Commit Graph

312 Commits

Author SHA1 Message Date
Peter Marko 3eb5952ed1 apache2: ignore disputed CVE CVE-2007-0086
This CVE is officially disputed by Redhat with official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086

Red Hat does not consider this issue to be a security vulnerability.
The pottential attacker has to send acknowledgement packets periodically
to make server generate traffic. Exactly the same effect could be
achieved by simply downloading the file. The statement that setting the
TCP window size to arbitrarily high value would permit the attacker to
disconnect and stop sending ACKs is false, because Red Hat Enterprise
Linux limits the size of the TCP send buffer to 4MB by default.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit da2b5e8b93)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-16 09:17:32 -05:00
Peter Marko 3e066952da monkey: ignore CVE-2013-1771
This is gentoo specific CVE.
NVD tracks this as version-less CVE.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 36a7e409d8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-16 09:17:32 -05:00
Peter Marko caed65ef73 apache2: remove old version references from CVEs
These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0e7733f1b8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-16 09:17:32 -05:00
Peter Marko 158e1ae385 apache2: ignore CVE-1999-0678 and CVE-1999-1412
These CVEs are specific to Debian and MAC OS X respectively.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1b86a60f62)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-16 09:17:32 -05:00
Derek Straka f1a8f14706 nginx: Upgrade mainline release version 1.27.1 -> 1.27.3
License-Update: License file negative and empty space changes

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1f4b413ebe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-16 09:17:32 -05:00
Valeria Petrov 03443b8fb1 apache2: do not depend on zlib header and libs from host
This commit modifies the PACKAGECONFIG entry for zlib to ensure that the
mod_deflate module is enabled with the appropriate zlib configuration.
By adding the --with-zlib=${STAGING_LIBDIR}/../ option, we direct the
configure script to use the zlib library from the staging directory
instead of relying on the host system's zlib installation.

Without that configure will search the host for zlib headers and lib.

This change resolves build failures related to zlib dependency when
mod_deflate is enabled and ensures a consistent build environment across
different host configurations.

Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ac5855c74d)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-11-19 13:13:27 -08:00
Peter Marko 12a36136fe nginx: Upgrade mainline 1.25.3 -> 1.27.1
Solves:
* CVE-2024-7347
* CVE-2024-24989
* CVE-2024-24990
* CVE-2024-31079
* CVE-2024-32760
* CVE-2024-34161
* CVE-2024-35200

License-Update: copyright year refreshed

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-17 15:46:33 -07:00
Peter Marko d6504f150b nginx: Upgrade stable 1.26.0 -> 1.26.2
Solves:
* CVE-2024-7347
* CVE-2024-31079
* CVE-2024-32760
* CVE-2024-34161
* CVE-2024-35200

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-09-17 15:46:33 -07:00
Wang Mingyu ff8cc5ddf9 apache2: upgrade 2.4.61 -> 2.4.62
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-09 14:25:12 -07:00
Maxin John a944926d19 nginx: add PACKAGECONFIG knobs for fastcgi, scgi and uwsgi
fastcgi, scgi and uwsgi are enabled by default in nginx. Provide an
option to disable these features (that reduces binary size by 8%).

Signed-off-by: Maxin John <maxin.john@gehealthcare.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-23 08:41:14 -07:00
Trevor Woerner 99800d24c5 apache2: use update-alternatives for httpd
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.

apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.

Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.

Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-18 20:24:06 -07:00
Archana Polampalli 7cfaa76200 apache2: Upgrade 2.4.60 -> 2.4.61
Security fixes:
CVE-2024-39884 Apache HTTP Server: source code disclosure with handlers configured via AddType

Changelog:
https://github.com/apache/httpd/blob/2.4.61/CHANGES
https://httpd.apache.org/security/vulnerabilities_24.html

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-16 08:24:26 -07:00
alba@thehoodiefirm.com 46b2eef28b apache2:apache2-native: sort CVE status
Signed-off-by: Alba Herrerías <alba@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-04 08:45:54 -07:00
Ninette Adhikari a1441be529 apache2: Update CVE status
Update CVE status for: CVE-1999-0289, CVE-2007-0450, CVE-2010-0425

The current version (2.4.6) is not affected. It only applies for Windows.

