summaryrefslogtreecommitdiffstats
path: root/meta-webserver
diff options
context:
space:
mode:
Diffstat (limited to 'meta-webserver')
-rw-r--r--meta-webserver/conf/layer.conf2
-rw-r--r--meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.32.6.bb (renamed from meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.30.3.bb)2
-rw-r--r--meta-webserver/recipes-httpd/apache2/apache2_2.4.68.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2_2.4.66.bb)2
-rw-r--r--meta-webserver/recipes-httpd/hiawatha/files/0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch43
-rw-r--r--meta-webserver/recipes-httpd/hiawatha/files/0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch42
-rw-r--r--meta-webserver/recipes-httpd/hiawatha/files/define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch33
-rw-r--r--meta-webserver/recipes-httpd/hiawatha/hiawatha_12.2.bb (renamed from meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb)7
-rw-r--r--meta-webserver/recipes-httpd/monkey/files/0001-server-http-fix-malformed-request-crash-paths.patch160
-rw-r--r--meta-webserver/recipes-httpd/monkey/files/0002-server-scheduler-guard-protocol-close-callback.patch51
-rw-r--r--meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch108
-rw-r--r--meta-webserver/recipes-httpd/monkey/monkey_1.8.7.bb (renamed from meta-webserver/recipes-httpd/monkey/monkey_1.8.4.bb)14
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.28.1.bb7
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb10
-rw-r--r--meta-webserver/recipes-httpd/nginx/nginx_1.30.2.bb6
-rw-r--r--meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb4
-rw-r--r--meta-webserver/recipes-php/xdebug/xdebug_3.5.3.bb (renamed from meta-webserver/recipes-php/xdebug/xdebug_3.5.0.bb)3
-rw-r--r--meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.6.bb (renamed from meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.5.bb)6
-rw-r--r--meta-webserver/recipes-webadmin/webmin/webmin_2.641.bb (renamed from meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb)2
18 files changed, 349 insertions, 153 deletions
diff --git a/meta-webserver/conf/layer.conf b/meta-webserver/conf/layer.conf
index dcaae5cca8..0c48efc465 100644
--- a/meta-webserver/conf/layer.conf
+++ b/meta-webserver/conf/layer.conf
@@ -17,7 +17,7 @@ LAYERVERSION_webserver = "1"
17 17
18LAYERDEPENDS_webserver = "core openembedded-layer" 18LAYERDEPENDS_webserver = "core openembedded-layer"
19 19
20LAYERSERIES_COMPAT_webserver = "walnascar whinlatter" 20LAYERSERIES_COMPAT_webserver = "whinlatter wrynose"
21 21
22LICENSE_PATH += "${LAYERDIR}/licenses" 22LICENSE_PATH += "${LAYERDIR}/licenses"
23 23
diff --git a/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.30.3.bb b/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.32.6.bb
index 3d152e15ad..4f157f1692 100644
--- a/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.30.3.bb
+++ b/meta-webserver/recipes-devtools/swagger-ui/swagger-ui_5.32.6.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
12 12
13SRC_URI = "git://github.com/swagger-api/swagger-ui;branch=master;protocol=https;tag=v${PV}" 13SRC_URI = "git://github.com/swagger-api/swagger-ui;branch=master;protocol=https;tag=v${PV}"
14 14
15SRCREV = "199761a94d03753ec62c23bb4ba162bb73c3cfc7" 15SRCREV = "dcdca62c8b64a0a54e4decd4e1a6c3c712fdcc60"
16 16
17CVE_STATUS[CVE-2016-1000229] = "fixed-version: fixed since 2.2.1" 17CVE_STATUS[CVE-2016-1000229] = "fixed-version: fixed since 2.2.1"
18 18
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.66.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.68.bb
index 630c6f3b1b..dc8c0df12d 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.66.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.68.bb
@@ -27,7 +27,7 @@ SRC_URI:append:class-target = " \
27 " 27 "
28 28
29LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" 29LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
30SRC_URI[sha256sum] = "94d7ff2b42acbb828e870ba29e4cbad48e558a79c623ad3596e4116efcfea25a" 30SRC_URI[sha256sum] = "68c74d4df38c26bed4dfbdb8f3baf1eb532f3872357becc1bba5d136f6b63c06"
31 31
32S = "${UNPACKDIR}/httpd-${PV}" 32S = "${UNPACKDIR}/httpd-${PV}"
33 33
diff --git a/meta-webserver/recipes-httpd/hiawatha/files/0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch b/meta-webserver/recipes-httpd/hiawatha/files/0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch
deleted file mode 100644
index 5a9c719b6d..0000000000
--- a/meta-webserver/recipes-httpd/hiawatha/files/0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 56b26ede007453a4ee9832076597e82d2a903700 Mon Sep 17 00:00:00 2001
2From: Felix Conway <felix.conway@arm.com>
3Date: Wed, 11 Jun 2025 16:04:06 +0100
4Subject: [PATCH 1/2] Add __attribute__ ((nonstring)) to remove
5 unterminated-string-initialization warning
6
7Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/pull/10216]
8Signed-off-by: Felix Conway <felix.conway@arm.com>
9Signed-off-by: Khem Raj <raj.khem@gmail.com>
10---
11 library/ssl_tls13_keys.c | 3 ++-
12 library/ssl_tls13_keys.h | 3 ++-
13 2 files changed, 4 insertions(+), 2 deletions(-)
14
15diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
16index 739414e..375814c 100644
17--- a/library/ssl_tls13_keys.c
18+++ b/library/ssl_tls13_keys.c
19@@ -81,7 +81,8 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
20 * the HkdfLabel structure on success.
