From patchwork Wed Dec 31 15:36:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin McAllister X-Patchwork-Id: 77840 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19DFDEE6458 for ; Wed, 31 Dec 2025 15:39:33 +0000 (UTC) Received: from mx0b-000eb902.pphosted.com (mx0b-000eb902.pphosted.com [205.220.177.212]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.87152.1767195381928888687 for ; Wed, 31 Dec 2025 07:36:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@garmin.com header.s=pps1 header.b=hq+qvbru; dkim=pass header.i=@garmin.com header.s=selector2 header.b=sJe9FUoC; spf=pass (domain: garmin.com, ip: 205.220.177.212, mailfrom: prvs=6460acd53d=colin.mcallister@garmin.com) Received: from pps.filterd (m0220297.ppops.net [127.0.0.1]) by mx0a-000eb902.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5BVENSrI024993 for ; Wed, 31 Dec 2025 09:36:21 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=pps1; bh=P6bsO YeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=hq+qvbru//Rax5A/xSjGa VrgEJwwsUht7CRdhC7zSwxbbRwTKm7995afC9slNIXPOtsuJQa+oDzaHUJYFBbo1 +F9cCR84yFi+hZkkB8yr6PAidFANWFMoahaZ+LFaD0dQ36Y8CMLrVypnV70yhOTj l3moXEKFaBjuPUIl9NFxP00UcpAytkBD5FAeO9Zg33dKqFXhwvGNrYCMTo0cpJcy Y/E6CBtPg4YhBflPbMvr5jPBSPKh8agpDEZgfnle/MMSGzW/6Uh4/jm0XYhRRNHw lnQ3i/xFjWQxbAN/YVhciCrrGZ1h5Opdaw5Lvf/ADS8JfMqQbZxTGLjAqxbCgcYp Q== Received: from ph7pr06cu001.outbound.protection.outlook.com (mail-westus3azon11020096.outbound.protection.outlook.com [52.101.201.96]) by mx0a-000eb902.pphosted.com (PPS) with ESMTPS id 4bc95sam19-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 31 Dec 2025 09:36:20 -0600 (CST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=QvAKXAtZMS1pRTVetQNdKwWXpZMSR2q2npcscmZNqbM3BqHz5fnkCupD7yq6cff5pEgPleJ4x38Vo5MTzCO0T9qoW4qZqHNRWFE8L7d/4ls54zkynpPm8SEEBTRp4F1wOQhl6EYHgUHjWnNzR+pdgb2F63YaBUw3fFto/Tgt1Fe2Ejkp3/v6J3sDFPfCfU3P1cg6Jnf7/PFoxvYrpGacH9pQke9GKlKIw4SpedzVHilApAbsG8enpl248xrF45AlH0TPWGmav7/lCVZi75dJGeV2Jnm1czmqUIrPD41SOvzVjOfmGlJa9vGrGuydiWKDReUAfyyF3k4/ssNqG2Qo/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=P6bsOYeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=bUL70dyRpaSWxpdaQ0L2UR1ZBOKmqpiB1Z1gq9MHnJzqyseK0kYtlu8+nxd6aNjQIBmyca8GuVQRjai3p6RpEn9JvYkr9T03r7UfHeWlfVzvT/Mp538i8Z3Hkp/+IyywYbuWQJjMJXlPK3SZQQ/dl9H7VZrveb8SfKFzaIxt9N/7rvlJ6uhW19BNQePzAKB1umIktvCGSJOJcvNeOy9psQkDprskBhqHlQFz0jAsQSvIYfXhoTIOdS4VGak7O3w0yOThk9dGuZx90nVPgCOhC+I4T+TMY6dGE2A9xeVFd58nSV2YCtxv4MsfFGAWSGXBF6nMpNSina7/yepILCAq/g== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 204.77.163.244) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=garmin.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=garmin.