| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
License-Update: License year updated
This upgrade include security fix for:
CVE-2025-24529
CVE-2025-24530
Release note:
https://www.phpmyadmin.net/news/2025/1/21/phpMyAdmin-522-is-released/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication. Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419
This partially cherry picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
parts. One fixed problem in `http/ngx_http_request` module and the
second fixed problem in `stream/ngx_stream_ssl_module` module. The fix
for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
virtual servers' funcionality was added later in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only `http/ngx_http_request` part was backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
| |
The nginx upgrade in commit 6eef5e3efb0a871622d2ea5eeb016b61d46f722c
added an incorrect tarball checksum and didn't update the license
checksum, resulting in build failures.
Signed-off-by: Jef Driesen <jefdriesen@telenet.be>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
===========
https://nginx.org/en/CHANGES
*) Security: when using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session
(CVE-2024-24989, CVE-2024-24990).
*) Bugfix: connections with pending AIO operations might be closed
prematurely during graceful shutdown of old worker processes.
*) Bugfix: socket leak alerts no longer logged when fast shutdown was
requested after graceful shutdown of old worker processes.
*) Bugfix: a socket descriptor error, a socket leak, or a segmentation
fault in a worker process (for SSL proxying) might occur if AIO was
used in a subrequest.
*) Bugfix: a segmentation fault might occur in a worker process if SSL
proxying was used along with the "image_filter" directive and errors
with code 415 were redirected with the "error_page" directive.
*) Bugfixes and improvements in HTTP/3.
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Busybox can optionally provide an httpd server, but by default The Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.
apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.
Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
| |
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f and https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE's Fixed by upgrade:
CVE-2024-39884 httpd: source code disclosure with handlers configured via AddType
CVE-2024-40725 httpd: source code disclosure with handlers configured via AddType
Other Changes between 2.4.60 -> 2.4.62
======================================
https://github.com/apache/httpd/blob/2.4.62/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite
Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
|
|
|
|
|
|
| |
Current version 2.27.1 is not affected by the issue.
Affected versions: Up to (excl.) 2.27.1
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For now, the known non-reproducible packages list is stored inside the
autobuilder config.json file. This is not ideal. Let's move this list
into each layers of meta-openembedded.
These lists can be used with, in local.conf:
include conf/include/non-repro-meta-oe.inc
OEQA_REPRODUCIBLE_EXCLUDED_PACKAGES = "${KNOWN_NON_REPRO_META_OE}"
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
| |
Signed-off-by: Maxim Perevozchikov <m.perevozchikov@yadro.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add it as runtime dependency to gnome-control-center because without it,
the file sharing options are hidden.
- configure the paths to fit to openembedded env
- add mod_dnssd runtime dependency for apache2 as this is a requirement
To enable the feature, PACKAGECONFIG httpd needs to be added.
This is not done by default to avoid apache2 runtime dependency just by
including this recipe.
NOTE: Apache2 httpd doesn't need to be running. It'll get
started and stopped on demand by systemd.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
| |
currently this is chosen depending on machine at do_configure
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
| |
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
* fixed a few minor oelint-adv warnings in the recipe
* placed all SRC_URI lines in one block
Tested on Raspberry PI 4
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
* Drop SRCPV similarly like oe-core did in:
https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=843f82a246a535c353e08072f252d1dc78217872
* SRCPV is deferred now from PV to PKGV since:
https://git.openembedded.org/openembedded-core/commit/?h=nanbield&id=a8e7b0f932b9ea69b3a218fca18041676c65aba0
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
|
|
|
|
|
|
|
|
|
| |
Providing the http sub module feature. The module works as a filter which
replaces a specific character string in a response with another character
string.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Upstream-Status: Backport from [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9]
WARNING: nginx-1.24.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-44487)
This vulnerability exists between the following versions -> From(including) 1.9.5 Up to(including) 1.25.2
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
| |
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
| |
Netdata has plugins. Some of the written in Python.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
Stable: None -> 1.24.0
Legacy Mainline 1.21.1 -> Removed
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
===========
https://nginx.org/en/CHANGES
*) Change: improved detection of misbehaving clients when using HTTP/2.
*) Feature: startup speedup when using a large number of locations.
Thanks to Yusuke Nojima.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 without SSL; the bug had appeared in 1.25.1.
*) Bugfix: the "Status" backend response header line with an empty
reason phrase was handled incorrectly.