21 */
22
23-static const char tls13_label_prefix[6] = "tls13 ";
24+/* We need to tell the compiler that we meant to leave out the null character. */
25+static const char tls13_label_prefix[6] __attribute__ ((nonstring)) = "tls13 ";
26
27 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
28 (2 /* expansion length */ \
29diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
30index d3a4c6c..95cde7a 100644
31--- a/library/ssl_tls13_keys.h
32+++ b/library/ssl_tls13_keys.h
33@@ -40,8 +40,9 @@
34
35 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
36
37+/* We need to tell the compiler that we meant to leave out the null character. */
38 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
39- const unsigned char name [sizeof(string) - 1];
40+ const unsigned char name [sizeof(string) - 1] __attribute__ ((nonstring));
41
42 union mbedtls_ssl_tls13_labels_union {
43 MBEDTLS_SSL_TLS1_3_LABEL_LIST
diff --git a/meta-webserver/recipes-httpd/hiawatha/files/0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch b/meta-webserver/recipes-httpd/hiawatha/files/0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch
deleted file mode 100644
index 2f94cee277..0000000000
--- a/meta-webserver/recipes-httpd/hiawatha/files/0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From 91ec670d3f6399510995dedbf99dca2e7e9bd2d8 Mon Sep 17 00:00:00 2001
2From: Felix Conway <felix.conway@arm.com>
3Date: Thu, 12 Jun 2025 11:28:56 +0100
4Subject: [PATCH 2/2] Replace __attribute__((nonstring)) with macro
5 MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
6
7This macro applies __attribute__((nonstring)) when using a compiler that supports it
8
9Upstream-Status: Backport [https://github.com/Mbed-TLS/mbedtls/pull/10216]
10Signed-off-by: Felix Conway <felix.conway@arm.com>
11Signed-off-by: Khem Raj <raj.khem@gmail.com>
12---
13 library/ssl_tls13_keys.c | 2 +-
14 library/ssl_tls13_keys.h | 2 +-
15 2 files changed, 2 insertions(+), 2 deletions(-)
16
17diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
18index 375814c..621a7d5 100644
19--- a/library/ssl_tls13_keys.c
20+++ b/library/ssl_tls13_keys.c
21@@ -82,7 +82,7 @@ struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
22 */
23
24 /* We need to tell the compiler that we meant to leave out the null character. */
25-static const char tls13_label_prefix[6] __attribute__ ((nonstring)) = "tls13 ";
26+static const char tls13_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "tls13 ";
27
28 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
29 (2 /* expansion length */ \
30diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h
31index 95cde7a..3aa94d7 100644
32--- a/library/ssl_tls13_keys.h
33+++ b/library/ssl_tls13_keys.h
34@@ -42,7 +42,7 @@
35
36 /* We need to tell the compiler that we meant to leave out the null character. */
37 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
38- const unsigned char name [sizeof(string) - 1] __attribute__ ((nonstring));
39+ const unsigned char name [sizeof(string) - 1] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING;
40
41 union mbedtls_ssl_tls13_labels_union {
42 MBEDTLS_SSL_TLS1_3_LABEL_LIST
diff --git a/meta-webserver/recipes-httpd/hiawatha/files/define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch b/meta-webserver/recipes-httpd/hiawatha/files/define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch
deleted file mode 100644
index 6e2d9eb5f1..0000000000
--- a/meta-webserver/recipes-httpd/hiawatha/files/define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch
+++ /dev/null
@@ -1,33 +0,0 @@
1Replace __attribute__((nonstring)) with macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
2This macro applies __attribute__((nonstring)) when using a compiler that supports it
3
4Upstream-Status: Backport [https://github.com/Mbed-TLS/TF-PSA-Crypto/commit/996f4fa3a2fbe8792ed3efd1bcb3657001f35ae1]
5
6Signed-off-by: Felix Conway <felix.conway@arm.com>
7Signed-off-by: Khem Raj <raj.khem@gmail.com>
8
9--- a/library/ssl_tls13_keys.h
10+++ b/library/ssl_tls13_keys.h
11@@ -7,6 +7,22 @@
12 #if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
13 #define MBEDTLS_SSL_TLS1_3_KEYS_H
14
15+/* GCC >= 15 has a warning 'unterminated-string-initialization' which complains if you initialize
16+ * a string into an array without space for a terminating NULL character. In some places in the
17+ * codebase this behaviour is intended, so we add the macro MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
18+ * to suppress the warning in these places.
