Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=master-next 2026-05-12T08:10:18+00:00 2026-05-12T08:10:18+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-05-09T11:06:00+00:00 urn:sha1:26ecae46ece43d5ce32433c2405439539d62db68 1.30.0 stable version has been released, incorporating new features and bug fixes from the 1.29.x mainline branch (https://nginx.org/en/CHANGES-1.30) Also dropped v1.28 support. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> 2026-03-28T15:32:48+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-28T07:30:21+00:00 urn:sha1:81e1926faffdc13555f94422c722ab5fcbee6b61 Changes: *) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module on 32-bit platforms might cause a worker process crash, or might have potential other impact (CVE-2026-27784). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, or might have potential other impact (CVE-2026-32647). *) Security: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651). *) Security: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753). *) Security: SSL handshake might succeed despite OCSP rejecting a client certificate in the stream module (CVE-2026-28755). *) Feature: the "multipath" parameter of the "listen" directive. *) Feature: the "local" parameter of the "keepalive" directive in the "upstream" block. *) Change: now the "keepalive" directive in the "upstream" block is enabled by default. *) Change: now ngx_http_proxy_module supports keepalive by default; the default value for "proxy_http_version" is "1.1"; the "Connection" proxy header is not sent by default anymore. *) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream if buffered body was used in the ngx_http_grpc_module. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> 2026-03-28T15:32:48+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-03-28T07:30:20+00:00 urn:sha1:34b3d0f4917169c5cd568cdb13796a2d75f1fbf1 Changes: *) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module on 32-bit platforms might cause a worker process crash, or might have potential other impact (CVE-2026-27784). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, or might have potential other impact (CVE-2026-32647). *) Security: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651). *) Security: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753). *) Security: SSL handshake might succeed despite OCSP rejecting a client certificate in the stream module (CVE-2026-28755). *) Change: now nginx limits the size and rate of QUIC stateless reset packets. *) Bugfix: receiving a QUIC packet by a wrong worker process could cause the connection to terminate. *) Bugfix: in the ngx_http_mp4_module. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com> 2026-03-18T21:33:26+00:00 Ankur Tyagi ankur.tyagi85@gmail.com 2026-03-15T20:44:21+00:00 urn:sha1:757cf709436b6997dbead37fb766e1db4575433f Changelog: * Feature: session affinity support; the "sticky" directive in the "upstream" block of the "http" module; the "server" directive supports the "route" and "drain" parameters. * Change: now nginx limits the size and rate of QUIC stateless reset packets. * Bugfix: receiving a QUIC packet by a wrong worker process could cause the connection to terminate. * Bugfix: "[crit] cache file ... contains invalid header" messages might appear in logs when sending a cached HTTP/2 response. * Bugfix: proxying to scgi backends might not work when using chunked transfer encoding and the "scgi_request_buffering" directive. * Bugfix: in the ngx_http_mp4_module. * Bugfix: nginx treated a comma as separator in the "Cookie" request header line when evaluating "$cookie_..." variables. * Bugfix: in IMAP command literal argument parsing. Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2026-02-16T08:34:02+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-02-12T14:10:22+00:00 urn:sha1:cd0a0f605ec21795ad9ce996a52d6704c4e6fbbe License-Update: copyright year bump. Changelog: 1.29.5: - Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642). - Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend. - Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream. - Bugfix: a response with multiple ranges might be larger than the source response. - Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and uwsgi backends. - Bugfix: fixed warning when compiling with MSVC 2022 x86. - Change: the logging level of the "ech_required" SSL error has been lowered from "crit" to "info". 1.29.4: - Feature: the ngx_http_proxy_module supports HTTP/2. - Feature: Encrypted ClientHello TLS extension support when using OpenSSL ECH feature branch; the "ssl_ech_file" directive. Thanks to Stephen Farrell. - Change: validation of host and port in the request line, "Host" header field, and ":authority" pseudo-header field has been changed to follow RFC 3986. - Change: now a single LF used as a line terminator in a chunked request or response body is considered an error. - Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation fault might occur in a worker process; the bug had appeared in 1.29.1. Thanks to Jan Svojanovsky. - Bugfix: a segmentation fault might occur in a worker process if the "try_files" directive and "proxy_pass" with a URI were used. 1.29.3: - Feature: the "add_header_inherit" and "add_trailer_inherit" directives. - Feature: the $request_port and $is_request_port variables. - Feature: the $ssl_sigalg and $ssl_client_sigalg variables. - Feature: the "volatile" parameter of the "geo" directive. - Feature: now certificate compression is available with BoringSSL. - Bugfix: now certificate compression is disabled with OCSP stapling. 1.29.2 - Feature: now nginx can be built with AWS-LC. Thanks Samuel Chiang. - Bugfix: now the "ssl_protocols" directive works in a virtual server different from the default server when using OpenSSL 1.1.1 or newer. - Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL and client certificates and resuming a session with a different SNI value; the bug had appeared in 1.27.4. - Bugfix: the "ignoring stale global SSL error" alerts might appear in logs when using QUIC and the "ssl_reject_handshake" directive; the bug had appeared in 1.29.0. Thanks to Vladimir Homutov. - Bugfix: in delta-seconds processing in the "Cache-Control" backend response header line. - Bugfix: an XCLIENT command didn't use the xtext encoding. Thanks to Igor Morgenstern of Aisle Research. - Bugfix: in SSL certificate caching during reconfiguration. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2026-02-16T08:34:02+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-02-12T14:10:21+00:00 urn:sha1:f2be1069f18e0f7c0f87cffae0f304c118231231 Changelog: - Security: an attacker might inject plain text data in the response from an SSL backend (CVE-2026-1642). - Bugfix: use-after-free might occur after switching to the next gRPC or HTTP/2 backend. - Bugfix: fixed warning when compiling with MSVC 2022 x86. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2026-01-12T18:25:56+00:00 Peter Marko peter.marko@siemens.com 2026-01-10T20:29:19+00:00 urn:sha1:5d3936d5dd0489a984e37cc00b59e6a05d9541ac Fix is included via commit [1]. [1] https://github.com/nginx/nginx/commit/fbbbf189dadf3bd59c2462af68c16f2c2874d4ee Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2026-01-04T19:34:49+00:00 Gyorgy Sarvari skandigraun@gmail.com 2026-01-04T19:11:04+00:00 urn:sha1:d25aadbbb53d54382b4b82b1f78a69d4d117fd28 nginx has a long history, and has used multiple CPEs over time. Set CVE_PRODUCT to reflect current and historic vendor:product pairs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2026-01-04T19:06:41+00:00 Jason Schonberg schonm@gmail.com 2026-01-04T18:58:11+00:00 urn:sha1:222c6425644a39c9b7757792b47e500ca55f85b0 Drop CVE patch which has been integrated into this new version. Solves: * CVE-2025-53859 CHANGES: https://nginx.org/en/CHANGES-1.28 Signed-off-by: Jason Schonberg <schonm@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2025-12-01T16:45:52+00:00 Hongxu Jia hongxu.jia@windriver.com 2025-12-01T07:05:24+00:00 urn:sha1:3e308aacb03631eb1ed27baad7fc28f21075e3a4 NGINX 1.22 and later supports PCRE2 [1] [1] https://github.com/nginx/nginx/commit/c6fec0b027569a4e0b1d8aaee7dea0f2e4d6052b Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>