not completely mitigate the CVE
in question, the latter being due to a design flaw in the HTTP/2 protocol
itself. For transparancy reasons I therefore opted to not mark the
CVE as resolved, so that integrators can decide for themselves, wheither to
enable HTTP/2 support or allow HTTP/1.1 connections only.

Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-12-13 13:35:51 -05:00
Michael Haener 8a75c61cce nginx: upgrade to 1.24.0 release
According to http://nginx.org/en/CHANGES nginx supports the openssl 3.x
component only from version 1.21.2. In Kirstone openssl 3.x is included but
all provided versions of nginx are older, so there is currently an
incompatibility. With this patch this incompatibility get removed.

Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-11-18 10:03:19 -05:00
Joe Slater 8a8ff58c2b nginx: add configure option
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option.  The option is not added to the defaults.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e0ac8eec48)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-10-17 08:53:00 -04:00
Luke Schaefer 346753705e webserver: nginx: Add stream
Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>

Add stream support to nginx PACKAGECONFIG

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-04 10:20:46 -04:00
Hitendra Prajapati ba5ccfceb8 nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module
Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-11-19 11:14:34 -05:00
Stefan Herbrechtsmeier ef3cc6e87b nginx: add gunzip PACKAGECONFIG
The nginx gunzip module is a filter that decompresses responses with
'Content-Encoding: gzip' for clients that do not support 'gzip' encoding
method. The module will be useful when it is desirable to store data
compressed to save space and reduce I/O costs.

Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-29 08:33:41 -07:00
Ross Burton ef4f5c1f33 nginx: use ln -rs
lnr is deprecated, use ln -rs directly instead.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-11 06:36:53 -08:00
Nathan Rossi 967fe6730c nginx: Fix off_t size passed in configure
For linux, nginx will always compile with '-D_FILE_OFFSET_BITS=64'. This
means that off_t will always be 8 bytes long, even on 32-bit targets.

This configuration change resolves some issues with nginx and handling
range headers.

Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-08-31 09:05:43 -07:00
Joe Slater f92dbcc4c2 nginx: fix CVE-2021-3618
Backport with no change a patch from version 1.21.0.  This patch
was not cherry-picked by nginx to version 1.20.1.

Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-08-20 09:26:18 -07:00
Martin Jansa c61dc077bb Convert to new override syntax
This is the result of automated script (0.9.1) conversion:

oe-core/scripts/contrib/convert-overrides.py .

converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-08-03 10:21:25 -07:00
Salman Ahmed 5a9eef2f53 nginx: upgrade 1.19.6 -> 1.21.1
Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-07-30 10:42:35 -07:00
Salman Ahmed 13e9518c18 nginx: upgrade 1.18.0 -> 1.20.1
Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-07-30 10:42:35 -07:00
changqing.li@windriver.com 5af79fb5f1 nginx: upgrade 1.17.8 -> 1.19.6
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-12-30 22:26:30 -08:00
changqing.li@windriver.com b647b9566a nginx: upgrade 1.16.1 -> 1.18.0
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-12-30 22:26:30 -08:00
Yi Zhao 6e9f393605 nginx: remove /var/log/nginx when do_install
Remove directory /var/log/nginx when do_install because it is created by
volatiles file.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-05-06 12:51:39 -07:00
Changqing Li fc8f28c611 nginx: fix error during service startup
fix below error:
nginx.service: failed to parse pid from file /run/nginx/nginx.pid:
invalid argument

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-02-26 07:17:58 -08:00
Derek Straka 4cc894ad99 nginx: update to the latest development version (1.17.8)
See Changelog: https://nginx.org/en/CHANGES

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-02-09 22:31:31 -08:00
Derek Straka 7e37a79e24 nginx: update to the latest stable version (1.16.1)
See changlog here: https://nginx.org/en/CHANGES-1.16
  * Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-02-09 22:31:31 -08:00
Gaylord Charles 35dddf62f5 nginx: fix install paths
This patch fixes Nginx install paths. I tried to build the native variant
for testing purpose and had errors.

- Use path variable instead of /usr
- Replace the absolute path symlink with a relative one

Signed-off-by: Gaylord CHARLES <gaylord.charles@veo-labs.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-11-17 12:34:21 -08:00
nick83ola dd5622ef2b nginx: fix kill path in nginx systemd unit file
the kill utility is located in /bin/kill -> use base_bindir instead of bindir

Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-27 09:48:07 -07:00
nick83ola acb604775e nginx: add PACKAGECONFIG[http-auth-request]
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-27 09:48:07 -07:00
nick83ola 17f6abb622 nginx: update stable version to 1.16.0
The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the
LICENSE file

  - * Copyright (C) 2002-2018 Igor Sysoev
  - * Copyright (C) 2011-2018 Nginx, Inc.
  + * Copyright (C) 2002-2019 Igor Sysoev
  + * Copyright (C) 2011-2019 Nginx, Inc.

Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-27 09:48:07 -07:00
nick83ola 0ea5589b40 nginx: update to version 1.17.0
The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the
LICENSE file

  - * Copyright (C) 2002-2018 Igor Sysoev
  - * Copyright (C) 2011-2018 Nginx, Inc.
  + * Copyright (C) 2002-2019 Igor Sysoev
  + * Copyright (C) 2011-2019 Nginx, Inc.

Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-05-27 09:48:07 -07:00
André Draszik eaedfa5e0e nginx: add default proxy_params
As per Debian packaging - to use it, see
    https://wiki.debian.org/Nginx/DirectoryStructure#Extra_Parameters

    This file is most commonly included when Nginx is acting
    as a reverse proxy:
        include /etc/nginx/proxy_params;
        proxy_pass http://localhost:8000;

Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-19 10:06:20 -08:00
André Draszik 22e17bb10c nginx: configuration update
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
  - /etc/nginx/modules-enabled/*.conf
  - /etc/nginx/conf.d/*.conf
  - /etc/nginx/sites-enabled/*
* default site (port 80):
  - move into /etc/nginx/sites-available/default_server
    and enable via symlink in /etc/nginx/sites-enabled/
  - listen on IPv6
  - drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
  defaults
* update remaining bits to follow Debian standard configuration
  https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default

These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf

Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-19 10:06:20 -08:00
André Draszik a0eadda910 nginx: update systemd unit using nginx recommendation
Our systemd unit doesn't follow the official
recommendation, see
    https://www.nginx.com/resources/wiki/start/topics/examples/systemd/

Most importantly:
* it should start after some additional specific
  targets/units
* using PrivateTmp is a useful security feature, in
  particular to avoid cross domain scripting via the
  temp folder
* using systemd's $MAINPID, we can distinguish between
  multiple running nginx instances correctly

Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2019-01-19 10:06:20 -08:00
Andrej Valek 6356e84d6b nginx: update stable version to 1.14.2
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-12-11 22:13:55 -08:00
Andrej Valek ace39a5ed1 nginx: update to version 1.15.7
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-12-10 09:31:27 -08:00
Max Kellermann 4e389f64d7 nginx: add PACKAGECONFIG[ssl]
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-09-24 11:49:45 -07:00
Khem Raj f0acce20d4 nginx: Upgrade to 1.15.2
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-08-15 08:20:06 -07:00
Derek Straka 715eac320f nginx: remove the 1.13 recipe in favor of the new dev branch of 1.5.x
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-07-12 07:19:42 -07:00
Derek Straka 7cb4eb4a95 nginx: enable thread pools by default
The thread pool feature can be enabled without significant extra binary size.  Thread pools can increase performance by an order of magnitude on some configurations

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-07-12 07:19:42 -07:00
Derek Straka f51ba94d3a nginx: update latest development version to 1.13.12
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-05-17 08:17:50 -07:00
Derek Straka c94bc52ed9 nginx: update stable version to 1.14.0
License-Update: Update license file for latest copyright date

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-05-17 08:17:49 -07:00
Armin Kuster cf2be348ae nginx: refresh patches
WARNING: nginx-1.12.2-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:

    devtool modify <recipe>
    devtool finish --force-patch-refresh <recipe> <layer_path>

Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch nginx-cross.patch
patching file auto/feature
patching file auto/options
Hunk #1 succeeded at 386 (offset 33 lines).
Hunk #2 succeeded at 580 (offset 35 lines).
Hunk #3 succeeded at 599 (offset 22 lines).
patching file auto/types/sizeof
patching file auto/unix
Hunk #1 succeeded at 587 (offset 194 lines).
Hunk #2 succeeded at 604 with fuzz 1 (offset 188 lines).
Hunk #3 succeeded at 620 with fuzz 2 (offset 188 lines).

Now at patch nginx-cross.patch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-04-13 12:43:42 -07:00
Derek Straka 939c85fd90 nginx: update development version to 1.13.9
Update license checksum for copyright changes

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-03-16 19:12:26 -07:00
Martin Jansa 99aa19ff53 recipes: use oe.utils.conditional instead of deprecated base_conditional
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2018-02-01 13:48:27 +00:00