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P6bsOYeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=sJe9FUoCUa6adUitXDkUAc9x/itvWtVJ1I5afgShyYmwBHgQz3/f6ggP5qfmcutdRX3UogZ81GzcfAx25a/EalNpOk6VAkZ70hJkbevk8iMlcIsJpIf8GV/aAAHI5hizbqcOYbbYSP/+FsYyA/y098GptHfO0kw2gp9TXPEv15Oe72LbzmYb+WcnFkkuL3MniTCQQK1ItQBezZvCJPEPsa4qWDgTt4jfIreGzIMJBhSdnpsi+1RJr7jCJbbKid7oCIUdWVdDL213WkF7p5IdySyaQG9cJY+s9saIfZlQTVx0qsRk4z3TysKo3xUECu/XiKx3fEEjMaf1TD5T3syUwg== Received: from BYAPR06CA0003.namprd06.prod.outlook.com (2603:10b6:a03:d4::16) by SA1PR04MB9803.namprd04.prod.outlook.com (2603:10b6:806:4a6::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4; Wed, 31 Dec 2025 15:36:19 +0000 Received: from SJ1PEPF00001CDD.namprd05.prod.outlook.com (2603:10b6:a03:d4:cafe::71) by BYAPR06CA0003.outlook.office365.com (2603:10b6:a03:d4::16) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9478.4 via Frontend Transport; Wed, 31 Dec 2025 15:36:18 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 204.77.163.244) smtp.mailfrom=garmin.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=garmin.com; Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C Received: from edgetransport.garmin.com (204.77.163.244) by SJ1PEPF00001CDD.mail.protection.outlook.com (10.167.242.5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4 via Frontend Transport; Wed, 31 Dec 2025 15:36:18 +0000 Received: from cv1wpa-exmb6.ad.garmin.com (10.5.144.76) by cv1wpa-edge1 (10.60.4.254) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Wed, 31 Dec 2025 09:36:14 -0600 Received: from cv1wpa-exmb2.ad.garmin.com (10.5.144.72) by cv1wpa-exmb6.ad.garmin.com (10.5.144.76) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.2.1748.26; Wed, 31 Dec 2025 09:36:15 -0600 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by CV1WPA-EXMB2.ad.garmin.com (10.5.144.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 31 Dec 2025 09:36:14 -0600 Received: from ola-jnrkg73.ad.garmin.com (10.5.209.17) by smtp.garmin.com (10.5.144.71) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 31 Dec 2025 09:36:14 -0600 From: "Colin McAllister" To: CC: Colin Pinnell McAllister Subject: [meta-webserver][scarthgap][PATCH 1/2] nginx: upgrade 1.25.4 -> 1.25.5 Date: Wed, 31 Dec 2025 09:36:06 -0600 Message-ID: <20251231153607.3978985-2-colin.mcallister@garmin.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251231153607.3978985-1-colin.mcallister@garmin.com> References: <20251231153607.3978985-1-colin.mcallister@garmin.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: SJ1PEPF00001CDD:EE_|SA1PR04MB9803:EE_ X-MS-Office365-Filtering-Correlation-Id: e2be7d30-8c34-4538-5fa0-08de488257b9 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|376014|36860700013|1800799024; X-Microsoft-Antispam-Message-Info: