643 Commits

Author SHA1 Message Date
Gyorgy Sarvari d31f07340f monkey: patch CVEs
These patches are about a number of CVEs filed against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.

These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs separately, but they fix a number of CVEs altogether.

Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.

I haven't added specific CVE info to the patches, on one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilities will disappear
from the CVE report due to this.

[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-20 07:35:36 -07:00
Gyorgy Sarvari 22277ca3a3 monkey: upgrade 1.8.4 -> 1.8.7
Shortlog:
https://github.com/monkey/monkey/compare/v1.8.4...v1.8.7

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-20 07:35:36 -07:00
Khem Raj 0c5517ff10 hiawatha: Upgrade to 12.1 release
- HTTP/2 support added via the nghttp2 library
  (credits to Heiko Zimmermann) — noted as experimental, so
  testing carefully before enabling on production servers is
  recommended.
- mbed TLS updated from 4.0.0 to 4.1.0.
- ssi-cgi removed — the release notes suggest using
  Hiawatha's XSLT support as a more advanced alternative.

Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-16 12:21:07 -07:00
Khem Raj 0581dcc49b sthttpd: disable C23 support to fix configure check
Set ac_cv_prog_cc_c23=no to prevent autoconf from detecting C23
compiler support, avoiding potential build failures as the package
is not yet fully ported to support C23 standard.

Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-16 12:21:06 -07:00
Wang Mingyu 56e3346fa0 swagger-ui: upgrade 5.32.1 -> 5.32.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-10 07:59:58 -07:00
Jason Schonberg 39adc57e17 webmin: upgrade 2.621 -> 2.630
Changelog: https://github.com/webmin/webmin/releases/tag/2.630

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-06 09:46:29 -07:00
Gyorgy Sarvari 81e1926faf nginx: upgrade 1.29.6 -> 1.29.7
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).

*) Feature: the "multipath" parameter of the "listen" directive.

*) Feature: the "local" parameter of the "keepalive" directive in the
   "upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
   enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
   default value for "proxy_http_version" is "1.1"; the "Connection"
   proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
   the next upstream if buffered body was used in the
   ngx_http_grpc_module.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-03-28 08:32:48 -07:00
Gyorgy Sarvari 34b3d0f491 nginx: upgrade 1.28.2 -> 1.28.3
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).

*) Change: now nginx limits the size and rate of QUIC stateless reset
   packets.

*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
   the connection to terminate.

*) Bugfix: in the ngx_http_mp4_module.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-03-28 08:32:48 -07:00
Wang Mingyu ab7159e7e4 swagger-ui: upgrade 5.32.0 -> 5.32.1
Bugfixes:
=========
- invalidate models components cache based on location
- style: use container queries for responsive design

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-03-27 09:09:03 -07:00
Khem Raj 79f39ce6c6 hiawatha: Fix checksum mismatch again
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-03-24 18:55:44 -07:00
Alper Ak 79ef81c1b5 hiawatha: Fix checksum mismatch
Update the sha256sum to match the current upstream archive.

Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-03-21 14:23:46 -07:00
Gyorgy Sarvari 9857c47f2a sthttpd: remove obsolete CVE_STATUS
The CVE is now tracked with the correct version info by NVD.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-20 14:13:10 -07:00
Khem Raj a75c2f0b6f layers: update for wrynose release series
Drop walnascar from supported release series

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-18 14:35:06 -07:00
Ankur Tyagi 0f18a8f9e0 spawn-fcgi: upgrade 1.6.5 -> 1.6.6
Changelog:
* Use meson instead of autotools and cmake
* Simplify/reduce configure checks and #ifdefs

