<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-webserver, branch scarthgap-next</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=scarthgap-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2025-08-02T17:13:10+00:00</updated>
<entry>
<title>apache2: Upgrade 2.4.62 -&gt; 2.4.64</title>
<updated>2025-08-02T17:13:10+00:00</updated>
<author>
<name>Vijay Anusuri</name>
<email>vanusuri@mvista.com</email>
</author>
<published>2025-07-15T10:03:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=c672757f81486136f053d11395dec8e25c38e2d7'/>
<id>urn:sha1:c672757f81486136f053d11395dec8e25c38e2d7</id>
<content type='text'>
This upgrade incorporates the fixes for CVE-2025-53020, CVE-2025-49812,
CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394,
CVE-2024-43204, CVE-2024-42516 and other bugfixes.

Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.64

Signed-off-by: Vijay Anusuri &lt;vanusuri@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>phpmyadmin: upgrade 5.2.1 -&gt; 5.2.2</title>
<updated>2025-07-11T00:04:33+00:00</updated>
<author>
<name>Changqing Li</name>
<email>changqing.li@windriver.com</email>
</author>
<published>2025-06-10T03:30:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=e82141507cf505a6a18be3cdf1ea084248e1083b'/>
<id>urn:sha1:e82141507cf505a6a18be3cdf1ea084248e1083b</id>
<content type='text'>
License-Update: License year updated

This upgrade includes security fixes for:
CVE-2025-24529
CVE-2025-24530

Release note:
https://www.phpmyadmin.net/news/2025/1/21/phpMyAdmin-522-is-released/

Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>nginx: fix CVE-2025-23419</title>
<updated>2025-03-03T13:09:03+00:00</updated>
<author>
<name>Changqing Li</name>
<email>changqing.li@windriver.com</email>
</author>
<published>2025-03-03T08:24:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=6c9f1f8d4538119803bf793747b65e4d23c33544'/>
<id>urn:sha1:6c9f1f8d4538119803bf793747b65e4d23c33544</id>
<content type='text'>
CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication. Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.

Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419

This is partially cherry-picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e; the original patch had 2
parts. One fixed a problem in the `http/ngx_http_request` module and the
second fixed a problem in the `stream/ngx_stream_ssl_module` module. The fix
for `stream/ngx_stream_ssl_module` can't be applied because the 'stream
virtual servers' functionality was added later in this commit:
https://github.com/nginx/nginx/commit/d21675228a0ba8d4331e05c60660228a5d3326de.
Therefore only the `http/ngx_http_request` part was backported.

Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>nginx: fix the tarball and license checksums</title>
<updated>2025-02-04T22:51:19+00:00</updated>
<author>
<name>Jef Driesen</name>
<email>jefdriesen@telenet.be</email>
</author>
<published>2025-01-31T15:01:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=a141d3dc33a7c3aa935bcba907155f73ea9b9e6b'/>
<id>urn:sha1:a141d3dc33a7c3aa935bcba907155f73ea9b9e6b</id>
<content type='text'>
The nginx upgrade in commit 6eef5e3efb0a871622d2ea5eeb016b61d46f722c
added an incorrect tarball checksum and didn't update the license
checksum, resulting in build failures.

Signed-off-by: Jef Driesen &lt;jefdriesen@telenet.be&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>nginx: upgrade 1.25.3 -&gt; 1.25.4</title>
<updated>2025-01-21T00:34:12+00:00</updated>
<author>
<name>Divya Chellam</name>
<email>divya.chellam@windriver.com</email>
</author>
<published>2025-01-13T16:16:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=6eef5e3efb0a871622d2ea5eeb016b61d46f722c'/>
<id>urn:sha1:6eef5e3efb0a871622d2ea5eeb016b61d46f722c</id>
<content type='text'>
Changelog:
===========
https://nginx.org/en/CHANGES

*) Security: when using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session
(CVE-2024-24989, CVE-2024-24990).

*) Bugfix: connections with pending AIO operations might be closed
prematurely during graceful shutdown of old worker processes.

*) Bugfix: socket leak alerts no longer logged when fast shutdown was
requested after graceful shutdown of old worker processes.

*) Bugfix: a socket descriptor error, a socket leak, or a segmentation
fault in a worker process (for SSL proxying) might occur if AIO was
used in a subrequest.

