mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
fedd8cf51d
CVE-2025-23419: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache is used in the default server and the default server is performing client certificate authentication.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-23419

This is partially cherry picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e; the original patch had 2 parts. One fixed a problem in the `http/ngx_http_request` module and the second fixed a problem in the `stream/ngx_stream_ssl_module` module. The fix for `stream/ngx_stream_ssl_module` can't be applied because the 'stream virtual servers' functionality was added later in this commit: https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. Therefore only the `http/ngx_http_request` part was backported.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
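A configuration audit for the preconditions the commit message names, as an added example that is not code from nginx or from this layer: it flags listen addresses shared by several TLS server blocks whose default server requests client certificates while session tickets or a session cache are in use. The function names and the sample configuration are constructed for illustration. The parser is deliberately simplified: it expects the fully expanded configuration (for instance the output of `nginx -T`), does not handle quoted strings, compares listen addresses literally, and does not check whether the installed build already carries the fix.

```python
import re
from collections import defaultdict

def parse_servers(conf):
    """Simplified parse: http-level ssl_* settings plus one dict per server block."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, words, http, servers = [], [], {}, []
    for tok in tokens:
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack == ["http", "server"]:
                servers.append({"listen": []})
        elif tok == "}":
            stack.pop()
        elif tok == ";" and len(words) > 1 and stack in (["http"], ["http", "server"]):
            scope = http if len(stack) == 1 else servers[-1]
            if words[0] == "listen" and scope is not http:
                scope["listen"].append(words[1:])
            elif words[0].startswith("ssl_"):
                scope[words[0]] = words[1]
        words = [] if tok in ("{", "}", ";") else words + [tok]
    return http, servers

def exposed_listeners(conf):
    """Shared TLS listen addresses whose default server (default_server flag, else first) is at risk."""
    http, servers = parse_servers(conf)
    groups = defaultdict(list)
    for srv in servers:
        for args in srv["listen"]:
            if "ssl" in args:
                groups[args[0]].append((srv, "default_server" in args))
    hits = []
    for addr, members in groups.items():
        default = next((s for s, flag in members if flag), members[0][0])
        def get(key, builtin):  # server value, else inherited http value, else nginx default
            return default.get(key, http.get(key, builtin))
        resumable = (get("ssl_session_tickets", "on") != "off"
                     or get("ssl_session_cache", "none") not in ("off", "none"))
        if len(members) > 1 and get("ssl_verify_client", "off") != "off" and resumable:
            hits.append(addr)
    return sorted(hits)

# Constructed sample configuration (hostnames are placeholders).
SAMPLE = """http {
  server { listen 443 ssl default_server; ssl_verify_client on; }
  server { listen 443 ssl; server_name public.example; }
  server { listen 8443 ssl; ssl_verify_client on; ssl_session_tickets off; }
  server { listen 8443 ssl; server_name other.example; }
}"""
```

`exposed_listeners(SAMPLE)` reports only the 443 listener: the 8443 group turns tickets off and keeps the default `ssl_session_cache none`, so its default server has no resumption state to reuse.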
meta-webserver
==============

This layer provides support for building web servers, web-based
applications and related software.

Dependencies
------------

This layer depends on:

URI: git://git.openembedded.org/openembedded-core
subdirectory: meta
branch: kirkstone

For some recipes, the meta-oe layer is required:

URI: git://git.openembedded.org/meta-openembedded
subdirectory: meta-oe
branch: kirkstone

Layout
------

recipes-httpd/       Web servers
recipes-php/         PHP applications
recipes-support/     Miscellaneous support recipes
recipes-webadmin/    Standalone web administration interfaces

Notes
-----

* This layer used to provide a modphp recipe that built mod_php, but
  this is now built as part of the php recipe in meta-oe. However, since
  apache2 is required to build mod_php, and the apache2 recipe is in this
  layer and recipes in meta-oe can't depend on it, mod_php is not built
  by default. If you do wish to use mod_php, you need to add "apache2" to
  the PACKAGECONFIG value for the php recipe in order to enable it. See
  here for info on how to do that:

  http://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#var-PACKAGECONFIG

Maintenance
-----------

Send patches / pull requests to openembedded-devel@lists.openembedded.org
with '[meta-webserver][kirkstone]' in the subject.

When sending single patches, please use something like:

git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix='meta-webserver][kirkstone][PATCH'

Layer maintainer: Armin Kuster <akuster808@gmail.com>

License
-------

All metadata is MIT licensed unless otherwise stated. Source code included
in tree for individual recipes is under the LICENSE stated in each recipe
(.bb file) unless otherwise stated.

This README document is Copyright (C) 2012 Intel Corporation.