19+ */
20+#if defined(__has_attribute)
21+#if __has_attribute(nonstring)
22+#define MBEDTLS_HAS_ATTRIBUTE_NONSTRING
23+#endif /* __has_attribute(nonstring) */
24+#endif /* __has_attribute */
25+#if defined(MBEDTLS_HAS_ATTRIBUTE_NONSTRING)
26+#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING __attribute__((nonstring))
27+#else
28+#define MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING
29+#endif /* MBEDTLS_HAS_ATTRIBUTE_NONSTRING */
30+
31 /* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
32 * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union
33 * below. */
diff --git a/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb b/meta-webserver/recipes-httpd/hiawatha/hiawatha_12.2.bb
index 4e7e5fa31d..525aa06e84 100644
--- a/meta-webserver/recipes-httpd/hiawatha/hiawatha_11.7.bb
+++ b/meta-webserver/recipes-httpd/hiawatha/hiawatha_12.2.bb
@@ -6,15 +6,12 @@ DEPENDS = "libxml2 libxslt virtual/crypt"
6 6
7SECTION = "net" 7SECTION = "net"
8 8
9SRC_URI = "https://hiawatha.leisink.net/files/hiawatha-${PV}.tar.gz \ 9SRC_URI = "https://hiawatha.leisink.net/files/download/hiawatha-${PV}.tar.gz \
10 file://0001-Add-__attribute__-nonstring-to-remove-unterminated-s.patch;patchdir=mbedtls \
11 file://0002-Replace-__attribute__-nonstring-with-macro-MBEDTLS_A.patch;patchdir=mbedtls \
12 file://define-MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING.patch;patchdir=mbedtls \
13 file://hiawatha-init \ 10 file://hiawatha-init \
14 file://hiawatha.service \ 11 file://hiawatha.service \
15 " 12 "
16 13
17SRC_URI[sha256sum] = "8bc180ae3b986d02466f081efeefdb1595d96783f581fded2a9b198752ab7ae1" 14SRC_URI[sha256sum] = "f0343f5bf0a200973ebdf16668ab8e845e78498682ca83b05b78b2cc78fbe736"
18 15
19INITSCRIPT_NAME = "hiawatha" 16INITSCRIPT_NAME = "hiawatha"
20INITSCRIPT_PARAMS = "defaults 70" 17INITSCRIPT_PARAMS = "defaults 70"
diff --git a/meta-webserver/recipes-httpd/monkey/files/0001-server-http-fix-malformed-request-crash-paths.patch b/meta-webserver/recipes-httpd/monkey/files/0001-server-http-fix-malformed-request-crash-paths.patch
new file mode 100644
index 0000000000..b57d7ac219
--- /dev/null
+++ b/meta-webserver/recipes-httpd/monkey/files/0001-server-http-fix-malformed-request-crash-paths.patch
@@ -0,0 +1,160 @@
1From 839620179e2b4e5982c53d8956d92e690d82960c Mon Sep 17 00:00:00 2001
2From: Eduardo Silva <eduardo@chronosphere.io>
3Date: Thu, 9 Apr 2026 12:11:52 -0600
4Subject: [PATCH] server: http: fix malformed request crash paths
5
6Fix the reproducible malformed-request crash paths in the HTTP
7request lifecycle.
8
9Handle missing Host data in directory redirects, reject malformed
10range delimiters before substring parsing, and avoid reusing invalid
11request state while advancing pipelined requests.
12
13Verified by rebuilding with cmake --build build and replaying the
14reported crash-inducing request fixtures against build/bin/monkey.
15
16Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
17
18This patch is part of https://github.com/monkey/monkey/pull/434,
19containing assorted CVE fixes.