*) Bugfix: memory leak during reconfiguration when using the PCRE2
library.
Thanks to ZhenZhong Wu.
*) Bugfixes and improvements in HTTP/3.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
| |
Note that patch 0011-modules... is no longer needed as it's included in
the upgrade as well.
CVE: CVE-2023-43622
Signed-off-by: Dylan Turner <dylan.turner@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
The Markdown was, at least at github.com, displayed as a paragraph.
And it reads beter as a list.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
| |
And fixed the upstream check for new versions.
Changelog: https://github.com/netdata/netdata/blob/master/CHANGELOG.md
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
| |
There was a warning in the systemd journaling about it.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
The netdata recipe does want to create a netdata group. So add it to the
static id for the reproducibility tests.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
[2023-07-14] — Xdebug 3.2.2
-Fixed bug #2175: Crash with EXC_BAD_ACCESS in xdebug_str_create
-Fixed bug #2180: Crash on extended SplFixedArray
-Fixed bug #2182: Segfault with ArrayObject on stack
-Fixed bug #2186: Segfault with trampoline functions and debugger activation
[2023-03-21] — Xdebug 3.2.1
-Fixed bug #2144: Xdebug 3.2.0 ignores xdebug.mode and enables all features
-Fixed bug #2145: Xdebug 3.2.0 crash PHP on Windows if xdebug.mode = off
-Fixed bug #2146: apache2 segfaulting with version 3.2.0 on PHP 8.0
-Fixed bug #2148: Icon for link to docs in xdebug_info() HTML output does not always render correctly
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This recipe sets the product name used for CVE checking to
"http_server". However, the cve-check logic matches that name to all
products in the CVE database regardless of vendor. Currently, it is
matching to products from vendors other than apache. As a result,
CVE checking incorrectly reports CVEs for those vendors' products for
this package.
Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In version 301, the default bridge implementation was changed to Python.
Adjust recipe to build and install new Python bridge.
Old bridge implementation is still available and can be enabled using
'--enable-old-bridge' flag. Add PACKAGECONFIG option for old bridge.
New bridge shows minor regressions like networking graph not generated
correctly. Probably additional dependencies are missing.
For this reason, keep the old bridge enabled by default.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Non-existing variable was used as a prefix for 'cockpit-askpass'.
Fix the path, so the binary will be correctly installed
in 'cockpit-bridge' package.
Fortunately, even with incorrect path, this binary was "caught"
by the main 'cockpit' package, so it was always installed in the final
image.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libyaml dependency now required. See:
6ee42875c: Bundle libyaml
json-c also seems required now. If I don't enable it, I get compile errors.
compression and https options got renamed upstream to lz4 and openssl. See:
c74bf56ee: Code reorg and cleanup - enrichment of /api/v2
Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
| |
In order to pass reproducible tests, recipes that use the
useradd class must have static ids configured.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
These are test images to build all recipes in layer. Renaming them makes
them refect what they are. Moreover we can rename the ptest images to
match OE-Core naming conventions for meta-oe/meta-perl/meta-python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
These were essentially duplicates of core-image-minimal, however
core-image-base is a better baseline for upper layers, so switched the
consumers of these images to use core-image-base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
| |
We really do not need to define base images which already exist in core
layer, reuse them here.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status
* Accepted was replaced with Backport in gatesgarth:
https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes
* as detected with oe-core/scripts/contrib/patchreview.py:
meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
Apps (Applications tab) is an optional Cockpit Project package.
Make it also an optional package in recipe.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
Packagekit (Software Updates tab) is an optional Cockpit Project
package. Make it also an optional package in recipe.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
* oe-core switched to nanbield in:
https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
===========
*) Feature: path MTU discovery when using HTTP/3.
*) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
HTTP/3.
*) Change: now nginx uses appname "nginx" when loading OpenSSL
configuration.
*) Change: now nginx does not try to load OpenSSL configuration if the
--with-openssl option was used to built OpenSSL and the OPENSSL_CONF
environment variable is not set.
*) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
| |
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
| |
As per https://nvd.nist.gov/vuln/detail/CVE-2019-1010218, Cherokee uses
to use cherokee-project:cherokee_web_server.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changelog:
==========
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
*) Feature: experimental HTTP/3 support.
License-Update: Copyright year updated to 2023.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
|
| |
Brings nginx to the current stable version.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
|
|
|
|
| |
Add stream support to nginx PACKAGECONFIG
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|