Mirror of git.openembedded.org/meta-openembedded https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=mickledore-next 2024-01-07T18:15:11+00:00 2024-01-07T18:15:11+00:00 Meenali Gupta meenali.gupta@windriver.com 2023-12-21T03:45:50+00:00 urn:sha1:8e1f0fa6bfac0e96fedc666fe9066f92c85afb27 The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-10-15T23:09:42+00:00 Joe Slater joe.slater@windriver.com 2023-10-10T23:11:08+00:00 urn:sha1:39968837196cb48209b71e8852dd04a2f8ccdca8 Support --with-http_xslt_module configure option via a PACKAGECONFIG option. The option is not added to the defaults. Cherry-pick from master. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e0ac8eec48ddddc93751cfcdef2557998bfe91c8) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-05-07T16:16:20+00:00 Valeria Petrov valeria.petrov@spinetix.com 2023-04-19T13:36:08+00:00 urn:sha1:963d04aa8a507b56d79d0c643032613ebe7767ed Changelog: Changes with Apache 2.4.57 *) mod_proxy: Check before forwarding that a nocanon path has not been rewritten with spaces during processing. [Yann Ylavic] *) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not double encode encoded slashes in the URL sent by the reverse proxy to the backend. [Ruediger Pluem] *) mod_http2: fixed a crash during connection termination. See PR 66539. [Stefan Eissing] *) mod_rewrite: Fix a 2.4.56 regression for substitutions ending in a question mark. PR66547. [Eric Covener] *) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded characters on redirections without the "NE" flag. [Yann Ylavic, Eric Covener] *) mod_proxy: Fix double encoding of the uri-path of the request forwarded to the origin server, when using mapping=encoded|servlet. [Yann Ylavic] *) mod_mime: Do not match the extention against possible query string parameters in case ProxyPass was used with the nocanon option. [Ruediger Pluem] New patch: 0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch Accepted in upstream, expected to be removed at next apache2 2.4.58 update. Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 0b9305faa29f6e26871e7662391efbaae4ae92d9) Signed-off-by: Armin Kuster <akuster808@gmail.com> 2023-04-07T23:58:15+00:00 Khem Raj raj.khem@gmail.com 2023-04-07T17:13:30+00:00 urn:sha1:3a8e18f038ef086c579d8999926eae499652984c Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-04-06T03:41:10+00:00 Khem Raj raj.khem@gmail.com 2023-04-06T03:40:13+00:00 urn:sha1:cb125e2befbfb5ccc78b11128f78b67f9a740410 Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-04-04T20:39:46+00:00 Wang Mingyu wangmy@fujitsu.com 2023-04-03T09:00:08+00:00 urn:sha1:184fd210ea90b4408de8ae79e11889e4f55d5fbd Changelog: =========== *) Change: now TLSv1.3 protocol is enabled by default. *) Change: now nginx issues a warning if protocol parameters of a listening socket are redefined. *) Change: now nginx closes connections with lingering if pipelining was used by the client. *) Feature: byte ranges support in the ngx_http_gzip_static_module. *) Bugfix: port ranges in the "listen" directive did not work; the bug had appeared in 1.23.3. *) Bugfix: incorrect location might be chosen to process a request if a prefix location longer than 255 characters was used in the configuration. *) Bugfix: non-ASCII characters in file names on Windows were not supported by the ngx_http_autoindex_module, the ngx_http_dav_module, and the "include" directive. *) Change: the logging level of the "data length too long", "length too short", "bad legacy version", "no shared signature algorithms", "bad digest length", "missing sigalgs extension", "encrypted length too long", "bad length", "bad key update", "mixed handshake and non handshake data", "ccs received early", "data between ccs and finished", "packet length too long", "too many warn alerts", "record too small", and "got a fin before a ccs" SSL errors has been lowered from "crit" to "info". *) Bugfix: a socket leak might occur when using HTTP/2 and the "error_page" directive to redirect errors with code 400. *) Bugfix: messages about logging to syslog errors did not contain information that the errors happened while logging to syslog. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: in the mail proxy server. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-04-04T20:39:46+00:00 Johannes Kirchmair johannes.kirchmair@sigmatek.at 2023-03-16T15:37:24+00:00 urn:sha1:356b224344ecb5d509318b9dd6a67bab6f03a8ff if we run opkg install nginx on our system (without systemd) we end up getting the following message in the install process $ opkg install nginx_1.20.1-r0_core2-64.ipk  ... //var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found this confused some of my coworkers. as installation also finishes correctly without sytemd-tmpfiles and not having systemd-tempfiles is not really a problem, I think we should redirect the message also to /dev/NULL Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-03-31T17:42:43+00:00 Peter Johennecken pjohennecken@rosen-group.com 2023-03-31T08:35:35+00:00 urn:sha1:9937ffa5d2ae3af7377958405f0dc3720a749028 Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-03-10T07:45:17+00:00 Wang Mingyu wangmy@fujitsu.com 2023-03-10T06:15:37+00:00 urn:sha1:1e48109bc57b047312055178995e796e6e0aca96 CVE-2021-3618.patch removed since it's included in 1.23.3 Changelog: ========== *) Bugfix: an error might occur when reading PROXY protocol version 2 header with large number of TLVs. *) Bugfix: a segmentation fault might occur in a worker process if SSI was used to process subrequests created by other modules. Thanks to Ciel Zhao. *) Workaround: when a hostname used in the "listen" directive resolves to multiple addresses, nginx now ignores duplicates within these addresses. *) Bugfix: nginx might hog CPU during unbuffered proxying if SSL connections to backends were used. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> 2023-03-08T15:12:23+00:00 Wang Mingyu wangmy@fujitsu.com 2023-03-08T13:23:40+00:00 urn:sha1:f8b54b5243c9effb66d5685463b87767e753b843 Changelog: ========== - rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. - mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to allow connections of any age to be reused. Up to now, a negative value was handled as an error when parsing the configuration file. PR 66421. - mod_proxy_ajp: Report an error if the AJP backend sends an invalid number of headers. - mod_md: - Enabling ED25519 support and certificate transparency information when building with libressl v3.5.0 and newer. - MDChallengeDns01 can now be configured for individual domains. - Fixed a bug that caused the challenge teardown not being invoked as it should. - mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors reported in access logs and error documents. The processing of the reset was correct, only unneccesary reporting was caused. - mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>