summaryrefslogtreecommitdiffstats
path: root/meta-webserver/recipes-httpd
Commit message (Collapse)AuthorAgeFilesLines
* nginx: update versions for both the stable branch and mainlineDerek Straka2023-12-143-10/+10
| | | | | | | | Stable: None -> 1.24.0 Legacy Mainline 1.21.1 -> Removed Signed-off-by: Derek Straka <derek@asterius.io> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.25.2 -> 1.25.3Meenali Gupta2023-12-141-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: =========== https://nginx.org/en/CHANGES *) Change: improved detection of misbehaving clients when using HTTP/2. *) Feature: startup speedup when using a large number of locations. Thanks to Yusuke Nojima. *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 without SSL; the bug had appeared in 1.25.1. *) Bugfix: the "Status" backend response header line with an empty reason phrase was handled incorrectly. *) Bugfix: memory leak during reconfiguration when using the PCRE2 library. Thanks to ZhenZhong Wu. *) Bugfixes and improvements in HTTP/3. Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: v2.4.57 to v2.4.58 to fix CVE-2023-43622Dylan Turner2023-11-272-33/+1
| | | | | | | | | | Note that patch 0011-modules... is no longer needed as it's included in the upgrade as well. CVE: CVE-2023-43622 Signed-off-by: Dylan Turner <dylan.turner@ni.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: add vendor to product name used for CVE checkingJeffrey Pautler2023-11-101-1/+1
| | | | | | | | | | | | This recipe sets the product name used for CVE checking to "http_server". However, the cve-check logic matches that name to all products in the CVE database regardless of vendor. Currently, it is matching to products from vendors other than apache. As a result, CVE checking incorrectly reports CVEs for those vendors' products for this package. Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: add configure optionJoe Slater2023-10-042-0/+42
| | | | | | | | Support --with-http_xslt_module configure option via a PACKAGECONFIG option. The option is not added to the defaults. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* gnome-tweaks, networkmanager-fortisslvpn, libesmtp, json-schema-validator, ↵Martin Jansa2023-09-271-1/+1
| | | | | | | | | | | | | | | | | python3-pybluez, python3-pynetlinux, apache2: Fix Malformed Upstream-Status * Accepted was replaced with Backport in gatesgarth: https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes * as detected with oe-core/scripts/contrib/patchreview.py: meta-openembedded $ grep -A 3 Malformed *qa-patches meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status : meta-gnome.qa-patches-Upstream-Status: Accepted [https://gitlab.gnome.org/GNOME/gnome-tweaks/-/commit/dc9701e18775c01d0b69fabaa350147f70096da8]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch) Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.25.1 -> 1.25.2Wang Mingyu2023-08-261-1/+1
| | | | | | | | | | | | | | | | | | Changelog: =========== *) Feature: path MTU discovery when using HTTP/3. *) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using HTTP/3. *) Change: now nginx uses appname "nginx" when loading OpenSSL configuration. *) Change: now nginx does not try to load OpenSSL configuration if the --with-openssl option was used to built OpenSSL and the OPENSSL_CONF environment variable is not set. *) Bugfix: in the $body_bytes_sent variable when using HTTP/3. *) Bugfix: in HTTP/3. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* cherokee: add CVE_PRODUCTRoss Burton2023-07-201-0/+2
| | | | | | | | As per https://nvd.nist.gov/vuln/detail/CVE-2019-1010218, Cherokee uses to use cherokee-project:cherokee_web_server. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.24.0 -> 1.25.1Wang Mingyu2023-07-202-6/+6
| | | | | | | | | | | | | | | | | Changelog: ========== *) Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated. *) Change: HTTP/2 server push support has been removed. *) Change: the deprecated "ssl" directive is not supported anymore. *) Bugfix: in HTTP/3 when using OpenSSL. *) Feature: experimental HTTP/3 support. License-Update: Copyright year updated to 2023. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade to 1.24.0 releaseMichael Haener2023-07-111-1/+1
| | | | | | | Brings nginx to the current stable version. Signed-off-by: Michael Haener <michael.haener@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: Add stream Signed-off-by: Luke Schaefer <lukeschafer17@gmail.com>Luke Schaefer2023-06-271-0/+1
| | | | | | Add stream support to nginx PACKAGECONFIG Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: Remove buildpaths from generated mk_env.hKhem Raj2023-05-281-0/+4
| | | | | | | | | | | It has paths to compiler and assembler which are technically cross compilers in OE. We do have these names symlinked on target too but paths needs to be removed. Fixes WARNING: monkey-1.6.9-r0 do_package_qa: QA Issue: File /usr/include/monkey/mk_env.h in package monkey-dev contains reference to TMPDIR [buildpaths] Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: remove unused patch fileMartin Jansa2023-05-241-30/+0