QrNLMNJED1ldMMxAyoXL2lmd4GHUunUyb2caLlRFU3fhBW8CbAAbxyi5OJOIT72HzUMEnj42mBCgxWgwuj5fH3LIGVgJk2eISlJV3C/rNPebiS4t3gnIEdw/dEcbe4gKaOZpdB7tVj1gby1W3G6n4XhUmz85zkBbZC+GvuKPJP53Jr3EyC3r9Fty731fXEvJlucI9Ig0lXfRAbJjPbwc6E2ITk1LnmKnV2x9ILMFaXwtT1HpqcWG8etre3Y6Ouo6uolu8SbzynqWlpahCGzaHelByJPu224iVi7BoCH+KQcnEAbJ2MQb4jcd3/jAxDvk0E3R9PFCYZR/w1i8U/RsALllAS66F8XHjKmmXUg6GUTgJ8DJiQ9BBNDT7CMOrqlNWm+UHz24Pd4Cfdg20vvmER3+INtNc+cIK5pw3LyMUTRfEr+jhgO8ZJwwAzrth7HJ5LJ1tTcJLbw9OOFDExiB/CyhsEueDhnAwy3Ks5OPA6AexMdalZmWfTwJk3rm/Ul22oRSlLPgwxpNLwLxN/Fz/UA5yxtHPk/yHpmXE+QSbecxyRo/eB60apQ53Idaks2FTBH+EXX8DXpwA6rP8IwijjnV5/b9DsZLToQA5lEKoKn0M3TVcYDYyrXOxEOAeDqZn4zN2xpNCC+AijIxs+RwIL715YcCU5t1rqJbd9KJU7lcEUSKlblYhixV0UEpmMchI1aLx1JZqozu53kZ7u+asYXkbuQotg+M04KwStTpd6sG5BgfSuMBv7tKNmXO98uMY/KJXmak6oUdLiTuTZ18gKHvNjybVTI5OQ51Xd1wOXTKMdZ+XDyaJzfK14A7wyKgQ8yBlPtKTTqSGhQvoQw5PgYOVyhnx2vdeYjLgnC0p81iNwMcyc8NdHjTN7eByL+3YRKiC1FKyzrprkNxtAkp64a/6Wua8uxHWFl67YU3J+pnKconZSdpk3FPil2+G2sxlgcypX3cH7J8a1yTZmE6pPDcen4LWG+/KRNKEtQH6nQOrYEnNDEwnsDrDkvQ6W8idpmxAax+mViab6iAu4mYCWajDmUGj4NFJqdKzpMD+AiLyZnXwLhPNbq4oxv5wAcgEQUR/ipVKi22u0JBlvuNs3pcL954rMZ2eTMlmt23wd5yqEPt1Ce2E03S0lYmT98CTeIOGhgAnDROUSgRQp3pTb7EIz8uIVoV9d0fG9RQOkw+wMng4JrnUg3tSCBB2WSxWiSSRhFnPJw/yt+TfXntaRcD+7cjIXihBEWzLKEOMqcNtEMA1uVp/SNc4psZxSUKGKG/L/OLBAc4SPbPknTZpwp7jIgGkQ/4VgEAbcQxIrYeVtMYzmRXs66QRFQVgU2vtI0GYaV5TLycOl2xxqwMziYFnLwBOk+RgG8oS7Jf45KN9fFc4qxN9NPeEr+d3M7XkGr0c+Ttq45/exLTreJoFvcv2YngHebVMQ/6+Z0Ic9KVHpGpsRRaeJ+uEplqKKmuiUw/wvfkQFr7F8/zCVRJvMduqhMovtNcBFQzoVW60Rsaib005rhvum7L4VgQ1LZrMPCkPUevI/m4WQrVQvFqC/sK17W73+TVtnd6nGpd+dQ= X-Forefront-Antispam-Report: CIP:204.77.163.244;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:edgetransport.garmin.com;PTR:extedge.garmin.com;CAT:NONE;SFS:(13230040)(82310400026)(376014)(36860700013)(1800799024);DIR:OUT;SFP:1102; X-OriginatorOrg: garmin.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Dec 2025 15:36:18.6334 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: e2be7d30-8c34-4538-5fa0-08de488257b9 X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com] X-MS-Exchange-CrossTenant-AuthSource: SJ1PEPF00001CDD.namprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA1PR04MB9803 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMjMxMDEzNiBTYWx0ZWRfXxwrdJI6lrwwa bQt9sa/b3kUtcxWSwWsNp1DlE+1M/+eLTowgEPpkhvcMcPXNdFk3mISPTQWnP0t+0lgxrKLPJEk l/n4mMzjzsO5l36BXcWDoaU2tQzd5tpS0OjfoVTXxNfciiSON6IDIu3eTu0q8/nRx9/EOovP0Pi xN7GOOO5caou1sWBlQJ7NTymgTf4wH/hmyI588ouvNLLbec7jP996w3rumoTOdlOygIEEWrRA1Q o3PUiTKEwU7ci18wfVzaLpyGKCmP6JfFaWNCIKkCHpG8PcXegIJ7xqTxE0N3zVrEO3vzuA8BNAM vmRyoKYkisBNMYrTwdkYFnK7DPJvMqIBrkO3fNeUiKySwpsE/hkkfuY9JuYXM5sVdGyZNoXbY82 IRYPogS3vfRm6ILIbQfUIaqp1JKEmqsPP5MHgCiIbv4gpjgsV6N8PYawWu2IVPvbT6EGMggrnTI LPaZAvJyakRwEU6qE4zwvsEbshOAfrhjcJCdHE28= X-Proofpoint-GUID: wQGfIK6j4kIzHt7vU6U7BjJ7WkxPjtdK X-Proofpoint-ORIG-GUID: wQGfIK6j4kIzHt7vU6U7BjJ7WkxPjtdK X-Authority-Analysis: v=2.4 cv=If+KmGqa c=1 sm=1 tr=0 ts=695542f5 cx=c_pps a=NPiivNiK8hhPJgysqx5tlQ==:117 a=YA0UzX50FYCGjWi3QxTvkg==:17 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=wP3pNCr1ah4A:10 a=qm69fr9Wx_0A:10 a=VkNPw1HP01LnGYTKEx00:22 a=9bLDTSi9AAAA:8 a=NbHB2C0EAAAA:8 a=b246G4cK6kZ7vuBO_y4A:9 cc=ntf