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-18 14:33:26 -07:00
Ankur Tyagi 757cf70943 nginx: upgrade 1.29.5 -> 1.29.6
Changelog:
* Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive supports
the "route" and "drain" parameters.
* Change: now nginx limits the size and rate of QUIC stateless reset
packets.
* Bugfix: receiving a QUIC packet by a wrong worker process could cause the
connection to terminate.
* Bugfix: "[crit] cache file ... contains invalid header" messages might
appear in logs when sending a cached HTTP/2 response.
* Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
* Bugfix: in the ngx_http_mp4_module.
* Bugfix: nginx treated a comma as separator in the "Cookie" request header
line when evaluating "$cookie_..." variables.
* Bugfix: in IMAP command literal argument parsing.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-18 14:33:26 -07:00
Ankur Tyagi e69af2bc14 webmin: upgrade 2.520 -> 2.621
https://github.com/webmin/webmin/releases/tag/2.600
https://github.com/webmin/webmin/releases/tag/2.610
https://github.com/webmin/webmin/releases/tag/2.620
https://github.com/webmin/webmin/releases/tag/2.621

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-18 14:33:26 -07:00
Gyorgy Sarvari f2d8476ca2 hiawatha: upgrade 11.8 -> 12.0
Changelog:
* mbed TLS updated to 4.0.0.
* Replaced strcpy() with strlcpy() and sprintf() with snprintf().
* Added OS sandbox.
* Removed DHsize option.
* Known bug: mbed TLS v4.0.0 doesn't compile in Cygwin, so building
  a Windows package is not possible.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-17 22:02:53 -07:00
Wang Mingyu 3eff6000e4 swagger-ui: upgrade 5.31.2 -> 5.32.0
Changelog:
 oas32: add basic OpenAPI 3.2.0 support

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-17 13:25:34 -07:00
Liu Yiding 550fec593a xdebug: upgrade 3.5.0 -> 3.5.1
Changelog:
  https://github.com/xdebug/xdebug/releases/tag/3.5.1

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-02 19:25:59 -08:00
Wang Mingyu 3556286880 swagger-ui: upgrade 5.30.3 -> 5.31.2
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-02 19:25:56 -08:00
Jason Schonberg e3b6caa4f1 webmin: upgrade 2.501 -> 2.520
Changelog: https://github.com/webmin/webmin/releases/tag/2.520
Changelog: https://github.com/webmin/webmin/releases/tag/2.510

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-24 22:30:26 -08:00
Gyorgy Sarvari cd0a0f605e nginx: upgrade 1.29.1 -> 1.29.5
License-Update: copyright year bump.

Changelog:
1.29.5:
- Security: an attacker might inject plain text data in the response
  from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
  or HTTP/2 backend.
- Bugfix: an invalid HTTP/2 request might be sent after switching to
  the next upstream.
- Bugfix: a response with multiple ranges might be larger than the
  source response.
- Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
  uwsgi backends.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
- Change: the logging level of the "ech_required" SSL error has been
  lowered from "crit" to "info".

1.29.4:
- Feature: the ngx_http_proxy_module supports HTTP/2.
- Feature: Encrypted ClientHello TLS extension support when using
  OpenSSL ECH feature branch; the "ssl_ech_file" directive.
  Thanks to Stephen Farrell.
- Change: validation of host and port in the request line, "Host"
  header field, and ":authority" pseudo-header field has been changed
  to follow RFC 3986.
- Change: now a single LF used as a line terminator in a chunked
  request or response body is considered an error.
- Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation
  fault might occur in a worker process; the bug had appeared in
  1.29.1.
  Thanks to Jan Svojanovsky.
- Bugfix: a segmentation fault might occur in a worker process if the
  "try_files" directive and "proxy_pass" with a URI were used.

1.29.3:
- Feature: the "add_header_inherit" and "add_trailer_inherit"
  directives.
- Feature: the $request_port and $is_request_port variables.
- Feature: the $ssl_sigalg and $ssl_client_sigalg variables.
- Feature: the "volatile" parameter of the "geo" directive.
- Feature: now certificate compression is available with BoringSSL.
- Bugfix: now certificate compression is disabled with OCSP stapling.

