path: root/meta-webserver/recipes-httpd/nginx
Commit message | Author | Age | Files | Lines
* nginx: fix CVE-2025-23419 | Changqing Li | 2025-03-06 | 2 | -0/+89
  CVE-2025-23419: When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.
  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
  Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-23419
  This is partially cherry picked from commit 13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2 parts. One fixed problem in `http/ngx_http_request` module and the second fixed problem in `stream/ngx_stream_ssl_module` module. The fix for `stream/ngx_stream_ssl_module` can't be applied because the 'stream virtual servers' functionality was added later in this commit: https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de. Therefore only `http/ngx_http_request` part was backported.
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: Backport fix for CVE-2024-7347 | Ashish Sharma | 2024-08-25 | 3 | -0/+88
  Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f & https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4]
  Signed-off-by: Ashish Sharma <asharma@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx-1.20.1: Drop reference to removed patch | Jasper Orschulko | 2024-07-17 | 1 | -1/+0
  Follow-up to commits 38a07ce and 8e297cd. Also remove remaining reference to removed patch in nginx 1.20.1.
  Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx-1.21.1: Drop reference to removed patch | Niko Mauno | 2024-06-27 | 1 | -2/+0
  Align to commit 8e297cdc841c6cad34097f00a6903ba25edfc153 ("nginx: Remove obsolete patch") by removing reference to removed patch file. By doing so we mitigate the following BitBake complaint:
    WARNING: .../meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb: Unable to get checksum for nginx SRC_URI entry 0001-HTTP-2-per-iteration-stream-handling-limit.patch: file could not be found
  Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: Remove obsolete patch | Jasper Orschulko | 2024-06-02 | 1 | -92/+0
  With the inclusion of commit 85102dd2dff41945997b983f7c2bfc954dd3bc47 the same patch was introduced again, thus this copy can be deleted (which accidentally was never used, since I originally forgot to add it to the SRC_URI, whoops).
  Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: fix CVE-2023-44487 | Meenali Gupta | 2024-05-26 | 2 | -0/+80
  The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  References: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
  Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: Mitigate HTTP/2 Stream Resets Flood impact | Jasper Orschulko | 2023-12-13 | 3 | -0/+95
  Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product (CVE-2023-44487).
  See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
  This patch only reduces the impact and does not completely mitigate the CVE in question, the latter being due to a design flaw in the HTTP/2 protocol itself. For transparency reasons I therefore opted to not mark the CVE as resolved, so that integrators can decide for themselves whether to enable HTTP/2 support or allow HTTP/1.1 connections only.
  Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: upgrade to 1.24.0 release | Michael Haener | 2023-11-18 | 1 | -0/+6
  According to http://nginx.org/en/CHANGES nginx supports the openssl 3.x component only from version 1.21.2. In Kirkstone openssl 3.x is included but all provided versions of nginx are older, so there is currently an incompatibility. With this patch this incompatibility gets removed.
  Signed-off-by: Michael Haener <michael.haener@siemens.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: add configure option | Joe Slater | 2023-10-17 | 2 | -0/+42
  Support --with-http_xslt_module configure option via a PACKAGECONFIG option. The option is not added to the defaults.
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  (cherry picked from commit e0ac8eec48ddddc93751cfcdef2557998bfe91c8)
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* webserver: nginx: Add stream | Luke Schaefer | 2023-07-04 | 1 | -0/+1
  Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>
  Add stream support to nginx PACKAGECONFIG
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: CVE-2022-41741, CVE-2022-41742 Memory corruption in the ngx_http_mp4_module | Hitendra Prajapati | 2022-11-19 | 2 | -1/+322
  Upstream-Status: Backport from https://github.com/nginx/nginx/commit/6b022a5556af22b6e18532e547a6ae46b0d8c6ea
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: add gunzip PACKAGECONFIG | Stefan Herbrechtsmeier | 2022-03-29 | 1 | -0/+1
  The nginx gunzip module is a filter that decompresses responses with 'Content-Encoding: gzip' for clients that do not support 'gzip' encoding method. The module will be useful when it is desirable to store data compressed to save space and reduce I/O costs.
  Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: use ln -rs | Ross Burton | 2021-11-11 | 1 | -1/+1
  lnr is deprecated, use ln -rs directly instead.
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: Fix off_t size passed in configure | Nathan Rossi | 2021-08-31 | 1 | -1/+1
  For linux, nginx will always compile with '-D_FILE_OFFSET_BITS=64'. This means that off_t will always be 8 bytes long, even on 32-bit targets.
