Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Feature: the "multipath" parameter of the "listen" directive.
*) Feature: the "local" parameter of the "keepalive" directive in the
"upstream" block.
*) Change: now the "keepalive" directive in the "upstream" block is
enabled by default.
*) Change: now ngx_http_proxy_module supports keepalive by default; the
default value for "proxy_http_version" is "1.1"; the "Connection"
proxy header is not sent by default anymore.
*) Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream if buffered body was used in the
ngx_http_grpc_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Changes:
*) Security: a buffer overflow might occur while handling a COPY or MOVE
request in a location with "alias", allowing an attacker to modify
the source or destination path outside of the document root
(CVE-2026-27654).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module on 32-bit platforms might cause a worker process
crash, or might have potential other impact (CVE-2026-27784).
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, or might have
potential other impact (CVE-2026-32647).
*) Security: a segmentation fault might occur in a worker process if the
CRAM-MD5 or APOP authentication methods were used and authentication
retry was enabled (CVE-2026-27651).
*) Security: an attacker might use PTR DNS records to inject data in
auth_http requests, as well as in the XCLIENT command in the backend
SMTP connection (CVE-2026-28753).
*) Security: SSL handshake might succeed despite OCSP rejecting a client
certificate in the stream module (CVE-2026-28755).
*) Change: now nginx limits the size and rate of QUIC stateless reset
packets.
*) Bugfix: receiving a QUIC packet by a wrong worker process could cause
the connection to terminate.
*) Bugfix: in the ngx_http_mp4_module.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Update the sha256sum to match the current upstream archive.
Signed-off-by: Alper Ak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
The CVE is now tracked with the correct version info by NVD.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
* Feature: session affinity support; the "sticky" directive in the
"upstream" block of the "http" module; the "server" directive supports
the "route" and "drain" parameters.
* Change: now nginx limits the size and rate of QUIC stateless reset
packets.
* Bugfix: receiving a QUIC packet by a wrong worker process could cause the
connection to terminate.
* Bugfix: "[crit] cache file ... contains invalid header" messages might
appear in logs when sending a cached HTTP/2 response.
* Bugfix: proxying to scgi backends might not work when using chunked
transfer encoding and the "scgi_request_buffering" directive.
* Bugfix: in the ngx_http_mp4_module.
* Bugfix: nginx treated a comma as separator in the "Cookie" request header
line when evaluating "$cookie_..." variables.
* Bugfix: in IMAP command literal argument parsing.
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
* mbed TLS updated to 4.0.0.
* Replaced strcpy() with strlcpy() and sprintf() with snprintf().
* Added OS sandbox.
* Removed DHsize option.
* Known bug: mbed TLS v4.0.0 doesn't compile in Cygwin, so building
a Windows package is not possible.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: copyright year bump.
Changelog:
1.29.5:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: an invalid HTTP/2 request might be sent after switching to
the next upstream.
- Bugfix: a response with multiple ranges might be larger than the
source response.
- Bugfix: fixed setting HTTP_HOST when proxying to FastCGI, SCGI, and
uwsgi backends.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
- Change: the logging level of the "ech_required" SSL error has been
lowered from "crit" to "info".
1.29.4:
- Feature: the ngx_http_proxy_module supports HTTP/2.
- Feature: Encrypted ClientHello TLS extension support when using
OpenSSL ECH feature branch; the "ssl_ech_file" directive.
Thanks to Stephen Farrell.
- Change: validation of host and port in the request line, "Host"
header field, and ":authority" pseudo-header field has been changed
to follow RFC 3986.
- Change: now a single LF used as a line terminator in a chunked
request or response body is considered an error.
- Bugfix: when using HTTP/3 with OpenSSL 3.5.1 or newer a segmentation
fault might occur in a worker process; the bug had appeared in
1.29.1.
Thanks to Jan Svojanovsky.
- Bugfix: a segmentation fault might occur in a worker process if the
"try_files" directive and "proxy_pass" with a URI were used.
1.29.3:
- Feature: the "add_header_inherit" and "add_trailer_inherit"
directives.
- Feature: the $request_port and $is_request_port variables.
- Feature: the $ssl_sigalg and $ssl_client_sigalg variables.
- Feature: the "volatile" parameter of the "geo" directive.
- Feature: now certificate compression is available with BoringSSL.