1.29.2:
- Feature: now nginx can be built with AWS-LC.
  Thanks Samuel Chiang.
- Bugfix: now the "ssl_protocols" directive works in a virtual server
  different from the default server when using OpenSSL 1.1.1 or newer.
- Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
  and client certificates and resuming a session with a different SNI
  value; the bug had appeared in 1.27.4.
- Bugfix: the "ignoring stale global SSL error" alerts might appear in
  logs when using QUIC and the "ssl_reject_handshake" directive; the
  bug had appeared in 1.29.0.
  Thanks to Vladimir Homutov.
- Bugfix: in delta-seconds processing in the "Cache-Control" backend
  response header line.
- Bugfix: an XCLIENT command didn't use the xtext encoding.
  Thanks to Igor Morgenstern of Aisle Research.
- Bugfix: in SSL certificate caching during reconfiguration.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-16 00:34:02 -08:00
Gyorgy Sarvari f2be1069f1 nginx: upgrade 1.28.1 -> 1.28.2
Changelog:
- Security: an attacker might inject plain text data in the response
  from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
  or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-16 00:34:02 -08:00
Gyorgy Sarvari d92fa873e5 hiawatha: upgrade 11.7 -> 11.8
Drop patches that are included in this release.

Changes:
  * mbed TLS updated to 3.6.4.
  * Small bugfixes.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-02-04 20:53:29 -08:00
Peter Marko 5d3936d5dd nginx: ignore CVE-2025-53859 for 1.28.1
Fix is included via commit [1].

[1] https://github.com/nginx/nginx/commit/fbbbf189dadf3bd59c2462af68c16f2c2874d4ee

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-12 10:25:56 -08:00
Gyorgy Sarvari d25aadbbb5 nginx: set CVE_PRODUCT
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-04 11:34:49 -08:00
Jason Schonberg 222c642564 nginx: upgrade 1.28.0 -> 1.28.1
Drop CVE patch which has been integrated into this new version.

Solves:
* CVE-2025-53859

CHANGES:
https://nginx.org/en/CHANGES-1.28

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-01-04 11:06:41 -08:00
Jason Schonberg a5f72a7f7e cockpit: upgrade 349 -> 352
352
    Show a warning if the last shutdown/reboot was unclean
    Bug fixes and translation updates

351
    Firewall ports can be deleted individually

350
    networking: fix renaming of bridges and other groups (RHEL-117883)
    bridge: fix OpenSSH_10.2p1 host key detection

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-11 15:29:44 -08:00
Valeria Petrov 220835dac9 apache2: upgrade 2.4.65 -> 2.4.66
Security fixes:
- CVE-2025-66200
- CVE-2025-65082
- CVE-2025-59775
- CVE-2025-58098
- CVE-2025-55753

See: http://www.apache.org/dist/httpd/CHANGES_2.4.66

Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-05 10:13:24 -08:00
Liu Yiding 533a9ab48d xdebug: upgrade 3.4.7 -> 3.5.0
Change log:
https://xdebug.org/updates#x_3_5_0

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-05 10:13:23 -08:00
Jason Schonberg 350e4a7c62 webmin: upgrade 2.402 -> 2.501
Changelog: https://github.com/webmin/webmin/releases/tag/2.501
Changelog: https://github.com/webmin/webmin/releases/tag/2.500

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-02 15:54:06 -08:00
Wang Mingyu fad70abdb3 swagger-ui: upgrade 5.30.2 -> 5.30.3
Changelog:
==========
- deps: update vulnerable @release-it/conventional-changelog to 10.0.2
- deps: update vulnerable dependencies (js-yaml & glob)
- utils: handle sanitizing multi-level relative paths

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-02 09:22:52 -08:00
Wang Mingyu 39f1d58d2b fcgi: upgrade 2.4.6 -> 2.4.7
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-02 09:22:48 -08:00
Hongxu Jia 3e308aacb0 nginx: switch to libpcre2
NGINX 1.22 and later supports PCRE2 [1]

[1] https://github.com/nginx/nginx/commit/c6fec0b027569a4e0b1d8aaee7dea0f2e4d6052b

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-01 08:45:52 -08:00
Gyorgy Sarvari af4df551ee cockpit: set correct CVE_PRODUCT
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-24 21:54:47 -08:00
Jason Schonberg 8a04d45a4e xdebug: upgrade 3.4.6 -> 3.4.7
[2025-10-26] — Xdebug 3.4.7
    Fixed bug #2359: PHP 8.4 Lazy Ghost Object inoperable/defunct when Xdebug is enabled
    Fixed bug #2371: Step debugging initialize lazy objects
    Fixed bug #2375: Xdebug's exception trace conversion initialises lazy objects