| | | | | | | * it was removed from SRC_URI in: https://git.openembedded.org/meta-openembedded/commit/?id=45b327ba1620febf3dd8a8b415d601c9c9e78bc5 Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.56 -> 2.4.57Valeria Petrov2023-04-252-1/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: Changes with Apache 2.4.57 *) mod_proxy: Check before forwarding that a nocanon path has not been rewritten with spaces during processing. [Yann Ylavic] *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not double encode encoded slashes in the URL sent by the reverse proxy to the backend. [Ruediger Pluem] *) mod_http2: fixed a crash during connection termination. See PR 66539. [Stefan Eissing] *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending in a question mark. PR66547. [Eric Covener] *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded characters on redirections without the "NE" flag. [Yann Ylavic, Eric Covener] *) mod_proxy: Fix double encoding of the uri-path of the request forwarded to the origin server, when using mapping=encoded|servlet. [Yann Ylavic] *) mod_mime: Do not match the extention against possible query string parameters in case ProxyPass was used with the nocanon option. [Ruediger Pluem] New patch: 0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch Accepted in upstream, expected to be removed at next apache2 2.4.58 update. Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey,webmin: Fix upstream patch statusKhem Raj2023-04-071-1/+1
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* meta-webserver: Fix missing upstream status on patchesKhem Raj2023-04-053-0/+3
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.23.3 -> 1.23.4Wang Mingyu2023-04-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: =========== *) Change: now TLSv1.3 protocol is enabled by default. *) Change: now nginx issues a warning if protocol parameters of a listening socket are redefined. *) Change: now nginx closes connections with lingering if pipelining was used by the client. *) Feature: byte ranges support in the ngx_http_gzip_static_module. *) Bugfix: port ranges in the "listen" directive did not work; the bug had appeared in 1.23.3. *) Bugfix: incorrect location might be chosen to process a request if a prefix location longer than 255 characters was used in the configuration. *) Bugfix: non-ASCII characters in file names on Windows were not supported by the ngx_http_autoindex_module, the ngx_http_dav_module, and the "include" directive. *) Change: the logging level of the "data length too long", "length too short", "bad legacy version", "no shared signature algorithms", "bad digest length", "missing sigalgs extension", "encrypted length too long", "bad length", "bad key update", "mixed handshake and non handshake data", "ccs received early", "data between ccs and finished", "packet length too long", "too many warn alerts", "record too small", and "got a fin before a ccs" SSL errors has been lowered from "crit" to "info". *) Bugfix: a socket leak might occur when using HTTP/2 and the "error_page" directive to redirect errors with code 400. *) Bugfix: messages about logging to syslog errors did not contain information that the errors happened while logging to syslog. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: in the mail proxy server. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* redirect unwanted error message in nginx installJohannes Kirchmair2023-04-041-1/+1
| | | | | | | | | | | | | | | | if we run opkg install nginx on our system (without systemd) we end up getting the following message in the install process $ opkg install nginx_1.20.1-r0_core2-64.ipk  ... //var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found this confused some of my coworkers. as installation also finishes correctly without sytemd-tmpfiles and not having systemd-tempfiles is not really a problem, I think we should redirect the message also to /dev/NULL Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: added packagegroup for webdav modulePeter Johennecken2023-03-311-0/+1
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.20.1 -> 1.23.3Wang Mingyu2023-03-093-116/+6
| | | | | | | | | | | | | | | | | | | | | | | | CVE-2021-3618.patch removed since it's included in 1.23.3 Changelog: ========== *) Bugfix: an error might occur when reading PROXY protocol version 2 header with large number of TLVs. *) Bugfix: a segmentation fault might occur in a worker process if SSI was used to process subrequests created by other modules. Thanks to Ciel Zhao. *) Workaround: when a hostname used in the "listen" directive resolves to multiple addresses, nginx now ignores duplicates within these addresses. *) Bugfix: nginx might hog CPU during unbuffered proxying if SSL connections to backends were used. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.55 -> 2.4.56Wang Mingyu2023-03-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== - rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. - mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to allow connections of any age to be reused. Up to now, a negative value was handled as an error when parsing the configuration file. PR 66421. - mod_proxy_ajp: Report an error if the AJP backend sends an invalid number of headers. - mod_md: - Enabling ED25519 support and certificate transparency information when building with libressl v3.5.0 and newer. - MDChallengeDns01 can now be configured for individual domains. - Fixed a bug that caused the challenge teardown not being invoked as it should. - mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors reported in access logs and error documents. The processing of the reset was correct, only unneccesary reporting was caused. - mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: use /run instead of /var/run for systemd volatile configYi Zhao2023-02-241-1/+1