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-03 20:20:18 -07:00
Ninette Adhikari 17bcf478a5 monkey: Update status for CVE-2013-2183
Current version (1.6.9) is not affected. Issue was addressed in version 1.3.0

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-03 20:20:17 -07:00
Siddharth Doshi 8c5860f22d apache2: Upgrade 2.4.59 -> 2.4.60
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite

Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-02 16:59:02 -07:00
Ninette Adhikari a9741a9d9c apache2:apache2-native: CVE status update
Update status for:
CVE-2007-6421, CVE-2007-6422, CVE-2007-6423, CVE-2008-2168

CPE is incorrect, the current version (2.4.59) is not affected.

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-28 11:22:04 -07:00
Kai Kang e77507a898 apache2: fix multilib file conflicts
There are file conflicts of apache2 when multilib enabled:

Error: Transaction test error:
  file /usr/share/apache2/build/config.nice conflicts between attempted
    installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
  file /usr/share/apache2/build/config_vars.mk conflicts between
    attempted installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp

Install the 'build' directory to ${libexecdir} by setting
'installbuilddir' to fix the conflicts. ${libexecdir} is not populated
to sysroot by default, but command apxs requires these files, then add
the dir to SYSROOT_DIRS to populate them.

And inherit bbclasses multilib_script and multilib_header to fix
follow-up conflicts:

  file /usr/bin/apxs conflicts between attempted installs of
    apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp
  file /usr/include/apache2/ap_config_layout.h conflicts between
    attempted installs of apache2-dev-2.4.58-r0.cortexa57 and lib32-apache2-dev-2.4.58-r0.armv7vet2hf_vfp

Since multilib_script inherits update-alternatives, remove it from
inherit line for beautification.

Fix buildpaths warning as well:

  WARNING: lib32-apache2-2.4.58-r0 do_package_qa: QA Issue: File /usr/share/apache2/build/config.nice
           in package lib32-apache2-dev contains reference to TMPDIR [buildpaths]

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 16:17:11 -07:00
Khem Raj ffc64e9c6f recipes: Start WORKDIR -> UNPACKDIR transition
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 08:44:44 -07:00
Peter Marko d0fd84b7df nginx: Upgrade stable 1.24.0 -> 1.26.0
nginx-1.26.0 stable version has been released, incorporating new
features and bug fixes from the 1.25.x mainline branch -
including experimental HTTP/3 support, HTTP/2 on a per-server basis
virtual servers in the stream module, passing stream connections to
listen sockets, and more.

License-Update: copyright years refreshed

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-30 17:02:36 -07:00
Ninette Adhikari 996d111343 sthttpd: Update status for CVE-2017-10671
Current version 2.27.1 is not affected by the issue.
Affected versions: Up to (excl.) 2.27.1

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-29 11:11:52 -07:00
Soumya Sambu c341cdb58c apache2: Upgrade v2.4.58 -> v2.4.59
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.

Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-19 14:31:32 -07:00
Maxim Perevozchikov c6a34cad53 nginx: Disable login for www user
Signed-off-by: Maxim Perevozchikov <m.perevozchikov@yadro.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-04-11 23:32:35 -07:00
Markus Volk 0586dd9f13 gnome-user-share: add recipe
- add it as runtime dependency to gnome-control-center because without it,
  the file sharing options are hidden.
- configure the paths to fit to openembedded env
- add mod_dnssd runtime dependency for apache2 as this is a requirement

To enable the feature, PACKAGECONFIG httpd needs to be added.
This is not done by default to avoid apache2 runtime dependency just by
including this recipe.
NOTE: Apache2 httpd doesn't need to be running. It'll get
      started and stopped on demand by systemd.

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-28 11:45:02 -07:00
Markus Volk 6665650b2a apache2: preset mpm=prefork by default
currently this is chosen depending on machine at do_configure

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-28 11:45:02 -07:00
Martin Jansa 21f956598d recipes: drop ${SRCPV} usage
* Drop SRCPV similarly like oe-core did in:
  https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=843f82a246a535c353e08072f252d1dc78217872

* SRCPV is deferred now from PV to PKGV since:
  https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=a8e7b0f932b9ea69b3a218fca18041676c65aba0

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
2024-02-09 09:52:12 -08:00
Michael Haener b29195ce4c nginx: add http sub module feature
Providing the http sub module feature. The module works as a filter which
replaces a specific character string in a response with another character
string.

Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-19 09:51:05 -08:00
alperak 9d0d7d9d62 nginx: fix CVE-2023-44487
Upstream-Status: Backport from [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9]

WARNING: nginx-1.24.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-44487)

This vulnerability exists between the following versions -> From(including) 1.9.5 Up to(including) 1.25.2

Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-01-11 12:11:36 -08:00
Derek Straka 8dc77ebf92 nginx: update versions for both the stable branch and mainline
Stable: None -> 1.24.0
Legacy Mainline 1.21.1 -> Removed

Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-14 15:47:21 -08:00
Meenali Gupta dc4bef4648 nginx: upgrade 1.25.2 -> 1.25.3
Changelog:
===========
https://nginx.org/en/CHANGES

*) Change: improved detection of misbehaving clients when using HTTP/2.

*) Feature: startup speedup when using a large number of locations.
       Thanks to Yusuke Nojima.

*) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2 without SSL; the bug had appeared in 1.25.1.

*) Bugfix: the "Status" backend response header line with an empty
       reason phrase was handled incorrectly.

*) Bugfix: memory leak during reconfiguration when using the PCRE2
       library.
       Thanks to ZhenZhong Wu.

*) Bugfixes and improvements in HTTP/3.

Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-12-14 07:53:24 -08:00
Dylan Turner 9f0b505341 apache2: v2.4.57 to v2.4.58 to fix CVE-2023-43622
Note that patch 0011-modules... is no longer needed as it's included in
the upgrade as well.

CVE: CVE-2023-43622

Signed-off-by: Dylan Turner <dylan.turner@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-27 13:39:53 -08:00
Jeffrey Pautler 51f70eaaa5 apache2: add vendor to product name used for CVE checking
This recipe sets the product name used for CVE checking to
"http_server". However, the cve-check logic matches that name to all
products in the CVE database regardless of vendor. Currently, it is
matching to products from vendors other than apache. As a result,
CVE checking incorrectly reports CVEs for those vendors' products for
this package.

Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-11-10 09:13:40 -08:00
Joe Slater e0ac8eec48 nginx: add configure option
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option.  The option is not added to the defaults.

Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-10-04 13:10:06 -07:00
Martin Jansa a1c3c7f4e8 gnome-tweaks, networkmanager-fortisslvpn, libesmtp, json-schema-validator, python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status
* Accepted was replaced with Backport in gatesgarth:
  https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes

* as detected with oe-core/scripts/contrib/patchreview.py:

meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-09-27 14:22:09 -07:00
Wang Mingyu 79b2c772d4 nginx: upgrade 1.25.1 -> 1.25.2
Changelog:
===========
 *) Feature: path MTU discovery when using HTTP/3.
 *) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
    HTTP/3.
 *) Change: now nginx uses appname "nginx" when loading OpenSSL
    configuration.
 *) Change: now nginx does not try to load OpenSSL configuration if the
    --with-openssl option was used to built OpenSSL and the OPENSSL_CONF
    environment variable is not set.
 *) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
 *) Bugfix: in HTTP/3.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-08-26 17:32:44 -07:00
Ross Burton 21ffd6f33f cherokee: add CVE_PRODUCT
As per https://nvd.nist.gov/vuln/detail/CVE-2019-1010218, Cherokee uses
to use cherokee-project:cherokee_web_server.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-20 19:08:57 -07:00
Wang Mingyu 99d6fd5c0f nginx: upgrade 1.24.0 -> 1.25.1
Changelog:
==========
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
   basis; the "http2" parameter of the "listen" directive is now
   deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
*) Feature: experimental HTTP/3 support.

License-Update: Copyright year updated to 2023.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-20 19:08:57 -07:00
Michael Haener d7d987e01d nginx: upgrade to 1.24.0 release
Brings nginx to the current stable version.

Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-11 14:20:18 -07:00
Luke Schaefer 01884aeb0b nginx: Add stream Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>
Add stream support to nginx PACKAGECONFIG

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-27 13:44:47 -07:00
Khem Raj 1b7655c46c monkey: Remove buildpaths from generated mk_env.h
It has paths to compiler and assembler which are technically cross
compilers in OE. We do have these names symlinked on target too but
paths needs to be removed.

