mirror of
git://git.openembedded.org/meta-openembedded
synced 2025-12-31 13:38:06 +00:00
fedd8cf51d
CVE-2025-23419:
When multiple server blocks are configured to share the same IP address
and port, an attacker can use session resumption to bypass client
certificate authentication requirements on these servers. This
vulnerability arises when TLS Session Tickets
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key
are used and/or the SSL session cache
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache
are used in the default server and the default server is performing
client certificate authentication. Note: Software versions which have
reached End of Technical Support (EoTS) are not evaluated.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2025-23419
This partially cherry picked from commit
13935cf9fdc3c8d8278c70716417d3b71c36140e, the original patch had 2
parts. One fixed problem in `http/ngx_http_request` module and the
second fixed problem in `stream/ngx_stream_ssl_module` module. The fix
for `stream/ngx_stream_ssl_module can't be aplied because, the 'stream
virtual servers' funcionality was added later in this commit:
d21675228a.
Therefore only `http/ngx_http_request` part was backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
meta-webserver ============== This layer provides support for building web servers, web-based applications and related software. Dependencies ------------ This layer depends on: URI: git://git.openembedded.org/openembedded-core subdirectory: meta branch: kirkstone For some recipes, the meta-oe layer is required: URI: git://git.openembedded.org/meta-openembedded subdirectory: meta-oe branch: kirkstone Layout ------ recipes-httpd/ Web servers recipes-php/ PHP applications recipes-support/ Miscellaneous support recipes recipes-webadmin/ Standalone web administration interfaces Notes ----- * This layer used to provide a modphp recipe that built mod_php, but this is now built as part of the php recipe in meta-oe. However, since apache2 is required to build mod_php, and apache2 recipe is in this layer and recipes in meta-oe can't depend on it, mod_php is not built by default. If you do wish to use mod_php, you need to add "apache2" to the PACKAGECONFIG value for the php recipe in order to enable it. See here for info on how to do that: http://www.yoctoproject.org/docs/current/ref-manual/ref-manual.html#var-PACKAGECONFIG Maintenance ----------- Send patches / pull requests to openembedded-devel@lists.openembedded.org with '[meta-webserver][kirkstone]' in the subject. When sending single patches, please using something like: git send-email -M -1 --to openembedded-devel@lists.openembedded.org --subject-prefix='meta-webserver][kirkstone][PATCH' Layer maintainer: Armin Kuster <akuster808@gmail.com> License ------- All metadata is MIT licensed unless otherwise stated. Source code included in tree for individual recipes is under the LICENSE stated in each recipe (.bb file) unless otherwise stated. This README document is Copyright (C) 2012 Intel Corporation.