| | | | | | | | | | Fixes: systemd-tmpfiles[181]: /etc/tmpfiles.d/apache2-volatile.conf:1: Line references path below legacy directory /var/run/, updating /var/run/apache2 -> /run/apache2; please update the tmpfiles.d/ drop-in file accordingly. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.54 -> 2.4.55Wang Mingyu2023-02-071-1/+1
| | | | | | | | Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.55 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: use git fetcherMartin Jansa2022-11-101-2/+3
| | | | | | | | * monkey-project.com doesn't resolve anymore * use v1.6.9 tag from github Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: Add ipv6 supportJoshua Watt2022-10-271-1/+2
| | | | | | | Adds a PACKAGECONFIG to enable ipv6 in nginx Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* sthttpd: Define _GNU_SOURCE if HAVE_SIGSET is setKhem Raj2022-09-072-0/+52
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: Fix build with muslKhem Raj2022-08-282-0/+31
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: Fix the buildpaths issueMingli Yu2022-08-062-0/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes: WARNING: apache2-2.4.54-r0 do_package_qa: QA Issue: File /usr/src/debug/apache2/2.4.54-r0/build/server/exports.c in package apache2-src contains reference to TMPDIR [buildpaths] Before the patch: # cat ./build/server/exports.c [snip] #include "mpm_fdqueue.h" const void *ap_ugly_hack = NULL; /* * /buildarea/build/tmp-glibc/work/core2-32-wrs-linux/apache2/2.4.54-r0/httpd-2.4.54/include/ap_expr.h */ const void *ap_hack_ap_expr_exec = (const void *)ap_expr_exec; [snip] After the patch: # cat ./build/server/exports.c [snip] #include "mpm_fdqueue.h" const void *ap_ugly_hack = NULL; /* * ap_expr.h */ const void *ap_hack_ap_expr_exec = (const void *)ap_expr_exec; [snip] Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: split out a new package apache2-utilsChen Qi2022-06-301-2/+14
| | | | | | | | Split out apache2-utils so this small package could be used by other packages. For example, htpasswd could be used by docker-registry. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.53 -> 2.4.54wangmy2022-06-302-8/+6
| | | | | | | | | | | 0004-apache2-log-the-SELinux-context-at-startup.patch refresh for new version. Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.54 Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: add gunzip PACKAGECONFIGStefan Herbrechtsmeier2022-03-291-0/+1
| | | | | | | | | | The nginx gunzip module is a filter that decompresses responses with 'Content-Encoding: gzip' for clients that do not support 'gzip' encoding method. The module will be useful when it is desirable to store data compressed to save space and reduce I/O costs. Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.52 -> 2.4.53Yi Zhao2022-03-2411-65/+62
| | | | | | | | | | | | | | | | ChangeLog: https://downloads.apache.org/httpd/CHANGES_2.4.53 Security fixes: CVE-2022-23943 CVE-2022-22721 CVE-2022-22720 CVE-2022-22719 Refresh patches. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* recipes: Update LICENSE variable to use SPDX license identifiersKhem Raj2022-03-042-2/+2
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.51 -> 2.4.52wangmy2021-12-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: ========== *) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. *) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (cve.mitre.org) A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a hostname, per HTTP specifications. *) OpenSSL autoconf detection improvement: pick up openssl.pc in the specified openssl path. *) mod_proxy_connect, mod_proxy: Do not change the status code after we already sent it to the client. *) mod_http: Correctly sent a 100 Continue status code when sending an interim response as result of an Expect: 100-Continue in the request and not the current status code of the request. PR 65725 *) mod_dav: Some DAV extensions, like CalDAV, specify both document elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure by calling dav_get_liveprop_element(). *) mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too. *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. *) mod_http2: fixes 2 regressions in server limit handling. 1. When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection send a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client failing the request. See PR65731. The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced. 2. A regression in v1.15.24 was fixed that could lead to httpd child processes not being terminated on a graceful reload or when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See <https://github.com/icing/mod_h2/issues/212>. *) mod_ssl: Add build support for OpenSSL v3. *) mod_proxy_connect: Honor the smallest of the backend or client timeout while tunneling. *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP half-close forwarding when tunneling protocols. *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by a third-party module. PR 65627. *) mod_md: Fix memory leak in case of failures to load the private key. PR 65620 *) mod_md: adding v2.4.8 with the following changes - Added support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the