CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication. Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419
This partially cherry picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
parts. One fixed problem in `http/ngx_http_request` module and the
second fixed problem in `stream/ngx_stream_ssl_module` module. The fix
for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
virtual servers' funcionality was added later in this commit:
d21675228a.
Therefore only `http/ngx_http_request` part was backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2025-24529:
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS
vulnerability has been discovered for the Insert tab.
Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24529
CVE-2025-24530:
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS
vulnerability has been discovered for the check tables feature. A
crafted table or database name could be used for XSS.
Refer: https://nvd.nist.gov/vuln/detail/CVE-2025-24530
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE's Fixed by upgrade:
CVE-2024-36387 apache2/httpd: DoS by null pointer in websocket over HTTP/2
CVE-2024-38472 apache2/httpd: UNC SSRF on WIndows
CVE-2024-38473 apache2/httpd: Encoding problem in mod_proxy
CVE-2024-38474 apache2/httpd: Substitution encoding issue in mod_rewrite
CVE-2024-38475 apache2/httpd: Improper escaping of output in mod_rewrite
CVE-2024-38476 apache2/httpd: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
CVE-2024-38477 apache2/httpd: null pointer dereference in mod_proxy
CVE-2024-39573 apache2/httpd: Potential SSRF in mod_rewrite
Other Changes between 2.4.59 -> 2.4.60
======================================
https://github.com/apache/httpd/blob/2.4.60/CHANGES
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Align to commit 8e297cdc841c6cad34097f00a6903ba25edfc153
("nginx: Remove obsolete patch") by removing reference to
removed patch file. By doing so we mitigate the following
BitBake complaint:
WARNING: .../meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb: Unable to get checksum for nginx SRC_URI entry 0001-HTTP-2-per-iteration-stream-handling-limit.patch: file could not be found
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
With the inclusion of commit 85102dd2dff41945997b983f7c2bfc954dd3bc47
the same patch was introduced again, thus this copy can be deleted
(which accidently was never used, since I originally forgot to add it to
the SRC_URI, whoops).
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This recipe sets the product name used for CVE checking to
"http_server". However, the cve-check logic matches that name to all
products in the CVE database regardless of vendor. Currently, it is
matching to products from vendors other than apache. As a result,
CVE checking incorrectly reports CVEs for those vendors' products for
this package.
Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 51f70eaaa5973e385645f574093ee860f5648f88)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Reduces the impact of HTTP/2 Stream Reset flooding in the nginx product
(CVE-2023-44487).
See: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
This patch only reduces the impact and does not completely mitigate the CVE
in question, the latter being due to a design flaw in the HTTP/2 protocol
itself. For transparancy reasons I therefore opted to not mark the
CVE as resolved, so that integrators can decide for themselves, wheither to
enable HTTP/2 support or allow HTTP/1.1 connections only.
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
According to http://nginx.org/en/CHANGES nginx supports the openssl 3.x
component only from version 1.21.2. In Kirstone openssl 3.x is included but
all provided versions of nginx are older, so there is currently an
incompatibility. With this patch this incompatibility get removed.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e0ac8eec48ddddc93751cfcdef2557998bfe91c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]
New patch:
0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
Accepted in upstream, expected to be removed at next apache2 2.4.58 update.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0b9305faa29f6e26871e7662391efbaae4ae92d9)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
In phpMyAdmin before 4.9.11 and 5.x before 5.2.1,
an authenticated user can trigger XSS by
uploading a crafted .sql file through the drag-and-drop interface.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-25727
Upstream patch:
efa2406695
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
- rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated.
- mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
- mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers.
- mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer.
- MDChallengeDns01 can now be configured for individual domains.
- Fixed a bug that caused the challenge
teardown not being invoked as it should.
- mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
- mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f8b54b5243c9effb66d5685463b87767e753b843)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The nginx gunzip module is a filter that decompresses responses with
'Content-Encoding: gzip' for clients that do not support 'gzip' encoding
method. The module will be useful when it is desirable to store data
compressed to save space and reduce I/O costs.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Layer priority is the ultimate decider of what recipe is used: if layer
A has recipe foo_1 and layer B has recipe foo_2, if layer A's priority
is higher than B then foo_1 will be used, even though the version in B
is higher, and even if PREFERRED_VERSION_foo is set to 2.
This complicates recipes moving between layers, for example when a newer
version of a recipe (say, python3-wheel) is taken from a layer with a
higher priority (say, meta-python) and moved to a layer with a lower
priority (say, oe-core) then it has to be removed before it is added:
there is no way to have it in both layers and work correctly.
Higher priorities are useful in distribution layers where you may want
to override specific recipes without any other fuss. However as all of
the layers in meta-oe simply add more recipes in defined areas, there's
no need to have a higher layer priority.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The json-c dependancy is only needed when cloud is enabled.
Almost no inpact on the size of the package.
Default disabled.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Fix broken pagination links in the navigation sidebar
- Fix MariaDB has no support for system variable "disabled_storage_engines"
- Fix unsupported operand types in Results.php when running "SHOW PROCESSLIST" SQL query
- Fixed importing browser settings question box after login when having no pmadb
- Fix "First day of calendar" user override has no effect
- Fixed repeating headers are not working
- Fixed import of email-adresses or links from ODS results in empty contents
- Fixed a type error on ODS import with non string values
- Fixed header row show/hide columns buttons on each line after hover are shown on each row
- [security] Fix for path disclosure under certain server configurations (if display_errors is on, for instance)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
https can now be enabled (default) or disabled.
The lz4 patch is now in this release.
Package size increase of 2%
Tested on RaspberryPi4-64
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Added the packageconfig to compress the data with lz4.
But disabled it by default.
Patch added to have it working without compression enabled.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
specified openssl path.
*) mod_proxy_connect, mod_proxy: Do not change the status code after we
already sent it to the client.
*) mod_http: Correctly sent a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request. PR 65725
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
elements and property elements that need to be taken into account
when generating a property. The document element and property element
are made available in the dav_liveprop_elem structure by calling
dav_get_liveprop_element().
*) mod_dav: Add utility functions dav_validate_root_ns(),
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
dav_find_attr() so that other modules get to play too.
*) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
*) mod_http2: fixes 2 regressions in server limit handling.
1. When reaching server limits, such as MaxRequestsPerChild, the
HTTP/2 connection send a GOAWAY frame much too early on new
connections, leading to invalid protocol state and a client
failing the request. See PR65731.
The module now initializes the HTTP/2 protocol correctly and
allows the client to submit one request before the shutdown
via a GOAWAY frame is being announced.
2. A regression in v1.15.24 was fixed that could lead to httpd
child processes not being terminated on a graceful reload or
when reaching MaxConnectionsPerChild. When unprocessed h2
requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
*) mod_ssl: Add build support for OpenSSL v3.
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
while tunneling.
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
half-close forwarding when tunneling protocols.
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
a third-party module. PR 65627.
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the repsonse even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows to keep server configuration permissions
world readable without exposing secrets.
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
PR 65616.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The previous commit was using a PACKAGECONFIG to enable or disable
the sending of anonymous data to Google Analytics.
This was giving QA issues.
Now the variable 'NETDATA_ANONYMOUS' is used to enable or disable
the opt-out.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Netdata is sending anonymous statics data to Google by default.
Disabling this by default in the recipe by adding the
.opt-out-from-anonymous-statistics file in the netdata config
directory.
@see: https://learn.netdata.cloud/docs/agent/anonymous-statistics#opt-out
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Added openssl so it can compile with default configuration.
* ebpf I had to disable. It seems to have issues with cross-compiling.
And the libbpf isn't available at all platforms.
Tested on raspberrypy4-64
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
