From patchwork Mon Jan 5 18:06:05 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin McAllister X-Patchwork-Id: 78030 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E1A35C79FB8 for ; Mon, 5 Jan 2026 18:14:02 +0000 (UTC) Received: from mx0a-000eb902.pphosted.com (mx0a-000eb902.pphosted.com [205.220.165.212]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.70768.1767636394648311096 for ; Mon, 05 Jan 2026 10:06:34 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@garmin.com header.s=pps1 header.b=yCx4uXkE; dkim=pass header.i=@garmin.com header.s=selector2 header.b=ZLeeALsi; spf=pass (domain: garmin.com, ip: 205.220.165.212, mailfrom: prvs=6465f1319b=colin.mcallister@garmin.com) Received: from pps.filterd (m0220295.ppops.net [127.0.0.1]) by mx0a-000eb902.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 605H27Rp009435 for ; Mon, 5 Jan 2026 12:06:34 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=pps1; bh=P6bsO YeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=yCx4uXkEBvt+MTGAhPOOY 7G9V0aY7DDdWtE/30pR+IwurweGBzRvGuqH164uLgwaHCyqMxmyKgSBSUwCtZpAk 98YnHNPd0m5ANKcNmfIxQTcal+RlUeqwYqeF1U+T/2y6Se52Jg+CKeqytXfKho9P 3FK112jLPiy0bM3CfWCU68F/ydfM0lTwZ+NJaDLTorbl92JhC5QvInr3Qb56aOUI fgenYtKRNyVik7UF1yxA+4EOLrcd/9q4O5/5Bc6nn2Oo6ll2uyfKdt/6XShjhQAZ brnBUlJzjELleAS54a3Fu9v0RtTaXV6luwN3ZdfSpul3CzRI1VMAB8i0SMVVNUgQ A== Received: from cy7pr03cu001.outbound.protection.outlook.com (mail-westcentralusazon11020099.outbound.protection.outlook.com [40.93.198.99]) by mx0a-000eb902.pphosted.com (PPS) with ESMTPS id 4bexev3d75-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 05 Jan 2026 12:06:34 -0600 (CST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=kssKoPX8Rj09vOa041wBOyF9Z+IJqvxtgRoXR/SlD6Cjk/4Oh1qCXY8EyOtOmYvkwoO5Hk7QeSSjh7HcH/rH9aOm1EKvz+jCNiDgW8Vi8/3XuUFebrAfTS78ZivqP1CI1VuiATk3Kww8hDIfYtb0DdSj5p0QWj2qqJOeNZQ4lKFAHnyvIjQd0teW/6boOs+H/0UOJB1PuKUOqt0hPm2XL0bStWvCzV39fcopmMm+moNIaIRT7rmwy6GPxW/9nNA0cB4aVVrA3049d1GIpP0Xy+i5/pDaBnhkCZ0NPL26N1l1SHWAdIkoWJIBApNo4W0KdgPJF1oHnjwivtdvJNk5Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=P6bsOYeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=D5GnXcU5CHFgcuPKqJJ0ofxPYGwcu/hwTe4YvE4eKcAoHBNti5CFnWxZZwIUofs9ukFIGRLSm3juVswv92yrYM4v0h+q3oPKEIDD7mK3Yo7WSWxCsvGTWMvDzXbQJtH0n9Y6mpzBLBpy0/7RhO7aI+5XyLTndS5bqrhizTjypp9z4CwNJaIzAUWX/bMugR1sBsXn5hknCgTk168IeFohZcZWkc7z92LgTDmxh/5zWCsB3xTLFmI+lUhMg3ySC59WDS8BwvBpvFx/rj3Rg/VkNYfL51ILidHk63TwtDcqRQoMHY2lx9CJBqx6lxzGmTWeGeplrws5Dzkos7Ln5awvDw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 204.77.163.244) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=garmin.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=garmin.