20
21Upstream-Status: Backport [https://github.com/monkey/monkey/commit/1570f41231888ae8c7fbd719704e2486a952e45d]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 mk_core/mk_memory.c | 10 ++++++++++
25 mk_server/mk_http.c | 46 +++++++++++++++++++++++++++++++++++++++++----
26 2 files changed, 52 insertions(+), 4 deletions(-)
27
28diff --git a/mk_core/mk_memory.c b/mk_core/mk_memory.c
29index c4073e23..008f7ac6 100644
30--- a/mk_core/mk_memory.c
31+++ b/mk_core/mk_memory.c
32@@ -52,6 +52,16 @@ char *mk_ptr_to_buf(mk_ptr_t p)
33 {
34 char *buf;
35
36+ if (!p.data || p.len == 0) {
37+ buf = mk_mem_alloc(1);
38+ if (!buf) {
39+ return NULL;
40+ }
41+
42+ buf[0] = '\0';
43+ return buf;
44+ }
45+
46 buf = mk_mem_alloc(p.len + 1);
47 if (!buf) return NULL;
48
49diff --git a/mk_server/mk_http.c b/mk_server/mk_http.c
50index ad12a74a..f2f12554 100644
51--- a/mk_server/mk_http.c
52+++ b/mk_server/mk_http.c
53@@ -457,6 +457,10 @@ static int mk_http_range_parse(struct mk_http_request *sr)
54 if ((sep_pos = mk_string_char_search(sr->range.data, '-', sr->range.len)) < 0)
55 return -1;
56
57+ if (sep_pos < eq_pos) {
58+ return -1;
59+ }
60+
61 len = sr->range.len;
62 sh = &sr->headers;
63
64@@ -476,10 +480,16 @@ static int mk_http_range_parse(struct mk_http_request *sr)
65 /* =yyy-xxx */
66 if ((eq_pos + 1 != sep_pos) && (len > sep_pos + 1)) {
67 buffer = mk_string_copy_substr(sr->range.data, eq_pos + 1, sep_pos);
68+ if (!buffer) {
69+ return -1;
70+ }
71 sh->ranges[0] = (unsigned long) atol(buffer);
72 mk_mem_free(buffer);
73
74 buffer = mk_string_copy_substr(sr->range.data, sep_pos + 1, len);
75+ if (!buffer) {
76+ return -1;
77+ }
78 sh->ranges[1] = (unsigned long) atol(buffer);
79 mk_mem_free(buffer);
80
81@@ -493,6 +503,9 @@ static int mk_http_range_parse(struct mk_http_request *sr)
82 /* =yyy- */
83 if ((eq_pos + 1 != sep_pos) && (len == sep_pos + 1)) {
84 buffer = mk_string_copy_substr(sr->range.data, eq_pos + 1, len);
85+ if (!buffer) {
86+ return -1;
87+ }
88 sr->headers.ranges[0] = (unsigned long) atol(buffer);
89 mk_mem_free(buffer);
90
91@@ -522,7 +535,16 @@ static int mk_http_directory_redirect_check(struct mk_http_session *cs,
92 return 0;
93 }
94
95+ if (!sr->host.data || sr->host.len <= 0) {
96+ mk_http_error(MK_CLIENT_BAD_REQUEST, cs, sr, server);
97+ return -1;
98+ }
99+
100 host = mk_ptr_to_buf(sr->host);
101+ if (!host) {
102+ mk_http_error(MK_CLIENT_BAD_REQUEST, cs, sr, server);
103+ return -1;
104+ }
105
106 /*
107 * Add ending slash to the location string
108@@ -588,6 +610,9 @@ static inline char *mk_http_index_lookup(mk_ptr_t *path_base,
109 }
110
111 off = path_base->len;
112+ if ((size_t) off >= buf_size) {
113+ return NULL;
114+ }
115 memcpy(buf, path_base->data, off);
116
117 mk_list_foreach(head, server->index_files) {
118@@ -1138,15 +1163,27 @@ int mk_http_request_end(struct mk_http_session *cs, struct mk_server *server)
119 ret = mk_http_parser_more(&cs->parser, cs->body_length);
120 if (ret == MK_TRUE) {
121 /* Our pipeline request limit is the same that our keepalive limit */
122+ if (cs->parser.i < 0 ||
123+ (unsigned int) (cs->parser.i + 1) >= cs->body_length) {
124+ goto shutdown;
125+ }
126+
127 cs->counter_connections++;
128 len = (cs->body_length - cs->parser.i) -1;
129+ if (len <= 0) {
130+ goto shutdown;
131+ }
132 memmove(cs->body,
133 cs->body + cs->parser.i + 1,
134 len);
135 cs->body_length = len;
136
137 /* Prepare for next one */
138- sr = mk_list_entry_first(&cs->request_list, struct mk_http_request, _head);
139+ if (mk_list_is_empty(&cs->request_list) == 0) {
140+ cs->close_now = MK_TRUE;