server with the value for key identifier and hmac as provided by your CA. While working on some servers, EAB handling is not uniform across CAs. First tests with a Sectigo Certificate Manager in demo mode are successful. But ZeroSSL, for example, seems to regard EAB values as a one-time-use-only thing, which makes them fail if you create a seconde account or retry the creation of the first account with the same EAB. - The directive 'MDCertificateAuthority' now checks if its parameter is a http/https url or one of a set of known names. Those are 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' for now and they are not case-sensitive. The default of LetsEncrypt is unchanged. - `MDContactEmail` can now be specified inside a `<MDomain dnsname>` section. - Treating 401 HTTP status codes for orders like 403, since some ACME servers seem to prefer that for accessing oders from other accounts. - When retrieving certificate chains, try to read the repsonse even if the HTTP Content-Type is unrecognized. - Fixed a bug that reset the error counter of a certificate renewal and prevented the increasing delays in further attempts. - Fixed the renewal process giving up every time on an already existing order with some invalid domains. Now, if such are seen in a previous order, a new order is created for a clean start over again. See <https://github.com/icing/mod_md/issues/268> - Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. *) mod_md: values for External Account Binding (EAB) can now also be configured to be read from a separate JSON file. This allows to keep server configuration permissions world readable without exposing secrets. *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. PR 65616. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache-websocket: remove obsolete support for renamed libtoolRoss Burton2021-12-131-2/+1
| | | | | | | | libtool is now longer renamed to ${host}-libtool, so remove the changes to support this. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: remove obsolete support for renamed libtoolRoss Burton2021-12-131-1/+0
| | | | | | | | libtool is now longer renamed to ${host}-libtool, so remove the changes to support this. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: use ln -rsRoss Burton2021-11-111-1/+1
| | | | | | | lnr is deprecated, use ln -rs directly instead. Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* hiawatha: Create /var/log /var/run at runtimeKhem Raj2021-11-041-1/+18
| | | | Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey: Keep /var/volatile emptyKhem Raj2021-11-041-6/+13
| | | | | | | | /var/volatile is populated at runtime as it can be mounted from a different partition, therefore its better to keep it empty and only populate it during runtime. Signed-off-by: Khem Raj <raj.khem@gmail.com>
* recipes: Update SRC_URI branch and protocolsRichard Purdie2021-11-033-3/+3
| | | | | | | | | This patch updates SRC_URIs using git to include branch=master if no branch is set and also to use protocol=https for github urls as generated by the conversion script in OE-Core. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Apache: Several CVE fixesArmin Kuster2021-10-221-1/+1
| | | | | | | | | | | | | | | | | | | | Source: Apache.org MR: 113457, 113453 Type: Security Fix Disposition: Backport from apache.org 2.4.51 ChangeID: 9d7b58f49487baff99bf8f101e53217425a2b81f Description: Bug fix only update. LTS version https://httpd.apache.org/security/vulnerabilities_24.html Fixes CVEs: CVE-2021-42013 CVE-2021-41524 CVE-2021-41773 Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* apache2: upgrade 2.4.48 -> 2.4.49wangmy2021-09-241-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes with Apache 2.4.49 *) SECURITY: CVE-2021-40438 (cve.mitre.org) mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic] *) SECURITY: CVE-2021-39275 (cve.mitre.org) core: ap_escape_quotes buffer overflow *) SECURITY: CVE-2021-36160 (cve.mitre.org) mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic] *) SECURITY: CVE-2021-34798 (cve.mitre.org) core: null pointer dereference on malformed request *) SECURITY: CVE-2021-33193 (cve.mitre.org) mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing] *) core/mod_proxy/mod_ssl: Adding `outgoing` flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()` function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function `ssl_engine_set`. This enables other SSL module to secure proxy connections. The optional functions `ssl_engine_set`, `ssl_engine_disable` and `ssl_proxy_enable` are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core provided optional function wrap any registered function like it was done for `ssl_is_ssl`. [Stefan Eissing] *) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton] *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self <joelself gmail.com>] *) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self <joelself gmail.com>] *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic] *) mod_unique_id: Reduce the time window where duplicates may be generated PR 65159 [Christophe Jaillet] *) mpm_prefork: Block signals for child_init hooks to prevent potential threads created from there to catch MPM's signals. [Ruediger Pluem, Yann Ylavic] *) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load. PR 65159" added in 2.4.47. This causes issue on Windows. [Christophe