Fixes
WARNING: monkey-1.6.9-r0 do_package_qa: QA Issue: File /usr/include/monkey/mk_env.h in package monkey-dev contains reference to TMPDIR [buildpaths]

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-05-28 16:35:00 -07:00
Martin Jansa b67942fbe2 monkey: remove unused patch file
* it was removed from SRC_URI in:
  https://git.openembedded.org/meta-openembedded/commit/?id=45b327ba1620febf3dd8a8b415d601c9c9e78bc5

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-05-24 07:23:54 -07:00
Valeria Petrov 0b9305faa2 apache2: upgrade 2.4.56 -> 2.4.57
Changelog:
Changes with Apache 2.4.57

  *) mod_proxy: Check before forwarding that a nocanon path has not been
     rewritten with spaces during processing.  [Yann Ylavic]

  *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
     double encode encoded slashes in the URL sent by the reverse proxy to the
     backend. [Ruediger Pluem]

  *) mod_http2: fixed a crash during connection termination. See PR 66539.
     [Stefan Eissing]

  *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
     in a question mark. PR66547. [Eric Covener]

  *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
     characters on redirections without the "NE" flag.
     [Yann Ylavic, Eric Covener]

  *) mod_proxy: Fix double encoding of the uri-path of the request forwarded
     to the origin server, when using mapping=encoded|servlet.  [Yann Ylavic]

  *) mod_mime: Do not match the extention against possible query string
     parameters in case ProxyPass was used with the nocanon option.
     [Ruediger Pluem]

New patch:
0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
Accepted in upstream, expected to be removed at next apache2 2.4.58 update.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-25 08:14:39 -07:00
Khem Raj 3a8e18f038 monkey,webmin: Fix upstream patch status
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-07 16:58:15 -07:00
Khem Raj cb125e2bef meta-webserver: Fix missing upstream status on patches
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-05 20:41:10 -07:00
Wang Mingyu 184fd210ea nginx: upgrade 1.23.3 -> 1.23.4
Changelog:
===========
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
   listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
   used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
   had appeared in 1.23.3.
*) Bugfix: incorrect location might be chosen to process a request if a
   prefix location longer than 255 characters was used in the
   configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
   supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
   and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
   short", "bad legacy version", "no shared signature algorithms", "bad
   digest length", "missing sigalgs extension", "encrypted length too
   long", "bad length", "bad key update", "mixed handshake and non
   handshake data", "ccs received early", "data between ccs and
   finished", "packet length too long", "too many warn alerts", "record
   too small", and "got a fin before a ccs" SSL errors has been lowered
   from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
   "error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
   information that the errors happened while logging to syslog.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
   appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-04 13:39:46 -07:00
Johannes Kirchmair 356b224344 redirect unwanted error message in nginx install
if we run opkg install nginx on our system (without systemd)
we end up getting the following message in the install process

$ opkg install nginx_1.20.1-r0_core2-64.ipk 
...
//var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found

this confused some of my coworkers.
as installation also finishes correctly without sytemd-tmpfiles
and not having systemd-tempfiles is not really a problem, I think
we should redirect the message also to /dev/NULL

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-04 13:39:46 -07:00
Peter Johennecken 9937ffa5d2 nginx: added packagegroup for webdav module
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-03-31 10:42:43 -07:00
Wang Mingyu 1e48109bc5 nginx: upgrade 1.20.1 -> 1.23.3
CVE-2021-3618.patch
removed since it's included in 1.23.3

Changelog:
==========
*) Bugfix: an error might occur when reading PROXY protocol version 2
   header with large number of TLVs.

*) Bugfix: a segmentation fault might occur in a worker process if SSI
   was used to process subrequests created by other modules.
   Thanks to Ciel Zhao.

*) Workaround: when a hostname used in the "listen" directive resolves
   to multiple addresses, nginx now ignores duplicates within these
   addresses.

*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
   connections to backends were used.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-03-09 23:45:17 -08:00
Wang Mingyu f8b54b5243 apache2: upgrade 2.4.55 -> 2.4.56
Changelog:
==========
-  rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
   truncated without the initial logfile being truncated.

-  mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
   allow connections of any age to be reused. Up to now, a negative value
   was handled as an error when parsing the configuration file.  PR 66421.

-  mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
   of headers.

-  mod_md:
   - Enabling ED25519 support and certificate transparency information when
     building with libressl v3.5.0 and newer.
   - MDChallengeDns01 can now be configured for individual domains.
   - Fixed a bug that caused the challenge
     teardown not being invoked as it should.

-  mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
   reported in access logs and error documents. The processing of the
   reset was correct, only unneccesary reporting was caused.

-  mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-03-08 07:12:23 -08:00
Yi Zhao f018a6bb3b apache2: use /run instead of /var/run for systemd volatile config
Fixes:
systemd-tmpfiles[181]: /etc/tmpfiles.d/apache2-volatile.conf:1:
Line references path below legacy directory /var/run/, updating /var/run/apache2 -> /run/apache2;
please update the tmpfiles.d/ drop-in file accordingly.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-02-24 08:45:44 -08:00