141+ goto shutdown;
142+ }
143+ sr = &cs->sr_fixed;
144 mk_http_request_free(sr, server);
145 mk_http_request_init(cs, sr, server);
146 mk_http_parser_init(&cs->parser);
147@@ -1626,9 +1663,10 @@ int mk_http_sched_done(struct mk_sched_conn *conn,
148 struct mk_http_request *sr;
149
150 session = mk_http_session_get(conn);
151- sr = mk_list_entry_first(&session->request_list,
152- struct mk_http_request, _head);
153- mk_plugin_stage_run_40(session, sr, server);
154+ if (mk_list_is_empty(&session->request_list) != 0) {
155+ sr = &session->sr_fixed;
156+ mk_plugin_stage_run_40(session, sr, server);
157+ }
158
159 return mk_http_request_end(session, server);
160 }
diff --git a/meta-webserver/recipes-httpd/monkey/files/0002-server-scheduler-guard-protocol-close-callback.patch b/meta-webserver/recipes-httpd/monkey/files/0002-server-scheduler-guard-protocol-close-callback.patch
new file mode 100644
index 0000000000..c731db0919
--- /dev/null
+++ b/meta-webserver/recipes-httpd/monkey/files/0002-server-scheduler-guard-protocol-close-callback.patch
@@ -0,0 +1,51 @@
1From 82fb537e74e9b801d196b76efaf735ee50cd86c6 Mon Sep 17 00:00:00 2001
2From: Eduardo Silva <eduardo@chronosphere.io>
3Date: Thu, 9 Apr 2026 12:43:31 -0600
4Subject: [PATCH] server: scheduler: guard protocol close callback
5
6Avoid calling a null cb_close handler from the scheduler close
7and timeout paths.
8
9This fixes the HTTP/2 upgrade case where the protocol handler can be
10switched to mk_http2_handler even though that handler does not
11implement cb_close.
12
13Verified by rebuilding with cmake --build build.
14
15Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
16
17This patch is part of https://github.com/monkey/monkey/pull/434,
18containing assorted CVE fixes.
19
20Upstream-Status: Backport [https://github.com/monkey/monkey/commit/fc1d68fb38044df08cb43c7d9af0f68714388efc]
21Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
22---
23 mk_server/mk_scheduler.c | 8 +++++---
24 1 file changed, 5 insertions(+), 3 deletions(-)
25
26diff --git a/mk_server/mk_scheduler.c b/mk_server/mk_scheduler.c
27index a680d3cd..3cf0ba40 100644
28--- a/mk_server/mk_scheduler.c
29+++ b/mk_server/mk_scheduler.c
30@@ -598,8 +598,10 @@ int mk_sched_check_timeouts(struct mk_sched_worker *sched,
31 MK_TRACE("Scheduler, closing fd %i due TIMEOUT",
32 conn->event.fd);
33 MK_LT_SCHED(conn->event.fd, "TIMEOUT_CONN_PENDING");
34- conn->protocol->cb_close(conn, sched, MK_SCHED_CONN_TIMEOUT,
35- server);
36+ if (conn->protocol->cb_close) {
37+ conn->protocol->cb_close(conn, sched, MK_SCHED_CONN_TIMEOUT,
38+ server);
39+ }
40 mk_sched_drop_connection(conn, sched, server);
41 }
42 }
43@@ -749,7 +751,7 @@ int mk_sched_event_close(struct mk_sched_conn *conn,
44 MK_TRACE("[FD %i] Connection Handler, closed", conn->event.fd);
45 mk_event_del(sched->loop, &conn->event);
46
47- if (type != MK_EP_SOCKET_DONE) {
48+ if (type != MK_EP_SOCKET_DONE && conn->protocol->cb_close) {
49 conn->protocol->cb_close(conn, sched, type, server);
50 }
51 /*
diff --git a/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch
new file mode 100644
index 0000000000..1e56893c65
--- /dev/null
+++ b/meta-webserver/recipes-httpd/monkey/files/0003-server-parser-harden-boundary-checks.patch
@@ -0,0 +1,108 @@
1From b9f24a2968fa62de4a6ecf070fa0389ce10e7729 Mon Sep 17 00:00:00 2001
2From: Eduardo Silva <eduardo@chronosphere.io>
3Date: Thu, 9 Apr 2026 12:11:57 -0600
4Subject: [PATCH] server: parser: harden boundary checks
5
6Tighten parser and helper validation around explicit lengths and
7buffer boundaries.