- Bugfix: now certificate compression is disabled with OCSP stapling.
1.29.2:
- Feature: now nginx can be built with AWS-LC.
Thanks to Samuel Chiang.
- Bugfix: now the "ssl_protocols" directive works in a virtual server
different from the default server when using OpenSSL 1.1.1 or newer.
- Bugfix: SSL handshake always failed when using TLSv1.3 with OpenSSL
and client certificates and resuming a session with a different SNI
value; the bug had appeared in 1.27.4.
- Bugfix: the "ignoring stale global SSL error" alerts might appear in
logs when using QUIC and the "ssl_reject_handshake" directive; the
bug had appeared in 1.29.0.
Thanks to Vladimir Homutov.
- Bugfix: in delta-seconds processing in the "Cache-Control" backend
response header line.
- Bugfix: an XCLIENT command didn't use the xtext encoding.
Thanks to Igor Morgenstern of Aisle Research.
- Bugfix: in SSL certificate caching during reconfiguration.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
- Security: an attacker might inject plain text data in the response
from an SSL backend (CVE-2026-1642).
- Bugfix: use-after-free might occur after switching to the next gRPC
or HTTP/2 backend.
- Bugfix: fixed warning when compiling with MSVC 2022 x86.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop patches that are included in this release.
Changes:
* mbed TLS updated to 3.6.4.
* Small bugfixes.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
nginx has a long history, and has used multiple CPEs
over time. Set CVE_PRODUCT to reflect current and historic
vendor:product pairs.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Drop CVE patch which has been integrated into this new version.
Solves:
* CVE-2025-53859
CHANGES:
https://nginx.org/en/CHANGES-1.28
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
352
Shown a warning if the last shutdown/reboot was unclean
Bug fixes and translation updates
351
Firewall ports can be deleted individually
350
networking: fix renaming of bridges and other groups (RHEL-117883)
bridge: fix OpenSSH_10.2p1 host key detection
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- prevent webhook from crashing in case of openapi 3.0
- deps: bump react-syntax-highlighter to 16.0.0
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX to check the correct
latest stable version.
Before the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version:
After the patch:
$ devtool latest-version xdebug
INFO: Current version: 3.4.6
INFO: Latest version: 3.4.7
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove the patch with the fix that is already present in the new
version.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The BusyBox version of mv does not have the -Z flag for setting the SELinux
security context. This results in a failure when the
cockpit-certificate-helper script is executed.
Make the package depend on GNU Coreutils to make sure that the proper
version of mv is installed.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The old-bridge package config option was removed from the recipe,
but the usage of this option was left in some places.
Remove any reference to old-bridge. Only the Python bridge is currently
supported by Cockpit.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The vulnerability was reported against mod_auth_openidc, which is a
third-party module and not part of the apache2 source distribution.
The affected module is not part of the meta-oe universe currently,
so ignore the CVE.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Modified net-generic.patch to update a hardcoded version number to avoid
patch fuzz.
Changelog: https://github.com/webmin/webmin/releases/tag/2.300
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
[2025-07-14] — Xdebug 3.4.5
Fixed bug #2332: Segmentation fault for code coverage with nested fibers
Fixed bug #2356: Reading properties with get hooks may modify property value
[2025-06-12] — Xdebug 3.4.4
Fixed bug #2349: Regression in Xdebug 3.4.3 breaks throwing exceptions in nested generators
Fixed bug #2350: Crash when a certain page generates an exception since Xdebug 3.4.3
Fixed bug #2352: Crash when using latest Xdebug version when throwing exceptions
Fixed bug #2354: The __invoke frame in call stacks doesn't have the argument name in the trace
[2025-05-14] — Xdebug 3.4.3
Fixed bug #2322: Xdebug tries to open debugging connection in destructors during shutdown
Fixed bug #2325: Referred chrome browser extension is no longer working
Fixed bug #2326: Step debugger finishes if property debugging handler in PHP throws an exception
Fixed bug #2331: Segmentation fault with 'invalid' variable names
Fixed bug #2339: Trying to throw an exception can cause a zend_mm_heap corrupted error under specific circumstances
Fixed bug #2340: Xdebug case sensitivity issues on some files introduced since 3.3.0
Fixed bug #2343: Fatal error on virtual property hook step debugging
Fixed bug #2348: Xdebug does not resolve breakpoints in property hooks
Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>