Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and
1.25.5. However, a unique patch is provided for 1.25.5 since the
upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5.
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Change-Id: Ia7b8e16067781776cf0a39fac757f8d25ac118fa
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication. Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419
This partially cherry picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
parts. One fixed problem in `http/ngx_http_request` module and the
second fixed problem in `stream/ngx_stream_ssl_module` module. The fix
for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
virtual servers' funcionality was added later in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only `http/ngx_http_request` part was backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2021-3618.patch
removed since it's included in 1.23.3
Changelog:
==========
*) Bugfix: an error might occur when reading PROXY protocol version 2
header with large number of TLVs.
*) Bugfix: a segmentation fault might occur in a worker process if SSI
was used to process subrequests created by other modules.
Thanks to Ciel Zhao.
*) Workaround: when a hostname used in the "listen" directive resolves
to multiple addresses, nginx now ignores duplicates within these
addresses.
*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
connections to backends were used.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
the kill utility is located in /bin/kill -> use base_bindir instead of bindir
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
- /etc/nginx/modules-enabled/*.conf
- /etc/nginx/conf.d/*.conf
- /etc/nginx/sites-enabled/*
* default site (port 80):
- move into /etc/nginx/sites-available/default_server
and enable via symlink in /etc/nginx/sites-enabled/
- listen on IPv6
- drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
defaults
* update remaining bits to follow Debian standard configuration
https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default
These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Our systemd unit doesn't follow the official
recommendation, see
https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
Most importantly:
* it should start after some additional specific
targets/units
* using PrivateTmp is a useful security feature, in
particular to avoid cross domain scripting via the
temp folder
* using systemd's $MAINPID, we can distinguish between
multiple running nginx instances correctly
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
WARNING: nginx-1.12.2-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.htmlhttps://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch nginx-cross.patch
patching file auto/feature
patching file auto/options
Hunk #1 succeeded at 386 (offset 33 lines).
Hunk #2 succeeded at 580 (offset 35 lines).
Hunk #3 succeeded at 599 (offset 22 lines).
patching file auto/types/sizeof
patching file auto/unix
Hunk #1 succeeded at 587 (offset 194 lines).
Hunk #2 succeeded at 604 with fuzz 1 (offset 188 lines).
Hunk #3 succeeded at 620 with fuzz 2 (offset 188 lines).
Now at patch nginx-cross.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add an inherit for siteinfo to get access to SITEINFO_ENDIANNESS
Add a patch to have nginx actually use the user provided --with-endian
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The recipe and the systemd service file use /run/nginx/nginx.pid,
while the sys v init script used /var/run/nginx/nginx.pid
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
It gets replaces with the real NGINX_USER anyway, but it confuses people
that there is a different value by default. So just make it the same as the
default NGINX_USER
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
- Call the nginx binary directly, no need to wrap the SysV init file.
- Create /var/log/nginx with tmpfiles, like volatiles without systemd.
- Run nginx with ${NGINX_USER} (user ${NGINX_USER} in nginx.conf)
Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The 1.8 version is now considered legacy and the stable versions 1.10.X
Updated the license checksum to reflect copyright date update to 2016
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Initial recipe created by Steve Arnold. Original build patch and 1.0.10
recipe graciously contributed by bencoh (in #oe on irc.freenode.net).
New recipe and init script contributed by this author. Built and
tested on master branches using author's fork of meta-raspberrypi.
Signed-off-by: stephen.arnold42 <stephen.arnold42@gmail.com>
Signed-off-by: Sébastien Mennetrier <s.mennetrier@innotis.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>