*) Bugfix: a segmentation fault might occur in a worker process if SSL
proxying was used along with the "image_filter" directive and errors
with code 415 were redirected with the "error_page" directive.

*) Bugfixes and improvements in HTTP/3.

Signed-off-by: Divya Chellam &lt;divya.chellam@windriver.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: use update-alternatives for httpd</title>
<updated>2024-10-06T11:26:19+00:00</updated>
<author>
<name>Trevor Woerner</name>
<email>twoerner@gmail.com</email>
</author>
<published>2024-09-26T22:45:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=62b7dc247bdfd908abd6bbfc1c79a45358fb8e54'/>
<id>urn:sha1:62b7dc247bdfd908abd6bbfc1c79a45358fb8e54</id>
<content type='text'>
Busybox can optionally provide an httpd server, but by default the Yocto
Project defconfig for busybox does not enable it. If it is enabled,
busybox puts the resulting /usr/sbin/httpd object under the control of
update-alternatives.

apache2, on the other hand, does not put /usr/sbin/httpd under the control
of update-alternatives. Therefore, in the off chance a user enables the
busybox httpd server, it does not play well with apache2.

Add update-alternatives information to apache2 so that it plays nicely with
busybox which can optionally provide an httpd server at /usr/sbin/httpd.

Signed-off-by: Trevor Woerner &lt;twoerner@gmail.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>nginx: Backport fix for CVE-2024-7347</title>
<updated>2024-08-21T20:45:46+00:00</updated>
<author>
<name>Ashish Sharma</name>
<email>asharma@mvista.com</email>
</author>
<published>2024-08-21T06:59:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b7148ebb478f1607fa080d2b46aca289a6944936'/>
<id>urn:sha1:b7148ebb478f1607fa080d2b46aca289a6944936</id>
<content type='text'>
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f and https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4]

Signed-off-by: Ashish Sharma &lt;asharma@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade 2.4.60 -&gt; 2.4.62</title>
<updated>2024-08-03T15:51:25+00:00</updated>
<author>
<name>Siddharth Doshi</name>
<email>sdoshi@mvista.com</email>
</author>
<published>2024-07-20T05:27:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=408fc15c230df469fe9b56499c5a9fb36d06cfd6'/>
<id>urn:sha1:408fc15c230df469fe9b56499c5a9fb36d06cfd6</id>
<content type='text'>
CVEs fixed by upgrade:
CVE-2024-39884 httpd: source code disclosure with handlers configured via AddType
CVE-2024-40725 httpd: source code disclosure with handlers configured via AddType

Other Changes between 2.4.60 -&gt; 2.4.62
======================================
https://github.com/apache/httpd/blob/2.4.62/CHANGES

Signed-off-by: Siddharth Doshi &lt;sdoshi@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>apache2: Upgrade 2.4.59 -&gt; 2.4.60</title>
<updated>2024-07-09T12:14:43+00:00</updated>
<author>
<name>Siddharth Doshi</name>
<email>sdoshi@mvista.com</email>
</author>
<published>2024-07-02T18:08:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=0cbf21fd5138ef97b7fdbab3e9cc64066f95e84a'/>
<id>urn:sha1:0cbf21fd5138ef97b7fdbab3e9cc64066f95e84a</id>
<content type='text'>
CVEs fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on Windows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite

Other Changes between 2.4.59 -&gt; 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES

Signed-off-by: Siddharth Doshi &lt;sdoshi@mvista.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
</content>
</entry>
<entry>
<title>sthttpd: Update status for CVE-2017-10671</title>
<updated>2024-04-30T18:00:34+00:00</updated>
<author>
<name>Ninette Adhikari</name>
<email>ninette@thehoodiefirm.com</email>
</author>
<published>2024-04-29T15:12:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=3be6d57c67222b1fe0b526185a2a3c4ab16c4a9f'/>
<id>urn:sha1:3be6d57c67222b1fe0b526185a2a3c4ab16c4a9f</id>
<content type='text'>
Current version 2.27.1 is not affected by the issue.
Affected versions: Up to (excl.) 2.27.1

Signed-off-by: Ninette Adhikari &lt;ninette@thehoodiefirm.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
</feed>
