mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-04-02 02:49:12 +00:00
81e1926faf
Changes: *) Security: a buffer overflow might occur while handling a COPY or MOVE request in a location with "alias", allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module on 32-bit platforms might cause a worker process crash, or might have potential other impact (CVE-2026-27784). *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash, or might have potential other impact (CVE-2026-32647). *) Security: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651). *) Security: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753). *) Security: SSL handshake might succeed despite OCSP rejecting a client certificate in the stream module (CVE-2026-28755). *) Feature: the "multipath" parameter of the "listen" directive. *) Feature: the "local" parameter of the "keepalive" directive in the "upstream" block. *) Change: now the "keepalive" directive in the "upstream" block is enabled by default. *) Change: now ngx_http_proxy_module supports keepalive by default; the default value for "proxy_http_version" is "1.1"; the "Connection" proxy header is not sent by default anymore. *) Bugfix: an invalid HTTP/2 request might be sent after switching to the next upstream if buffered body was used in the ngx_http_grpc_module. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>