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-23 09:33:36 -08:00
Wang Mingyu 5bdf00909b swagger-ui: upgrade 5.30.0 -> 5.30.2
Changelog:
============
- prevent webhook from crashing in case of openapi 3.0
- deps: bump react-syntax-highlighter to 16.0.0

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-11 10:19:44 -08:00
Yi Zhao 6025c3c73a xdebug: update UPSTREAM_CHECK_URI
Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable version.

Before the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version:

After the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version: 3.4.7

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-07 09:33:11 -08:00
Wang Mingyu 7235d113ba swagger-ui: upgrade 5.29.5 -> 5.30.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-06 16:00:51 -08:00
Jason Schonberg 71a022d143 webmin: upgrade 2.303 -> 2.402
Changelog: https://github.com/webmin/webmin/releases/tag/2.402
Changelog: https://github.com/webmin/webmin/releases/tag/2.401
Changelog: https://github.com/webmin/webmin/releases/tag/2.400

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-30 11:38:13 -07:00
Jason Schonberg c38bfe2f95 phpmyadmin: upgrade 5.2.2 -> 5.2.3
License-Update: Copyright year updated to 2025

Release note:
https://www.phpmyadmin.net/news/2025/10/8/phpmyadmin-523-is-released/

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-25 08:45:03 -07:00
Jason Schonberg 69684e8263 xdebug: upgrade 3.4.5 -> 3.4.6
[2025-10-06] — Xdebug 3.4.6
    Fixed bugs
    Fixed bug #2328: Stream resource references in stored stack traces don't hold, and can cause crashes
    Fixed bug #2360: Debugging DateInterval (and other internal objects) causes a crash

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-25 08:45:03 -07:00
Jason Schonberg 2278f23482 webmin: upgrade 2.300 -> 2.303
net-generic.patch : lines changed order in the new version

disable-version-check.patch : additional code to be removed from the
  function which is being deleted.

Changelog: https://github.com/webmin/webmin/releases/tag/2.303
Changelog: https://github.com/webmin/webmin/releases/tag/2.302
Changelog: https://github.com/webmin/webmin/releases/tag/2.301

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-24 09:06:24 -07:00
Wang Mingyu a03b7f7de5 swagger-ui: upgrade 5.29.4 -> 5.29.5
Changelog:
============
- core: handle complex value stringification in Property component
- correct spec paths for parameters, responses and request bodies

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-21 20:02:43 -07:00
Daniel Semkowicz 6a5ffc3466 cockpit: Upgrade to 349
Remove the patch with the fix that is already present in the new
version.

Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-16 08:48:35 -07:00
Daniel Semkowicz d8d4b7ab88 cockpit: Add runtime dependency on GNU Coreutils
The BusyBox version of mv does not have the -Z flag for setting SELinux
security context. This results in failure
when the cockpit-certificate-helper script is executed.

Depend the package on GNU Coreutils to make sure that the proper version
of mv is installed.

Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-16 08:48:34 -07:00
Daniel Semkowicz 35fafdb342 cockpit: Remove old-bridge leftovers
The old-bridge package config option was removed from the recipe,
but the usage of this option was left in some places.

Remove any reference to old-bridge. Only the Python bridge is currently
supported by Cockpit.

Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-16 08:48:34 -07:00
Wang Mingyu 32bbc37d2a swagger-ui: upgrade 5.29.0 -> 5.29.4
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-14 09:00:25 -07:00
Gyorgy Sarvari 11fc309ae9 apache2: ignore CVE-2025-3891
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.

The affected module is not part of the meta-oe universe currently,
so ignore the CVE.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-05 21:52:27 -07:00
Jason Schonberg 9e2040c10b webmin: upgrade 2.202 -> 2.300
Modified net-generic.patch to update a hardcoded version number to avoid
patch fuzz.

Changelog: https://github.com/webmin/webmin/releases/tag/2.300

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-09-19 12:22:00 -07:00