X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-12-31_04,2025-12-31_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 adultscore=0 spamscore=0 impostorscore=0 suspectscore=0 clxscore=1011 phishscore=0 priorityscore=1501 bulkscore=0 lowpriorityscore=0 classifier=typeunknown authscore=0 authtc= authcc=notification route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2512120000 definitions=main-2512310136 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 31 Dec 2025 15:39:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123079 Changelog: ========== https://nginx.org/en/CHANGES *) Feature: virtual servers in the stream module. *) Feature: the ngx_stream_pass_module. *) Feature: the "deferred", "accept_filter", and "setfib" parameters of the "listen" directive in the stream module. *) Feature: cache line size detection for some architectures. *) Feature: support for Homebrew on Apple Silicon. *) Bugfix: Windows cross-compilation bugfixes and improvements. *) Bugfix: unexpected connection closure while using 0-RTT in QUIC. Signed-off-by: Colin Pinnell McAllister --- .../recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-webserver/recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} (74%) diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb similarity index 74% rename from meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb rename to meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb index 5ea2f5726e..b8ab1ef59e 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb @@ -6,5 +6,5 @@ DEFAULT_PREFERENCE = "-1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628" -SRC_URI[sha256sum] = "760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9" +SRC_URI[sha256sum] = "2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0" From patchwork Wed Dec 31 15:36:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin McAllister X-Patchwork-Id: 77839 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18FEAEE6457 for ; Wed, 31 Dec 2025 15:39:33 +0000 (UTC) Received: from mx0a-000eb902.pphosted.com (mx0a-000eb902.pphosted.com [205.220.165.212]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.87151.1767195379038499848 for ; Wed, 31 Dec 2025 07:36:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@garmin.com header.s=pps1 header.b=B++zASIN; dkim=pass header.i=@garmin.com header.s=selector2 header.b=Uuh9XF1n; spf=pass (domain: garmin.com, ip: 205.220.165.212, mailfrom: prvs=6460acd53d=colin.mcallister@garmin.com) Received: from pps.filterd (m0220294.ppops.net [127.0.0.1]) by mx0a-000eb902.