8
9Require exact header literal matches, validate chunk length tokens,
10and guard helper routines that previously trusted inconsistent
11pointer or length state.
12
13Verified by rebuilding with cmake --build build and replaying the
14reported malformed request fixtures against build/bin/monkey.
15
16Signed-off-by: Eduardo Silva <eduardo@chronosphere.io>
17
18This patch is part of https://github.com/monkey/monkey/pull/434,
19containing assorted CVE fixes.
20
21Upstream-Status: Backport [https://github.com/monkey/monkey/commit/ffe0d0ed1b074ea6f3965c37bb754e9f19130a82]
22Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
23---
24 include/monkey/mk_http_parser.h | 6 +++++-
25 mk_server/mk_http_parser.c | 13 +++++++++++++
26 mk_server/mk_mimetype.c | 7 ++++++-
27 mk_server/mk_user.c | 2 +-
28 4 files changed, 25 insertions(+), 3 deletions(-)
29
30diff --git a/include/monkey/mk_http_parser.h b/include/monkey/mk_http_parser.h
31index 9e3b365e..465ea0e4 100644
32--- a/include/monkey/mk_http_parser.h
33+++ b/include/monkey/mk_http_parser.h
34@@ -389,7 +389,11 @@ int mk_http_parser_chunked_decode_buf(struct mk_http_parser *p,
35
36 static inline int mk_http_parser_more(struct mk_http_parser *p, int len)
37 {
38- if (abs(len - p->i) - 1 > 0) {
39+ if (len <= 0 || p->i < 0) {
40+ return MK_FALSE;
41+ }
42+
43+ if ((p->i + 1) < len) {
44 return MK_TRUE;
45 }
46
47diff --git a/mk_server/mk_http_parser.c b/mk_server/mk_http_parser.c
48index 9413528a..3c831f29 100644
49--- a/mk_server/mk_http_parser.c
50+++ b/mk_server/mk_http_parser.c
51@@ -173,6 +173,16 @@ static inline void request_set(mk_ptr_t *ptr, struct mk_http_parser *p, char *bu
52 static inline int header_cmp(const char *expected, char *value, int len)
53 {
54 int i = 0;
55+ size_t expected_len;
56+
57+ if (len < 0) {
58+ return -1;
59+ }
60+
61+ expected_len = strlen(expected);
62+ if ((size_t) len != expected_len) {
63+ return -1;
64+ }
65
66 if (len >= 8) {
67 if (expected[0] != tolower(value[0])) return -1;
68@@ -535,6 +545,9 @@ parse_more:
69 (errno != 0)) {
70 return MK_HTTP_PARSER_ERROR;
71 }
72+ if (ptr == tmp || *ptr != '\0') {
73+ return MK_HTTP_PARSER_ERROR;
74+ }
75
76 if (chunk_len < 0) {
77 return MK_HTTP_PARSER_ERROR;
78diff --git a/mk_server/mk_mimetype.c b/mk_server/mk_mimetype.c
79index b86b4ef1..5462ea5c 100644
80--- a/mk_server/mk_mimetype.c
81+++ b/mk_server/mk_mimetype.c
82@@ -197,7 +197,12 @@ struct mk_mimetype *mk_mimetype_find(struct mk_server *server, mk_ptr_t *filenam
83 {
84 int j, len;
85
86- j = len = filename->len;
87+ if (!filename->data || filename->len <= 0) {
88+ return NULL;
89+ }
90+
91+ len = filename->len;
92+ j = len - 1;
93
94 /* looking for extension */
95 while (j >= 0 && filename->data[j] != '.') {
96diff --git a/mk_server/mk_user.c b/mk_server/mk_user.c
97index 7200ff08..716331ac 100644
98--- a/mk_server/mk_user.c
99+++ b/mk_server/mk_user.c
100@@ -46,7 +46,7 @@ int mk_user_init(struct mk_http_session *cs, struct mk_http_request *sr,
101 }
102
103 limit = mk_string_char_search(sr->uri_processed.data + offset, '/',
104- sr->uri_processed.len);
105+ sr->uri_processed.len - offset);
106
107 if (limit == -1) {
108 limit = (sr->uri_processed.len) - offset;
diff --git a/meta-webserver/recipes-httpd/monkey/monkey_1.8.4.bb b/meta-webserver/recipes-httpd/monkey/monkey_1.8.7.bb
index 126a2a6fa5..a9bea8f767 100644
--- a/meta-webserver/recipes-httpd/monkey/monkey_1.8.4.bb
+++ b/meta-webserver/recipes-httpd/monkey/monkey_1.8.7.bb
@@ -7,13 +7,17 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2ee41112a44fe7014dce33e26468ba93"
7 7
8SECTION = "net" 8SECTION = "net"
9 9
10SRC_URI = "git://github.com/monkey/monkey;branch=master;protocol=https \ 10SRC_URI = "git://github.com/monkey/monkey;branch=master;protocol=https;tag=v${PV} \
11 file://0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch \ 11 file://0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch \
12 file://0001-include-Fix-location-of-mk_core.h-etal.patch \ 12 file://0001-include-Fix-location-of-mk_core.h-etal.patch \
13 file://monkey.service \ 13 file://monkey.service \
14 file://monkey.init" 14 file://monkey.init \
15 file://0001-server-http-fix-malformed-request-crash-paths.patch \
16 file://0002-server-scheduler-guard-protocol-close-callback.patch \
17 file://0003-server-parser-harden-boundary-checks.patch \
18 "
15 19
16SRCREV = "94af273244369e1a8426d0d1f6376475aff90db9" 20SRCREV = "0fd3bbd657c6d6339315709ef068493c572b973c"
17 21
18UPSTREAM_CHECK_COMMITS = "1" 22UPSTREAM_CHECK_COMMITS = "1"
19 23
@@ -51,6 +55,10 @@ do_install:append() {
51 if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then 55 if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
52 install -Dm 644 ${UNPACKDIR}/monkey.service ${D}/${systemd_unitdir}/system/monkey.service 56 install -Dm 644 ${UNPACKDIR}/monkey.service ${D}/${systemd_unitdir}/system/monkey.service
53 fi 57 fi
58
59 # QA Issue: monkey installs files in /var/volatile, but it is expected to be empty [empty-dirs]
60 # these folders are supposed to be recreated at runtime
61 find ${D}/var -type d -empty -delete
54} 62}
55 63
56INITSCRIPT_NAME = "monkey" 64INITSCRIPT_NAME = "monkey"
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.28.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.28.1.bb
deleted file mode 100644
index eaaf2b75e9..0000000000
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.28.1.bb
+++ /dev/null
@@ -1,7 +0,0 @@
1require nginx.inc
2
3LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593"
4
5SRC_URI[sha256sum] = "40e7a0916d121e8905ef50f2a738b675599e42b2224a582dd938603fed15788e"
6
7CVE_STATUS[CVE-2025-53859] = "cpe-stable-backport: Fix is included in 1.28.1"
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
deleted file mode 100644
index c08c8539c4..0000000000
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.29.1.bb
+++ /dev/null
@@ -1,10 +0,0 @@
1require nginx.inc
2
3# 1.28.x branch is the current stable branch, the recommended default
4# 1.29.x is the current mainline branches containing all new features
5DEFAULT_PREFERENCE = "-1"
6
7LIC_FILES_CHKSUM = "file://LICENSE;md5=3dc49537b08b14c8b66ad247bb4c4593"
8
9SRC_URI[sha256sum] = "c589f7e7ed801ddbd904afbf3de26ae24eb0cce27c7717a2e94df7fb12d6ad27"
10
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.30.2.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.30.2.bb
new file mode 100644
index 0000000000..2ccc7226a4
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.30.2.bb
@@ -0,0 +1,6 @@
1require nginx.inc
2
3LIC_FILES_CHKSUM = "file://LICENSE;md5=79da1c70d587d3a199af9255ad393f99"
4
5SRC_URI[sha256sum] = "7df3090907fca3cc0e456d6dc00ceb230da74ea88026ceff0affc29dbbd9ac4c"
6
diff --git a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb
index 9ff1772531..33543071ba 100644
--- a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb
+++ b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb
@@ -19,6 +19,8 @@ UPSTREAM_CHECK_REGEX = "v(?P<pver>\d+(\.\d+)+).tar.gz"
19 19
20inherit autotools update-rc.d systemd update-alternatives 20inherit autotools update-rc.d systemd update-alternatives
21 21
22CACHED_CONFIGUREVARS += "ac_cv_prog_cc_c23=no"
23
22ALTERNATIVE_PRIORITY = "100" 24ALTERNATIVE_PRIORITY = "100"
23ALTERNATIVE:${PN}-doc = "htpasswd.1" 25ALTERNATIVE:${PN}-doc = "htpasswd.1"
24ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1" 26ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"
@@ -56,5 +58,3 @@ SYSTEMD_SERVICE:${PN} = "thttpd.service"
56 58
57FILES:${PN} += "${SRV_DIR}" 59FILES:${PN} += "${SRV_DIR}"
58FILES:${PN}-dbg += "${SRV_DIR}/cgi-bin/.debug" 60FILES:${PN}-dbg += "${SRV_DIR}/cgi-bin/.debug"
59
60CVE_STATUS[CVE-2017-10671] = "fixed-version: No action required. The current version (2.27.1) is not affected by the CVE."
