[meta-webserver,scarthgap,0/2] Fix CVE-2025-23419 for 1.25.x

Message ID	20251231153607.3978985-1-colin.mcallister@garmin.com
Headers	show Return-Path: <philip@balister.org> ip: 205.220.177.212, mailfrom: prvs=6460acd53d=colin.mcallister@garmin.com) Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C From: "Colin McAllister" <colin.mcallister@garmin.com> To: <openembedded-devel@lists.openembedded.org> CC: Colin Pinnell McAllister <colin.mcallister@garmin.com> Subject: [meta-webserver][scarthgap][PATCH 0/2] Fix CVE-2025-23419 for 1.25.x Date: Wed, 31 Dec 2025 09:36:05 -0600 Message-ID: <20251231153607.3978985-1-colin.mcallister@garmin.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	Fix CVE-2025-23419 for 1.25.x \| expand [meta-webserver,scarthgap,0/2] Fix CVE-2025-23419 for 1.25.x [meta-webserver,scarthgap,1/2] nginx: upgrade 1.25.4 -> 1.25.5 [meta-webserver,scarthgap,2/2] nginx: Fix CVE-2025-23419 for 1.25.5

Message ID

20251231153607.3978985-1-colin.mcallister@garmin.com

Headers

Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates
 204.77.163.244 as permitted sender) receiver=protection.outlook.com;
 client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C
From: "Colin McAllister" <colin.mcallister@garmin.com>
To: <openembedded-devel@lists.openembedded.org>
CC: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Subject: [meta-webserver][scarthgap][PATCH 0/2] Fix CVE-2025-23419 for 1.25.x
Date: Wed, 31 Dec 2025 09:36:05 -0600
Message-ID: <20251231153607.3978985-1-colin.mcallister@garmin.com>
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Dec 2025 15:36:15.7552
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 a6e52ef2-2d55-49f9-99b5-08de48825601
X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: 
 TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com]
X-MS-Exchange-CrossTenant-AuthSource: 
	CO1PEPF000044FA.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR04MB8266
X-Proofpoint-ORIG-GUID: ax6o4g5MmRkLuKTJtmPyXBqXitqZIeAT
X-Proofpoint-GUID: ax6o4g5MmRkLuKTJtmPyXBqXitqZIeAT
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMjMxMDEzNiBTYWx0ZWRfX3xQVvP5vDksg
 d22XCM+L8vnI/vo0ECLRM95dTnQDhT/+Y3Sa8jxpLDxu4HQlmHjkGt66tMUD2gM/DHY2DKdoDDE
 puBDtRCLH3evEc8ryM0GVhuL1YusqzkbwQrEX0ym0AWXiiM42CgfOv07EKlkyUAk6mY6hlvcCo5
 ubLWUWckB43B73qqRts+Yln8qc7uvM11XTne4b7Iej9GiW5xrZ55fCw1lBb85ZEikpsFVKX8tG3
 EZmlAd3s/e3jrPfC4UB7ZP8kwcPGKMrUzGZxHYCVEtLh/EBTpGUdfj8ML/19FwvBQoP7GhaRbBn
 knOKOOWjPijd5tHjWNivL9N6YVpHlzmmxCVosuyFHtpE8JEDwloB7rmWDxxqdavcv3sR4ov8l3v
 IWjxXp7hbGCYNP3cVOAMrVO1mhqj+YtSfkfKi0cmVOYKxyg+qeD9li0ntFNU6TDVQ2+/bAqshiv
 KAu6uf3quGxK+VXlY9FI9Iy0WtXHaGaJZl2HchyU=
X-Authority-Analysis: v=2.4 cv=VvMuwu2n c=1 sm=1 tr=0 ts=695542f2 cx=c_pps
 a=Pb7wY1jdxbaV20HAOOqOTg==:117 a=YA0UzX50FYCGjWi3QxTvkg==:17
 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=wP3pNCr1ah4A:10 a=qm69fr9Wx_0A:10
 a=VkNPw1HP01LnGYTKEx00:22 a=f7mX8exDah0BDslT-HQA:9
 cc=ntf
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49
 definitions=2025-12-31_04,2025-12-31_01,2025-10-01_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
 suspectscore=0
 priorityscore=1501 phishscore=0 lowpriorityscore=0 bulkscore=0
 clxscore=1011 adultscore=0 malwarescore=0 impostorscore=0 spamscore=0
 classifier=typeunknown authscore=0 authtc= authcc=notification
 route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2512120000
 definitions=main-2512310136
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
List-Id: <openembedded-devel.lists.openembedded.org>
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com
 [45.33.107.173] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-devel@lists.openembedded.org>; Wed, 31 Dec 2025 15:39:33 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-devel/message/123078

Series

Fix CVE-2025-23419 for 1.25.x | expand

Message

Colin McAllister Dec. 31, 2025, 3:36 p.m. UTC

Fix CVE-2025-23419 by upgrading nginx from 1.25.4 to 1.25.5, which allows the upstream fix to be applied cleanly.
It appears that the CVE-2025-23419.patch for 1.24.0 can be applied to 1.25.4, however this patch is a modified
version of the upstream patch. By upgrading 1.25.4 to 1.25.5, we are able cleanly apply the upstream fix.
Since 1.25.x is not the default preference, I assume upgrading one patch version is acceptable.

Colin Pinnell McAllister (2):
  nginx: upgrade 1.25.4 -> 1.25.5
  nginx: Fix CVE-2025-23419 for 1.25.5

 .../nginx/nginx-1.25.5/CVE-2025-23419.patch   | 119 ++++++++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx.inc  |   1 +
 .../recipes-httpd/nginx/nginx_1.24.0.bb       |   3 +-
 .../{nginx_1.25.4.bb => nginx_1.25.5.bb}      |   2 +-
 4 files changed, 122 insertions(+), 3 deletions(-)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
 rename meta-webserver/recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} (74%)