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5BVDiDGl019659 for ; Wed, 31 Dec 2025 09:36:18 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=pps1; bh=Hk1ot VlVGCFJsSFx+HKHRzLfbPqas/b5ayXiXqkgfSQ=; b=B++zASIN1aeTtPEN9wIGO 0FtyBC5/2wL5d0e9LX3Obi5GOk2zo4ffR8Wq0TSwbGZvGTlXZLUQBwQBjSqpHAIa AJE9qeYqkVKdRiT3gAuxSCcBqSMLx4/Bn5AczDbnl3DPZ2EG/bs7/Jxztv9bQgkn QVSpa/wDmM2aN9Y8zxjrOTICUeYe7briw9wxjTo6KaWmJUwTIeWxed8fp/5Z9Ayb JRX7QLrnhzLLNaePlNxBDWjWvPlVJYy2oiR9M3CnttOho1Zxn6vk6crAABzVuzTi pv9nURXkgn/VheGtOMY5+vJpoE8XQTmfyY5ttpMPvGaelY1eKI7fIgyBHmdIiWwd g== Received: from sj2pr03cu001.outbound.protection.outlook.com (mail-westusazon11022141.outbound.protection.outlook.com [52.101.43.141]) by mx0a-000eb902.pphosted.com (PPS) with ESMTPS id 4bd19jrd9h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 31 Dec 2025 09:36:18 -0600 (CST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=H4z10Y8zVYAA1nraYvxOK2Orgzk9nHhSMac+kE9ZwR98t2/QQmPBQfSoiwdSYd+Qx31QIMQXWPoF/+bDlS+YdKpMRIB7WbXyzJqX/YdHfOQ1lc7oumWpFZqyD+y/ZgP/vlYLRu2mnSUjs15SDgnL+3pYJcnHGf8ELW4081qFn4vO6+B3RpVx4Dh7WZ0ojaL1WXRvtCxLezZ8HCQUPFIEE4MS7CaJLTy8euMCcUJElFKOmMpUfIC4JD4IpZTn3f+ociSj+3NohPYyP5ui5iuv7IEDZEyIP97b16z6CDOabgOMHy1mMFsK7YmR1K7FEbuRYu2NKXUuDl4T4n9y+PpYMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Hk1otVlVGCFJsSFx+HKHRzLfbPqas/b5ayXiXqkgfSQ=; b=YcHFjdoTppU1n1NWzmLT1ZiRFhruMqm9wcaBcPihvi4D+PPtu1RRl7NQlNLGvS6UTxYHemmT7CW70MWVqkzVEJozDdZQVcwSt4vkMkoznDwAXvdkqwDs6+kRQe9v1g6v4KFB9I82TtIblvalck6Wg9jlm5q0btyoLGAydmJHjzmywhMGoaN82PvJxFfShmfyONz+IO0g1E6BA8ene/8iXmAhojUSwhg36CsWIAnDFa832+C78iHSkIVrOyNOX9us2n1yPpFC1+ziLzyHYpyYpVgbiJwWjLVokSrSVL2m9xYefkj2t41jtRcqMElq7Tri427vCT8uY9aSJA0kDlvhUw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 204.77.163.244) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=garmin.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=garmin.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hk1otVlVGCFJsSFx+HKHRzLfbPqas/b5ayXiXqkgfSQ=; b=Uuh9XF1nj6zpO+swbXb+X089wNcSWkFNcZ8ZhXLJV9zD7ihLSYBjZT1KAV39ZG2vCI/uSuwUZM1/WhfCnq4ve9STSq3czi7apKsdZrFPAz/2aYotxAWaJdFUl6x1FkHObPiC2/YwUkS1mfXbEFjUmqhQDCkPF7IbL6TaGLRP5xfx+r0KRKgSdw63zQt4lMGSFxUpqb+rtRqtwi30IsXN6TUgc4MuDPDyuNG+gzAcx18iopwcKEdB1nHKahk3yS138oyRua/pAen59eDVgrgHmsfXpyBvAHhfhPpQP3Fl8IhOA5d+7fE7B6uJL5taA/WYViSRiGQmiX6Eg3CogAuuCA== Received: from MN2PR22CA0020.namprd22.prod.outlook.com (2603:10b6:208:238::25) by BY5PR04MB7043.namprd04.prod.outlook.com (2603:10b6:a03:223::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4; Wed, 31 Dec 2025 15:36:16 +0000 Received: from BL02EPF00021F6C.namprd02.prod.outlook.com (2603:10b6:208:238:cafe::c6) by MN2PR22CA0020.outlook.office365.com (2603:10b6:208:238::25) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9478.4 via Frontend Transport; Wed, 31 Dec 2025 15:36:16 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 204.77.163.244) smtp.mailfrom=garmin.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=garmin.com; Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C Received: from edgetransport.garmin.com (204.77.163.244) by BL02EPF00021F6C.mail.protection.outlook.com (10.167.249.