These patches are about a number of CVEs files against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.
These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs on separately, but they fix a number of CVEs altogether.
Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.
I haven't added specific CVE info to the patches, one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilites will disappear
from the CVE report due to this.
[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit d31f07340f)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
(cherry picked from commit 34b3d0f491)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changes with nginx 1.29.2
*) Feature: now nginx can be built with AWS-LC.
*) Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
*) Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
*) Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
*) Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
*) Bugfix: an XCLIENT command didn't use the xtext encoding.
*) Bugfix: in SSL certificate caching during reconfiguration.
https://nginx.org/en/CHANGES
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The vulnerability was reported against mod_auth_openidc, which module
is a 3rd party one, and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-04-23
nginx-1.28.0 stable version has been released, incorporating new
features and bug fixes from the 1.27.x mainline branch - including
memory usage and CPU usage optimizations in complex SSL configurations,
automatic re‑resolution of hostnames in upstream groups, performance
enhancements in QUIC, OCSP validation of client SSL certificates and
OCSP stapling support in the stream module, variables support in the
proxy_limit_rate, fastcgi_limit_rate, scgi_limit_rate, and
uwsgi_limit_rate directives, the proxy_pass_trailers directive, and
more.
License-Update: copyright years refreshed and removed C-style comments
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This CVE is officially disputed by Redhat with official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086
Red Hat does not consider this issue to be a security vulnerability.
The pottential attacker has to send acknowledgement packets periodically
to make server generate traffic. Exactly the same effect could be
achieved by simply downloading the file. The statement that setting the
TCP window size to arbitrarily high value would permit the attacker to
disconnect and stop sending ACKs is false, because Red Hat Enterprise
Linux limits the size of the TCP send buffer to 4MB by default.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit modifies the PACKAGECONFIG entry for zlib to ensure that the
mod_deflate module is enabled with the appropriate zlib configuration.
By adding the --with-zlib=${STAGING_LIBDIR}/../ option, we direct the
configure script to use the zlib library from the staging directory
instead of relying on the host system's zlib installation.
Without that configure will search the host for zlib headers and lib.
This change resolves build failures related to zlib dependency when
mod_deflate is enabled and ensures a consistent build environment across
different host configurations.
Signed-off-by: Valeria Petrov <valeria.petrov@spinetix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fastcgi, scgi and uwsgi are enabled by default in nginx. Provide an
option to disable these features (that reduces binary size by 8%).
Signed-off-by: Maxin John <maxin.john@gehealthcare.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.
apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.
Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update CVE status for: CVE-1999-0289, CVE-2007-0450, CVE-2010-0425
The current version (2.4.6) is not affected. It only applies for Windows.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Gyorgy Sarvari
Ankur Tyagi
Peter Marko
Jason Schonberg
Valeria Petrov
Khem Raj
Wang Mingyu
Alexander Kanavin
Yoann Congal
Alexis Cellier
Changqing Li
Derek Straka
Niko Mauno
Maxin John
Trevor Woerner
Archana Polampalli
alba@thehoodiefirm.com
Ninette Adhikari