diff --git a/meta-webserver/recipes-php/xdebug/xdebug_3.5.0.bb b/meta-webserver/recipes-php/xdebug/xdebug_3.5.3.bb
index b07546d521..02bac6f23f 100644
--- a/meta-webserver/recipes-php/xdebug/xdebug_3.5.0.bb
+++ b/meta-webserver/recipes-php/xdebug/xdebug_3.5.3.bb
@@ -1,4 +1,5 @@
1SUMMARY = "Debugging and profiling extension for PHP" 1SUMMARY = "Debugging and profiling extension for PHP"
2HOMEPAGE = "https://xdebug.org/"
2LICENSE = "Xdebug" 3LICENSE = "Xdebug"
3LIC_FILES_CHKSUM = "file://LICENSE;md5=afd6ce4aa04fdc346e5b3c6e634bd75c" 4LIC_FILES_CHKSUM = "file://LICENSE;md5=afd6ce4aa04fdc346e5b3c6e634bd75c"
4 5
@@ -6,7 +7,7 @@ DEPENDS = "php re2c-native"
6 7
7SRC_URI = "https://xdebug.org/files/xdebug-${PV}.tgz" 8SRC_URI = "https://xdebug.org/files/xdebug-${PV}.tgz"
8 9
9SRC_URI[sha256sum] = "f6daf55a5c7adadb07dd2af25ff78b1cc9b1c58d6cc442a463eba015b678aabf" 10SRC_URI[sha256sum] = "f073de91bea046106abf4d6071c963ea71e58571df6ce58948ceca89d121cb2d"
10 11
11UPSTREAM_CHECK_URI = "https://github.com/xdebug/xdebug/releases" 12UPSTREAM_CHECK_URI = "https://github.com/xdebug/xdebug/releases"
12UPSTREAM_CHECK_REGEX = "releases/tag/(?P<pver>\d+(\.\d+)+)$" 13UPSTREAM_CHECK_REGEX = "releases/tag/(?P<pver>\d+(\.\d+)+)$"
diff --git a/meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.5.bb b/meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.6.bb
index 307919f775..5ad93ebc69 100644
--- a/meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.5.bb
+++ b/meta-webserver/recipes-support/spawn-fcgi/spawn-fcgi_1.6.6.bb
@@ -6,9 +6,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e4dac5c6ab169aa212feb5028853a579"
6 6
7SRC_URI = "http://download.lighttpd.net/spawn-fcgi/releases-1.6.x/spawn-fcgi-${PV}.tar.gz" 7SRC_URI = "http://download.lighttpd.net/spawn-fcgi/releases-1.6.x/spawn-fcgi-${PV}.tar.gz"
8 8
9SRC_URI[sha256sum] = "a72d7bf7fb6d1a0acda89c93d4f060bf77a2dba97ddcfecd00f11e708f592c40" 9SRC_URI[sha256sum] = "4ffe2e9763cf71ca52c3d642a7bfe20d6be292ba0f2ec07a5900c3110d0e5a85"
10 10
11inherit autotools 11inherit meson
12 12
13PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" 13PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
14PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," 14PACKAGECONFIG[ipv6] = "-Dipv6=true,-Dipv6=false,"
diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb b/meta-webserver/recipes-webadmin/webmin/webmin_2.641.bb
index 2c807947e4..b513ec14e6 100644
--- a/meta-webserver/recipes-webadmin/webmin/webmin_2.501.bb
+++ b/meta-webserver/recipes-webadmin/webmin/webmin_2.641.bb
@@ -19,7 +19,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \
19 file://mysql-config-fix.patch \ 19 file://mysql-config-fix.patch \
20 file://webmin.service \ 20 file://webmin.service \
21 " 21 "
22SRC_URI[sha256sum] = "0f2772a582d4c4cf24085993729cfc94df2a64d619cefede5400c24b02efb08f" 22SRC_URI[sha256sum] = "220015eaff2b666b9bbdf2ce2bc676de72d33e5cc5f35b800b0fa14934bdb95a"
23UPSTREAM_CHECK_URI = "http://www.webmin.com/download.html" 23UPSTREAM_CHECK_URI = "http://www.webmin.com/download.html"
24UPSTREAM_CHECK_REGEX = "webmin-(?P<pver>\d+(\.\d+)+).tar.gz" 24UPSTREAM_CHECK_REGEX = "webmin-(?P<pver>\d+(\.\d+)+).tar.gz"
25 25