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4 via Frontend Transport; Wed, 31 Dec 2025 15:36:16 +0000 Received: from cv1wpa-exmb6.ad.garmin.com (10.5.144.76) by cv1wpa-edge1 (10.60.4.252) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Wed, 31 Dec 2025 09:36:14 -0600 Received: from cv1wpa-exmb2.ad.garmin.com (10.5.144.72) by cv1wpa-exmb6.ad.garmin.com (10.5.144.76) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.2.1748.26; Wed, 31 Dec 2025 09:36:15 -0600 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by CV1WPA-EXMB2.ad.garmin.com (10.5.144.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.57; Wed, 31 Dec 2025 09:36:14 -0600 Received: from ola-jnrkg73.ad.garmin.com (10.5.209.17) by smtp.garmin.com (10.5.144.71) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Wed, 31 Dec 2025 09:36:14 -0600 From: "Colin McAllister" To: CC: Colin Pinnell McAllister Subject: [meta-webserver][scarthgap][PATCH 2/2] nginx: Fix CVE-2025-23419 for 1.25.5 Date: Wed, 31 Dec 2025 09:36:07 -0600 Message-ID: <20251231153607.3978985-3-colin.mcallister@garmin.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20251231153607.3978985-1-colin.mcallister@garmin.com> References: <20251231153607.3978985-1-colin.mcallister@garmin.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: BL02EPF00021F6C:EE_|BY5PR04MB7043:EE_ X-MS-Office365-Filtering-Correlation-Id: 85620dce-235d-4a94-a733-08de4882562d X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|82310400026|36860700013|376014; X-Microsoft-Antispam-Message-Info: LqLbm/Z7+sf+uanzkZC8yadK+Zh4qeAK3wiLcLAqFvP8rqjx4mhCtu2FfLFQB2LoFf1w3TtdY1sHIi2SvmBL8gBDVWP12qxQxC0B/Pk3SpDxMHm9AxddsBs7j9SndmG6vIvJLbNT/eueW6GR5j40V6yArdLbs4nwtpAWPqgx19xgRCRVEdG8vpKkXDQfRAjg5PzX2Af/0yaCEDYZm79/bF50jp7UuwsF6AfjWgwokRRT3inDVEjnLNRky1pbwJCKFHXXoQxE8jGb17smvNcLaBBMyGDfa22ys6NJK/HUFB+XPno/G1T9Jhv9vNH5ndQ2+ie36YqoJEoCHfTOTHNnM2CbGe+BPY/criZ0XmQapmpYMdcp9bT4ziM3CM0wees2YhofZX7MHlVHKhajHkgbHPa7FD2UoqR8PIr7mvNJSPsWNWAeqtPM98lASbIS/c5dL9JkJALY/iXiMpuDt7Nrv4roIYWkXiUxpqiUAoEXXInKrkJDY4mr4BpXoIqQ3MS7dLQh5QhazNeZjBhJPB/0+2yKRasR8+DO2tWPOOVVaVA4cNXPLnRcRNFVHLTCdn9q+T7p6FoU6LdsaDgobG+NzWDZ3xna4X9mGVR3jkIRrF2fsKNTWoA+1Xpl82ALwjEE+WwJHHSgGTnpMb8fGRB5DpblW3H2DRwb13ouXoXGWyJ+hh7AXZgQoMyur6Um1YDDdawdw7QmIBJgkOTQ56fwNDJjL8/ps2VN0i9SfIJyUTTrLOdUD9j37awQZlizT3ApyWo4Mv/gThmeqX0DhIrZwjCkuNqhyc4XX4HPUr/GcYoQ8ow5rChy0QPYzN25zn1kiwftn2YGH0UedLPV365jY+2SwNciLVILZVcBhXlMSyueEFBXJjl7202U8T6uFFJrrrdfj3z6ulF1/kIkkfgWhaB4VAZfDOh0eZ/5ra2RRsUAlWVFgeHwlJU4wIGYhdRuayyn4Z9i+DDXazngfWMerKTKUxpfHBRl5XaEGnuKIa8p/B2RxJ4wrAXwzR1MVr/uPDcH546ZLsixDe20OssaNylSO7J+nY9gvS20U3gCfXQKRMIDMYsF3E/yPgZ0EiYYK5VssqlWXYNfsLN4kptXZMZoE6L7CJZ5SDAtzKTXdOivWkyZINH0ur4tP/DFtOA/Z7C6f/bGO8EUKcV8tAtg+9OgvrNRApbSgqLIhadUCYXxWjLQXNvy+zmgwzm1y0TX4eQqyU19eLT7yg13SiqtOVSk2n9T0f1aB2mowtsr4ocyhIj9IdIA0jn8idx6QmycazQrjLAR+Rkx1IDOQd3F/LrPkAwQoo7A7aieVjXRZFuA9HIltLYpUgSOkXTFfCc8FLfhip3IbohdbqieCv7zdJhZhybx8Wau7e5y74Vwko4biUZW6l7aCsRsPW4uDZ41RhAT8ZnFmIO8pf+E2HMmE3zZOwWmCswTfhuDzHUs0PeJMJgnn9B5q2z4BUeCm9LIH7eVW5EFc1Zpkkg7bduGMDL6rnWYmBSe0TVnDtLqfs3f4/r4P6cIfh6vIQO/0WEO49Fv3Jxz8ZX9NesD76uwJimuLL75ci8luF90pjDC1l0= X-Forefront-Antispam-Report: CIP:204.77.163.244;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:edgetransport.garmin.com;PTR:extedge.garmin.com;CAT:NONE;SFS:(13230040)(1800799024)(82310400026)(36860700013)(376014);DIR:OUT;SFP:1102; X-OriginatorOrg: garmin.