<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-webserver, branch master-next</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=master-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=master-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-04-20T14:35:36+00:00</updated>
<entry>
<title>monkey: patch CVEs</title>
<updated>2026-04-20T14:35:36+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-04-20T07:46:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=d31f07340fad43120f5e2ee4aee98cdec6f2717d'/>
<id>urn:sha1:d31f07340fad43120f5e2ee4aee98cdec6f2717d</id>
<content type='text'>
These patches are about a number of CVEs filed against the application:
CVE-2025-63649, CVE-2025-63650, CVE-2025-63651, CVE-2025-63652, CVE-2025-63653, CVE-2025-63655,
CVE-2025-63656, CVE-2025-63657 and CVE-2025-63658.

These patches are taken from a pull request[1] that is referenced in the relevant bug report[2].
The patches don't target specific CVEs separately, but they fix a number of CVEs altogether.

Based on upstream analysis (in the linked issue) a number of these CVEs are duplicates of each
other and/or not exploitable. The valid CVEs are fixed by these patches.

I haven't added specific CVE info to the patches, on one hand because of the above, it is hard to
separate the patches by CVE, and secondarily because NVD tracks these CVEs with incorrect version
info: NVD considers 1.8.6 fully fixed, even though the patches are only in the master branch,
untagged at this time. After updating the recipe to 1.8.6+, the vulnerabilities will disappear
from the CVE report due to this.

[1]: https://github.com/monkey/monkey/pull/434
[2]: https://github.com/monkey/monkey/issues/426

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>monkey: upgrade 1.8.4 -&gt; 1.8.7</title>
<updated>2026-04-20T14:35:36+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-04-20T07:46:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=22277ca3a34083c27b5053bde58237e48b0e8799'/>
<id>urn:sha1:22277ca3a34083c27b5053bde58237e48b0e8799</id>
<content type='text'>
Shortlog:
https://github.com/monkey/monkey/compare/v1.8.4...v1.8.7

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hiawatha: Upgrade to 12.1 release</title>
<updated>2026-04-16T19:21:07+00:00</updated>
<author>
<name>Khem Raj</name>
<email>khem.raj@oss.qualcomm.com</email>
</author>
<published>2026-04-16T00:29:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0c5517ff10dea49a14aba3c731d78369f61e1a5d'/>
<id>urn:sha1:0c5517ff10dea49a14aba3c731d78369f61e1a5d</id>
<content type='text'>
- HTTP/2 support added via the nghttp2 library
  (credits to Heiko Zimmermann) — noted as experimental, so
  testing carefully before enabling on production servers is
  recommended.
- mbed TLS updated from 4.0.0 to 4.1.0.
- ssi-cgi removed — the release notes suggest using
  Hiawatha's XSLT support as a more advanced alternative.

Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>sthttpd: disable C23 support to fix configure check</title>
<updated>2026-04-16T19:21:06+00:00</updated>
<author>
<name>Khem Raj</name>
<email>khem.raj@oss.qualcomm.com</email>
</author>
<published>2026-04-15T20:40:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0581dcc49b60a0e049fc2641465e11d93cd81c97'/>
<id>urn:sha1:0581dcc49b60a0e049fc2641465e11d93cd81c97</id>
<content type='text'>
Set ac_cv_prog_cc_c23=no to prevent autoconf from detecting C23
compiler support, avoiding potential build failures as the package
is not yet fully ported to support the C23 standard.

Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>swagger-ui: upgrade 5.32.1 -&gt; 5.32.2</title>
<updated>2026-04-10T14:59:58+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2026-04-09T10:32:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=56e3346fa081815811e1f3470ce7a0868ec94173'/>
<id>urn:sha1:56e3346fa081815811e1f3470ce7a0868ec94173</id>
<content type='text'>
Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>webmin: upgrade 2.621 -&gt; 2.630</title>
<updated>2026-04-06T16:46:29+00:00</updated>
<author>
<name>Jason Schonberg</name>
<email>schonm@gmail.com</email>
</author>
<published>2026-04-06T08:33:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=39adc57e1749a67eaa592c842c82cc9c22d15b51'/>
<id>urn:sha1:39adc57e1749a67eaa592c842c82cc9c22d15b51</id>
<content type='text'>
Changelog: https://github.com/webmin/webmin/releases/tag/2.630

Signed-off-by: Jason Schonberg &lt;schonm@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nginx: upgrade 1.29.6 -&gt; 1.29.7</title>
<updated>2026-03-28T15:32:48+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-03-28T07:30:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=81e1926faffdc13555f94422c722ab5fcbee6b61'/>
<id>urn:sha1:81e1926faffdc13555f94422c722ab5fcbee6b61</id>
<content type='text'>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).

*) Feature: the "multipath" parameter of the "listen" directive.

*) Feature: the "local" parameter of the "keepalive" directive in the
   "upstream" block.

*) Change: now the "keepalive" directive in the "upstream" block is
   enabled by default.

*) Change: now ngx_http_proxy_module supports keepalive by default; the
   default value for "proxy_http_version" is "1.1"; the "Connection"
   proxy header is not sent by default anymore.

*) Bugfix: an invalid HTTP/2 request might be sent after switching to
   the next upstream if buffered body was used in the
   ngx_http_grpc_module.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nginx: upgrade 1.28.2 -&gt; 1.28.3</title>
<updated>2026-03-28T15:32:48+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-03-28T07:30:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=34b3d0f4917169c5cd568cdb13796a2d75f1fbf1'/>
<id>urn:sha1:34b3d0f4917169c5cd568cdb13796a2d75f1fbf1</id>
<content type='text'>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
   request in a location with "alias", allowing an attacker to modify
   the source or destination path outside of the document root
   (CVE-2026-27654).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker process
   crash, or might have potential other impact (CVE-2026-27784).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might have
   potential other impact (CVE-2026-32647).

*) Security: a segmentation fault might occur in a worker process if the
   CRAM-MD5 or APOP authentication methods were used and authentication
   retry was enabled (CVE-2026-27651).

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the backend
   SMTP connection (CVE-2026-28753).

*) Security: SSL handshake might succeed despite OCSP rejecting a client
   certificate in the stream module (CVE-2026-28755).

*) Change: now nginx limits the size and rate of QUIC stateless reset
   packets.

*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
   the connection to terminate.

*) Bugfix: in the ngx_http_mp4_module.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>swagger-ui: upgrade 5.32.0 -&gt; 5.32.1</title>
<updated>2026-03-27T16:09:03+00:00</updated>
<author>
<name>Wang Mingyu</name>
<email>wangmy@fujitsu.com</email>
</author>
<published>2026-03-26T11:56:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=ab7159e7e4dc6bc2d57c265629ee4ef06bdf4787'/>
<id>urn:sha1:ab7159e7e4dc6bc2d57c265629ee4ef06bdf4787</id>
<content type='text'>
Bugfixes:
=========
- invalidate models components cache based on location
- style: use container queries for responsive design

Signed-off-by: Wang Mingyu &lt;wangmy@fujitsu.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>hiawatha: Fix checksum mismatch again</title>
<updated>2026-03-25T01:55:44+00:00</updated>
<author>
<name>Khem Raj</name>
<email>khem.raj@oss.qualcomm.com</email>
</author>
<published>2026-03-25T01:54:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=79f39ce6c63231d38556971c5d8c46e3aca79cdf'/>
<id>urn:sha1:79f39ce6c63231d38556971c5d8c46e3aca79cdf</id>
<content type='text'>
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
</feed>