Jaillet] *) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic] *) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted as successful or a staged renewal is replacing the existing certificates. This avoid potential mess ups in the md store file system to render the active certificates non-working. [@mkauf] *) mod_proxy: Faster unix socket path parsing in the "proxy:" URL. [Yann Ylavic] *) mod_ssl: tighten the handling of ALPN for outgoing (proxy) connections. If ALPN protocols are provided and sent to the remote server, the received protocol selected is inspected and checked for a match. Without match, the peer handshake fails. An exception is the proposal of "http/1.1" where it is accepted if the remote server did not answer ALPN with a selected protocol. This accomodates for hosts that do not observe/support ALPN and speak http/1.x be default. *) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances with others when their URLs contain a '$' substitution. PR 65419 + 65429. [Yann Ylavic] *) mod_dav: Add method_precondition hook. WebDAV extensions define conditions that must exist before a WebDAV method can be executed. This hook allows a WebDAV extension to verify these preconditions. [Graham Leggett] *) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other modules apart from versioning implementations to handle the REPORT method. [Graham Leggett] *) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and dav_get_resource() to mod_dav.h. [Graham Leggett] *) core: fix ap_escape_quotes substitution logic. [Eric Covener] *) Easy patches: synch 2.4.x and trunk - mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp. - mod_ldap: log and abort locking errors. - mod_ldap: style fix for r1831165 - mod_ldap: build break fix for r1831165 - mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements - mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590) - mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case. - mod_rewrite: Save a few cycles. - mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues - core: remove extra whitespace in HTTP_NOT_IMPLEMENTED [Christophe Jaillet] *) core/mpm: add hook 'child_stopping` that gets called when the MPM is stopping a child process. The additional `graceful` parameter allows registered hooks to free resources early during a graceful shutdown. [Yann Ylavic, Stefan Eissing] *) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the balancer-manager, which can lead to a crash. [Yann Ylavic] *) mpm_event: Fix graceful stop/restart of children processes if connections are in lingering close for too long. [Yann Ylavic] *) mod_md: fixed a potential null pointer dereference if ACME/OCSP server returned 2xx responses without content type. Reported by chuangwen. [chuangwen, Stefan Eissing] *) mod_md: - Domain names in `<MDomain ...>` can now appear in quoted form. - Fixed a failure in ACME challenge selection that aborted further searches when the tls-alpn-01 method did not seem to be suitable. - Changed the tls-alpn-01 setup to only become unsuitable when none of the dns names showed support for a configured 'Protocols ... acme-tls/1'. This allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost. [Stefan Eissing] *) Add CPING to health check logic. [Jean-Frederic Clere] *) core: Split ap_create_request() from ap_read_request(). [Graham Leggett] *) core, h2: common ap_parse_request_line() and ap_check_request_header() code. [Yann Ylavic] *) core: Add StrictHostCheck to allow unconfigured hostnames to be rejected. [Eric Covener] *) htcacheclean: Improve help messages. [Christophe Jaillet] Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: Fix off_t size passed in configureNathan Rossi2021-08-311-1/+1
| | | | | | | | | | | For linux, nginx will always compile with '-D_FILE_OFFSET_BITS=64'. This means that off_t will always be 8 bytes long, even on 32-bit targets. This configuration change resolves some issues with nginx and handling range headers. Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: fix CVE-2021-3618Joe Slater2021-08-202-0/+109
| | | | | | | | | | | Backport with no change a patch from version 1.21.0. This patch was not cherry-picked by nginx to version 1.20.1. Information about this CVE comes from https://ubuntu.com/security/CVE-2021-3618. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Convert to new override syntaxMartin Jansa2021-08-037-60/+60
| | | | | | | | | | This is the result of automated script (0.9.1) conversion: oe-core/scripts/contrib/convert-overrides.py . converting the metadata to use ":" as the override character instead of "_". Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* apache2: upgrade 2.4.46 -> 2.4.48Changqing Li2021-08-031-2/+2
| | | | | Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.19.6 -> 1.21.1Salman Ahmed2021-07-302-10/+10
| | | | | Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nginx: upgrade 1.18.0 -> 1.20.1Salman Ahmed2021-07-302-6/+7
| | | | | Signed-off-by: Salman Ahmed <salman.ahmed@weidmueller.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* hiawatha: fix url.Armin Kuster2021-07-271-1/+1
| | | | | | | files moved under a new dir structure. Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
* nostromo: remove recipeArmin Kuster2021-04-296-301/+0
| | | | | | | | Hosting site seems to be dead so remove recipe. http://www.nazgul.ch Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>