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 31 Dec 2025 15:36:16.0676 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 85620dce-235d-4a94-a733-08de4882562d X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com] X-MS-Exchange-CrossTenant-AuthSource: BL02EPF00021F6C.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR04MB7043 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMjMxMDEzNyBTYWx0ZWRfX3c8Pf6rm16bt 2VIcdAlXGbMy0QiG/LUyJcexsk3zEB+bMD6UGhXzKAOnEp7GnZh0sN8tLUzV3f+FpCq4aJS3tEG LzP8L7HGwDA0zUadGzSG7bYAPJ3kPBubMQAow8DrvNCdJcdHWMmYG8jlRkpzeF2ULnfAwNlZJqB EbBxRcv3xiHswl6b8/y2Y1P9JEeM0D9yzX4b8qPxGf1Vrnd2/Fz4IzYbDPaz3y4ZTpa09jyFO1l EP2CVQcu/JeGoLXnwT6acQEvuikxeASbNUHHGycBbJiJBHYU8GrupyTvzhW0v0JMaAtYqn3QETe uoTKm1AiZGiy7r5hEnmufQVqEb1/o+nd6+by+bWEhbi9WtNunek/DcjmQ07zBs5tAeSVlaNlQc4 tVTQsgebhRN4M8IF2DB9Mybigw+wYlAxGqY6V8ZsUKzHGCK0MH4vZcutUKLDQ4COu592O+eX6eu F5y470QQRvta08NsV9s6jf2837w6ShzO1z7ZidSQ= X-Proofpoint-GUID: MB2KUXLa0Cy0s0XeAQugZGVvnMEeMo35 X-Proofpoint-ORIG-GUID: MB2KUXLa0Cy0s0XeAQugZGVvnMEeMo35 X-Authority-Analysis: v=2.4 cv=J/ynLQnS c=1 sm=1 tr=0 ts=695542f2 cx=c_pps a=fy38adKFcSgT6GDlyky2Fw==:117 a=YA0UzX50FYCGjWi3QxTvkg==:17 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=wP3pNCr1ah4A:10 a=qm69fr9Wx_0A:10 a=VkNPw1HP01LnGYTKEx00:22 a=NEAV23lmAAAA:8 a=NbHB2C0EAAAA:8 a=L4EWI0dvAAAA:8 a=QIhr-27iAAAA:8 a=A1X0JdhQAAAA:8 a=pGYSgU9NIrG6GRB8l4gA:9 a=cgaYBWEFosGJW4rWv5Lf:22 cc=ntf X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-12-31_05,2025-12-31_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1011 suspectscore=0 bulkscore=0 malwarescore=0 adultscore=0 spamscore=0 impostorscore=0 lowpriorityscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc=notification route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2512120000 definitions=main-2512310137 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 31 Dec 2025 15:39:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123077 Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and 1.25.5. However, a unique patch is provided for 1.25.5 since the upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5. Signed-off-by: Colin Pinnell McAllister --- I'm not 100% sure if this is the best way to handle overriding the patch for 1.25.5. I figured this was better than having two patch files both in the files directory with nearly identical names. Please let me know if there is a better way to do this. .../nginx/nginx-1.25.5/CVE-2025-23419.patch | 119 ++++++++++++++++++ meta-webserver/recipes-httpd/nginx/nginx.inc | 1 + .../recipes-httpd/nginx/nginx_1.24.0.bb | 3 +- 3 files changed, 121 insertions(+), 2 deletions(-) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch new file mode 100644 index 0000000000..d1c5bd9b40 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch @@ -0,0 +1,119 @@ +From 2de0d3fd114e9d3d6a56bd7298aff8c637063509 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 22 Jan 2025 18:55:44 +0400 +Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session + resumption. + +In OpenSSL, session resumption always happens in the default SSL context, +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older +protocols, SSL_get_servername() returns values received in the resumption +handshake, which may be different from the value in the initial handshake. +Notably, this makes the restriction added in b720f650b insufficient for +sessions resumed with different SNI server name. + +Considering the example from b720f650b, previously, a client was able to +request example.org by presenting a certificate for example.org, then to +resume and request example.com. + +The fix is to reject handshakes resumed with a different server name, if +verification of client certificates is enabled in a corresponding server +configuration. + +CVE: CVE-2025-23419 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e] +Signed-off-by: Colin Pinnell McAllister +--- + src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++-- + src/stream/ngx_stream_ssl_module.c | 27 +++++++++++++++++++++++++-- + 2 files changed, 50 insertions(+), 4 deletions(-) + +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 3cca57cf5..9593b7fb5 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + goto error; +@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index ba444776a..6dee106de 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + s->srv_conf = cscf->ctx->srv_conf; + + ngx_set_connection_log(c, cscf->error_log); + +- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); +- + if (sscf->ssl.ctx) { + if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) { + goto error; +-- +2.52.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 945be05c6a..865d7f86ee 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -26,6 +26,7 @@ SRC_URI = " \ file://CVE-2024-7347-1.patch \ file://CVE-2024-7347-2.patch \ file://CVE-2025-53859.patch \ + file://CVE-2025-23419.patch \ " inherit siteinfo update-rc.d useradd systemd diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index ed18b6471d..e5666f6fe6 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -2,8 +2,7 @@ require nginx.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" -SRC_URI:append = " file://CVE-2023-44487.patch \ - file://CVE-2025-23419.patch" +SRC_URI:append = " file://CVE-2023-44487.patch" SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"