nginx: Upgrade stable 1.24.0 -> 1.26.0

nginx-1.26.0 stable version has been released, incorporating new features and bug fixes from the 1.25.x mainline branch - including experimental HTTP/3 support, HTTP/2 on a per-server basis virtual servers in the stream module, passing stream connections to listen sockets, and more. License-Update: copyright years refreshed Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Peter Marko <peter.marko@siemens.com> 2024-04-30 23:49:21 +0200
committer: Khem Raj <raj.khem@gmail.com> 2024-04-30 17:02:36 -0700
commit: d0fd84b7dff9446a6f28ee43cd2119db63e5b1b4 (patch)
tree: 43038bb069b17437b2def8d728b360c82ebeb8f8
parent: 224eb2697ffddc97a2ff0a4ee3dbca14ec3bb13e (diff)
download: meta-openembedded-d0fd84b7dff9446a6f28ee43cd2119db63e5b1b4.tar.gz
3 files changed, 6 insertions, 86 deletions
diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch
deleted file mode 100644
index 2fc6a60f6..000000000
--- a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 6ceef192e7af1c507826ac38a2d43f08bf265fb9 Mon Sep 17 00:00:00 2001
-From: Maxim Dounin <mdounin@mdounin.ru>
-Date: Wed, 10 Jan 2024 18:52:11 +0000
-Subject: [PATCH] HTTP/2: per-iteration stream handling limit.
-To ensure that attempts to flood servers with many streams are detected
-early, a limit of no more than 2 * max_concurrent_streams new streams per one
-event loop iteration was introduced.  This limit is applied even if
-max_concurrent_streams is not yet reached - for example, if corresponding
-streams are handled synchronously or reset.
-Further, refused streams are now limited to maximum of max_concurrent_streams
-and 100, similarly to priority_limit initial value, providing some tolerance
-to clients trying to open several streams at the connection start, yet
-low tolerance to flooding attempts.
-Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9]
-CVE: CVE-2023-44487
-Signed-off-by: alperak <alperyasinak1@gmail.com>
---
- src/http/v2/ngx_http_v2.c | 15 +++++++++++++++
- src/http/v2/ngx_http_v2.h |  2 ++
- 2 files changed, 17 insertions(+)
-diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
-index ea3f27c..1116e56 100644
--- a/src/http/v2/ngx_http_v2.c
-+++ b/src/http/v2/ngx_http_v2.c
-@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
-     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
- 
-     h2c->blocked = 1;
-+    h2c->new_streams = 0;
- 
-     if (c->close) {
-         c->close = 0;
-@@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
-         goto rst_stream;
-     }
- 
-+    if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
-+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+                      "client sent too many streams at once");
-+
-+        status = NGX_HTTP_V2_REFUSED_STREAM;
-+        goto rst_stream;
-+    }
-+
-     if (!h2c->settings_ack
-         && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
-         && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
-@@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos,
- 
- rst_stream:
- 
-+    if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
-+        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
-+                      "client sent too many refused streams");
-+        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
-+    }
-+
-     if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
-         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
-     }
-diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
-index 4e25293..b9daf92 100644
--- a/src/http/v2/ngx_http_v2.h
-+++ b/src/http/v2/ngx_http_v2.h
-@@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s {
-     ngx_uint_t                       processing;
-     ngx_uint_t                       frames;
-     ngx_uint_t                       idle;
-+    ngx_uint_t                       new_streams;
-+    ngx_uint_t                       refused_streams;
-     ngx_uint_t                       priority_limit;
- 
-     ngx_uint_t                       pushing;
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
deleted file mode 100644
index e5666f6fe..000000000
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ /dev/null
@@ -1,8 +0,0 @@
-require nginx.inc
-LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
-SRC_URI:append = " file://CVE-2023-44487.patch"
-SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb
new file mode 100644
index 000000000..0ce940d42
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb
@@ -0,0 +1,6 @@
+require nginx.inc
+LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628"
+SRC_URI[sha256sum] = "d2e6c8439d6c6db5015d8eaab2470ab52aef85a7bf363182879977e084370497"
author	Peter Marko <peter.marko@siemens.com>	2024-04-30 23:49:21 +0200
committer	Khem Raj <raj.khem@gmail.com>	2024-04-30 17:02:36 -0700
commit	d0fd84b7dff9446a6f28ee43cd2119db63e5b1b4 (patch)
tree	43038bb069b17437b2def8d728b360c82ebeb8f8
parent	224eb2697ffddc97a2ff0a4ee3dbca14ec3bb13e (diff)
download	meta-openembedded-d0fd84b7dff9446a6f28ee43cd2119db63e5b1b4.tar.gz

diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch deleted file mode 100644 index 2fc6a60f6..000000000 --- a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch +++ /dev/null
@@ -1,78 +0,0 @@
1	From 6ceef192e7af1c507826ac38a2d43f08bf265fb9 Mon Sep 17 00:00:00 2001
2	From: Maxim Dounin <mdounin@mdounin.ru>
3	Date: Wed, 10 Jan 2024 18:52:11 +0000
4	Subject: [PATCH] HTTP/2: per-iteration stream handling limit.
5
6	To ensure that attempts to flood servers with many streams are detected
7	early, a limit of no more than 2 * max_concurrent_streams new streams per one
8	event loop iteration was introduced. This limit is applied even if
9	max_concurrent_streams is not yet reached - for example, if corresponding
10	streams are handled synchronously or reset.
11
12	Further, refused streams are now limited to maximum of max_concurrent_streams
13	and 100, similarly to priority_limit initial value, providing some tolerance
14	to clients trying to open several streams at the connection start, yet
15	low tolerance to flooding attempts.
16
17	Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9]
18	CVE: CVE-2023-44487
19
20	Signed-off-by: alperak <alperyasinak1@gmail.com>
21	---
22	src/http/v2/ngx_http_v2.c \| 15 +++++++++++++++
23	src/http/v2/ngx_http_v2.h \| 2 ++
24	2 files changed, 17 insertions(+)
25
26	diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
27	index ea3f27c..1116e56 100644
28	--- a/src/http/v2/ngx_http_v2.c
29	+++ b/src/http/v2/ngx_http_v2.c
30	@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev)
31	ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
32
33	h2c->blocked = 1;
34	+ h2c->new_streams = 0;
35
36	if (c->close) {
37	c->close = 0;
38	@@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t h2c, u_char pos,
39	goto rst_stream;
40	}
41
42	+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
43	+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
44	+ "client sent too many streams at once");
45	+
46	+ status = NGX_HTTP_V2_REFUSED_STREAM;
47	+ goto rst_stream;
48	+ }
49	+
50	if (!h2c->settings_ack
51	&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
52	&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
53	@@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t h2c, u_char pos,
54
55	rst_stream:
56
57	+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
58	+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
59	+ "client sent too many refused streams");
60	+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
61	+ }
62	+
63	if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
64	return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
65	}
66	diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h
67	index 4e25293..b9daf92 100644
68	--- a/src/http/v2/ngx_http_v2.h
69	+++ b/src/http/v2/ngx_http_v2.h
70	@@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s {
71	ngx_uint_t processing;
72	ngx_uint_t frames;
73	ngx_uint_t idle;
74	+ ngx_uint_t new_streams;
75	+ ngx_uint_t refused_streams;
76	ngx_uint_t priority_limit;
77
78	ngx_uint_t pushing;


diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb deleted file mode 100644 index e5666f6fe..000000000 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ /dev/null
@@ -1,8 +0,0 @@
1	require nginx.inc
2
3	LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
4
5	SRC_URI:append = " file://CVE-2023-44487.patch"
6
7	SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
8


diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb new file mode 100644 index 000000000..0ce940d42 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.26.0.bb
@@ -0,0 +1,6 @@
		1	require nginx.inc
		2
		3	LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628"
		4
		5	SRC_URI[sha256sum] = "d2e6c8439d6c6db5015d8eaab2470ab52aef85a7bf363182879977e084370497"
		6