  This configuration change resolves some issues with nginx and handling range headers.
  Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: fix CVE-2021-3618 | Joe Slater | 2021-08-20 | 2 | -0/+109
  Backport with no change a patch from version 1.21.0. This patch was not cherry-picked by nginx to version 1.20.1. Information about this CVE comes from https://ubuntu.com/security/CVE-2021-3618.
  Signed-off-by: Joe Slater <joe.slater@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Convert to new override syntax | Martin Jansa | 2021-08-03 | 1 | -7/+7
  This is the result of automated script (0.9.1) conversion:
    oe-core/scripts/contrib/convert-overrides.py .
  converting the metadata to use ":" as the override character instead of "_".
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* nginx: upgrade 1.19.6 -> 1.21.1 | Salman Ahmed | 2021-07-30 | 2 | -10/+10
  Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.18.0 -> 1.20.1 | Salman Ahmed | 2021-07-30 | 2 | -6/+7
  Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.17.8 -> 1.19.6 | changqing.li@windriver.com | 2020-12-30 | 2 | -10/+10
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.16.1 -> 1.18.0 | changqing.li@windriver.com | 2020-12-30 | 2 | -6/+6
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: remove /var/log/nginx when do_install | Yi Zhao | 2020-05-06 | 1 | -1/+3
  Remove directory /var/log/nginx when do_install because it is created by volatiles file.
  Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: fix error during service startup | Changqing Li | 2020-02-26 | 2 | -0/+100
  fix below error:
    nginx.service: failed to parse pid from file /run/nginx/nginx.pid: invalid argument
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update to the latest development version (1.17.8) | Derek Straka | 2020-02-09 | 2 | -6/+10
  See Changelog: https://nginx.org/en/CHANGES
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update to the latest stable version (1.16.1) | Derek Straka | 2020-02-09 | 2 | -10/+6
  See changelog here: https://nginx.org/en/CHANGES-1.16
  * Fixes CVE-2019-9511, CVE-2019-9513, CVE-2019-9516
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: fix install paths | Gaylord Charles | 2019-11-17 | 1 | -2/+2
  This patch fixes Nginx install paths. I tried to build the native variant for testing purpose and had errors.
  - Use path variable instead of /usr
  - Replace the absolute path symlink with a relative one
  Signed-off-by: Gaylord CHARLES <gaylord.charles@veo-labs.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: fix kill path in nginx systemd unit file | nick83ola | 2019-05-27 | 2 | -2/+2
  the kill utility is located in /bin/kill -> use base_bindir instead of bindir
  Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: add PACKAGECONFIG[http-auth-request] | nick83ola | 2019-05-27 | 1 | -0/+1
  Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update stable version to 1.16.0 | nick83ola | 2019-05-27 | 2 | -10/+10
  The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the LICENSE file
  - * Copyright (C) 2002-2018 Igor Sysoev
  - * Copyright (C) 2011-2018 Nginx, Inc.
  + * Copyright (C) 2002-2019 Igor Sysoev
  + * Copyright (C) 2011-2019 Nginx, Inc.
  Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update to version 1.17.0 | nick83ola | 2019-05-27 | 2 | -6/+6
  The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the LICENSE file
  - * Copyright (C) 2002-2018 Igor Sysoev
  - * Copyright (C) 2011-2018 Nginx, Inc.
  + * Copyright (C) 2002-2019 Igor Sysoev
  + * Copyright (C) 2011-2019 Nginx, Inc.
  Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: add default proxy_params | André Draszik | 2019-01-19 | 2 | -0/+7
  As per Debian packaging - to use it, see https://wiki.debian.org/Nginx/DirectoryStructure#Extra_Parameters
  This file is most commonly included when Nginx is acting as a reverse proxy:
    include /etc/nginx/proxy_params;
    proxy_pass http://localhost:8000;
  Signed-off-by: André Draszik <andre.draszik@jci.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: configuration update | André Draszik | 2019-01-19 | 3 | -105/+62
  Restructure the main configuration file to simplify custom configuration:
  * support inclusion of configuration fragments from subdirectories:
    - /etc/nginx/modules-enabled/*.conf
    - /etc/nginx/conf.d/*.conf
    - /etc/nginx/sites-enabled/*
  * default site (port 80):
    - move into /etc/nginx/sites-available/default_server and enable via symlink in /etc/nginx/sites-enabled/
    - listen on IPv6
    - drop unneeded example fragments
  * configure and enable gzip
  * update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer defaults
  * update remaining bits to follow Debian standard configuration https://salsa.debian.org/nginx-team/nginx/blob/62a54a8ba66ee6cc1b4f8a33dab9a6f27a3fdac4/debian/conf/nginx.conf
  * drop unneeded example configuration bits from /etc/nginx/*.default
  These changes, in particular the configuration fragment support allow to easily customise nginx based on individual requirements. In addition, it is now possible for other recipes / packages to drop fragments into the respective directories in /etc/nginx without having to meddle with /etc/nginx/nginx.conf
  Signed-off-by: André Draszik <andre.draszik@jci.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update systemd unit using nginx recommendation | André Draszik | 2019-01-19 | 2 | -3/+8
  Our systemd unit doesn't follow the official recommendation, see https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
  Most importantly:
  * it should start after some additional specific targets/units
  * using PrivateTmp is a useful security feature, in particular to avoid cross domain scripting via the temp folder
  * using systemd's $MAINPID, we can distinguish between multiple running nginx instances correctly
  Signed-off-by: André Draszik <andre.draszik@jci.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update stable version to 1.14.2 | Andrej Valek | 2018-12-11 | 1 | -2/+2
  Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update to version 1.15.7 | Andrej Valek | 2018-12-10 | 2 | -6/+6
  Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: add PACKAGECONFIG[ssl] | Max Kellermann | 2018-09-24 | 1 | -2/+4
  Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: Upgrade to 1.15.2 | Khem Raj | 2018-08-15 | 2 | -6/+6
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: remove the 1.13 recipe in favor of the new dev branch of 1.5.x | Derek Straka | 2018-07-12 | 2 | -10/+10
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: enable thread pools by default | Derek Straka | 2018-07-12 | 1 | -0/+1
  The thread pool feature can be enabled without significant extra binary size. Thread pools can increase performance by an order of magnitude on some configurations
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: update latest development version to 1.13.12 | Derek Straka | 2018-05-17 | 2 | -10/+10
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update stable version to 1.14.0 | Derek Straka | 2018-05-17 | 2 | -6/+6
  License-Update: Update license file for latest copyright date
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: refresh patches | Armin Kuster | 2018-04-13 | 1 | -26/+30
  WARNING: nginx-1.12.2-r0 do_patch: Some of the context lines in patches were ignored. This can lead to incorrectly applied patches. The context lines in the patches can be updated with devtool:
    devtool modify <recipe>
    devtool finish --force-patch-refresh <recipe> <layer_path>
  Then the updated patches and the source tree (in devtool's workspace) should be reviewed to make sure the patches apply in the correct place and don't introduce duplicate lines (which can, and does happen when some of the context is ignored).
  Further information:
  http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
  https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
  Details:
  Applying patch nginx-cross.patch
  patching file auto/feature
  patching file auto/options
  Hunk #1 succeeded at 386 (offset 33 lines).
  Hunk #2 succeeded at 580 (offset 35 lines).
  Hunk #3 succeeded at 599 (offset 22 lines).
  patching file auto/types/sizeof
  patching file auto/unix
  Hunk #1 succeeded at 587 (offset 194 lines).
  Hunk #2 succeeded at 604 with fuzz 1 (offset 188 lines).
  Hunk #3 succeeded at 620 with fuzz 2 (offset 188 lines).
  Now at patch nginx-cross.patch
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update development version to 1.13.9 | Derek Straka | 2018-03-16 | 2 | -10/+10
  Update license checksum for copyright changes
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: use oe.utils.conditional instead of deprecated base_conditional | Martin Jansa | 2018-02-01 | 1 | -1/+1
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* nginx: update dev version to 1.13.8 | Derek Straka | 2018-01-16 | 1 | -2/+2
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update to version 1.13.7 | Derek Straka | 2017-12-27 | 1 | -2/+2
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: correctly set the endianness of the target | Derek Straka | 2017-12-11 | 2 | -1/+82
  Add an inherit for siteinfo to get access to SITEINFO_ENDIANNESS
  Add a patch to have nginx actually use the user provided --with-endian
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update development version to 1.13.6 | Derek Straka | 2017-11-15 | 1 | -2/+2
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update stable version to 1.12.2 | Derek Straka | 2017-11-15 | 2 | -6/+6
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nginx: update development version to 1.13.5 | Derek Straka | 2017-09-22 | 1 | -2/+2
  Signed-off-by: Derek Straka <derek@asterius.io>
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* Nginx: use PACKAGECONFIG variables in configure | Szombathelyi György | 2017-09-18 | 1 | -1/+1
  Signed-off-by: Gyorgy Szombathelyi <gyurco@freemail.hu>
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>