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=P6bsOYeXm3bBNawHYFNFu4PUTCpaxoCukXjn2RMZN7Y=; b=ZLeeALsiMoJkB3bGBJdSUEj2cTeKD9uH4HX5IuGJ7N0FGp5OhDDm6rbQKLavAtcfTKMKArlapYoOme86djF55PwD8zMe9uevwhJsHAMHNtsZqciP85RnefjVOGSHCHSrCmBpqRtv1v9DyEkeEJyIZPfrsx1XpNHFBDn83TKeqwWas5vFOTbKAzXTIFuzzca2AmQE2FdRI5vSLTQpynnzyEDwQBA1PKg+8binsJJ2mgLQxYoxaUR2nZQ2b2zeKI/z1Xu/I3n1XGy4PIfOQHAJFhwLYjR9zlamsZbm1wCqNqv+bHYdQtLCRcZWJB53xgANL1O/EnmODMjffDi1LJFcFQ== Received: from CH0PR13CA0050.namprd13.prod.outlook.com (2603:10b6:610:b2::25) by DS4PR04MB9746.namprd04.prod.outlook.com (2603:10b6:8:278::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4; Mon, 5 Jan 2026 18:06:28 +0000 Received: from DS2PEPF0000343D.namprd02.prod.outlook.com (2603:10b6:610:b2:cafe::2e) by CH0PR13CA0050.outlook.office365.com (2603:10b6:610:b2::25) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9499.1 via Frontend Transport; Mon, 5 Jan 2026 18:06:28 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 204.77.163.244) smtp.mailfrom=garmin.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=garmin.com; Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C Received: from edgetransport.garmin.com (204.77.163.244) by DS2PEPF0000343D.mail.protection.outlook.com (10.167.18.40) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9499.1 via Frontend Transport; Mon, 5 Jan 2026 18:06:28 +0000 Received: from KC3WPA-EXSE03.ad.garmin.com (10.65.32.86) by cv1wpa-edge1 (10.60.4.255) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Mon, 5 Jan 2026 12:06:08 -0600 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by KC3WPA-EXSE03.ad.garmin.com (10.65.32.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.2.2562.17; Mon, 5 Jan 2026 10:06:10 -0800 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by CV1WPA-EXMB1.ad.garmin.com (10.5.144.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.57; Mon, 5 Jan 2026 12:06:10 -0600 Received: from ola-jnrkg73.ad.garmin.com (10.5.209.17) by smtp.garmin.com (10.5.144.71) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Mon, 5 Jan 2026 12:06:10 -0600 From: "Colin McAllister" To: CC: Colin Pinnell McAllister Subject: [meta-webserver][scarthgap][PATCH v2 1/2] nginx: upgrade 1.25.4 -> 1.25.5 Date: Mon, 5 Jan 2026 12:06:05 -0600 Message-ID: <20260105180606.2192902-2-colin.mcallister@garmin.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105180606.2192902-1-colin.mcallister@garmin.com> References: <20251231153607.3978985-1-colin.mcallister@garmin.com> <20260105180606.2192902-1-colin.mcallister@garmin.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DS2PEPF0000343D:EE_|DS4PR04MB9746:EE_ X-MS-Office365-Filtering-Correlation-Id: 0173a9a0-fc3d-42ca-1276-08de4c8525ff X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|82310400026|1800799024|36860700013; X-Microsoft-Antispam-Message-Info: injwdydt+0zn0JFqlIhOSDoh0l+Z4SamW0Gg+bHDHRA87A1bmeCSALPUToQ8dmM8Xti8p3fKkT/cDh0Yciov4fgLFMjYX/O4BAFF27NK2VvsyYGNc6uldkBS5ahBnj83Mm3S6S5rCW+GLzL2FkxbNCJxw55Ul3Cfbhvj30mFSqUqvUiAMAxqezWz2dGePEqFJ8jZnXoXQSvQCJiJ0kR4xxwAIL/wx8UiAquWL7Vw2NdW54TkRDprgi6Tza8nnGfEwRUBmaVvTW5/XbG7YmJx74CD5FB1zuM2iaNZUHsdLEajNieRFgVmlnRkDGSomZI3MeUB+P2XNG1ZvM56myKU7FjDI0exZgk2KrKqoEJlc1DY2LUxRbZa07hERuU7dZqXsoyipDWp9Cy6REUP8VcY4JA+etUl9RQGkbVk/NCkOYHw6lf2Fi/O089ogk6737J7z/N2LLiECIUOmmCkwEXGQ2CnvZVKPJv+fF6SXioY8zZuUpVFKhtC5ArwThGqGhDWu2IuaGjpJL2OR+qjxtx7b8qpH/BgidqdRDSEHT4iMD9lRDjw5L5jtR9ct/9w6ljrihMApx3fKRiKO9VrpU5NyV81AK8e81lZ/qdYRao2WiwYvkdBvTAC5pDggiTJYrpqUWTNmbQ22KfNKnZ1CRFz8ZvSxKRlLcTY1GxPzJTSeaRNVemO2eQ+fPfWdlnbp4a8tFRD3IQneQOAumxgvaPMtj9XWFZQXYJpRZasiimnopQS1eLgZbxvy3sh0ylgbj+uURxGxnIMtfJnk1RbpEh1FTtCEpBxsbsYNitfuziz/Ano/AkilxYQYdEkBxbIdCdoTO0TA0FR7GNeaDcQQBEreK5Oj1EnU22GcraewQvhffsJKBmsdpvauRsFc1SU89UNQa1A/ITjFOKyjCzuaYTEXvVjNQA+TgHHQBkrBdywIhxTpyrk+PstfzLLoYIDKjtnhQTU/s379fBFD4273p7aJRqCnZhRabAdkcN42OwEYT2H9j0LAePYrNHbdNEzQCSXdXz2RaUcy5FxmbIZFfiCBJdpvg5ZZOCY/gvuLNQrpCPdpP987xoQWGm75g9zAcexyxYt7CLoB/avsgEypEa7phKzyCeCvn4H9qLpIBXrOzsuSFr+meNvF/rjvmG+2UuJ/uXrRLM+1D25WHvUywxwOxANohxVbwW7u5T74TK6A230psoATHmd3ZjhksHfyuhUP7/69YtG/rIMqgC8btQwTKSdXy4DHfJjR6oEbrKBfFnn+p5iveKEe9JICPQ7AwjayI8a19x0j3sgorEnteAG3BLG5AMeG/gz4DVwCFh4OxLYfGHaudLankF3Ka6AhDrqrixaIQ+c08O/dQ5annuFjMQb1qa0Hnpfx/MV2FePXqLa7jShpGVBIw50LdRUg7/xtiHPisuQfQTj+5BnQWNpurtMrzPaWWaLsQM+N/wT4GD18+i0dUWXvD3339G5PQz0u1FxmknTh9WNhejZk8u90eyV7MbBw6VrxPFal72FU372iBTB2abtk+6kSiddhYxz6ByfNyC8mX9jk7lsgHFa7YuQ+oaJL+If3C+lnv4OisY= X-Forefront-Antispam-Report: CIP:204.77.163.244;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:edgetransport.garmin.com;PTR:extedge.garmin.com;CAT:NONE;SFS:(13230040)(376014)(82310400026)(1800799024)(36860700013);DIR:OUT;SFP:1102; X-OriginatorOrg: garmin.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2026 18:06:28.2423 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 0173a9a0-fc3d-42ca-1276-08de4c8525ff X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com] X-MS-Exchange-CrossTenant-AuthSource: DS2PEPF0000343D.namprd02.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS4PR04MB9746 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTA1MDE1NyBTYWx0ZWRfXxJjXlDL9xoLA xKo4U9H6tP0WGcjxLl1qCUHGPKhC+tUwfrAmY6BzVFTLFl6q9OfCBZ5/R5drQUfn0SDrNzsE3bL mvdXNFSy08vHyhCAdT915nUeR8p5PNmA08L55PNVSQXUqidrtDsPtLUNbx8td1G1/1ifOdyHpOl 9LYy+6C+MyGNQVQrG+fpAP8NvMFbOLNUH53WGIxtuira7T2Y1ByLV1Wa7msIFWhBtmuSBUHyp8A A0jvA3nRxnzafwyHCONU3YbChkgw8rTYl26HzWjpiiHA5z3FpmATjZTA9eIKNhGFdwpAYXz7Mav zk4v4OuXAb5ay2cF0yQLSeCa/y6wynKd61hQI7odGF2WAv+HsYKf4aB3LL0HHsszLVWE/RnYed+ Csmsv05dAwF0sbH8XfAN4+kPOQFfWwXwIh/+KMFxkANpay+EHju0ebeaPOQ7DhzlIJyjpzf/SU3 CZovPUg0XkivLRz54nrNskuKSdB6xamajz6rbUDE= X-Proofpoint-ORIG-GUID: NssxrGTqVU8rSf4uET90aJ9DpLOkA8xY X-Authority-Analysis: v=2.4 cv=YJmSCBGx c=1 sm=1 tr=0 ts=695bfdaa cx=c_pps a=GknEWMF7HrfbFJOd498rxg==:117 a=YA0UzX50FYCGjWi3QxTvkg==:17 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=vUbySO9Y5rIA:10 a=qm69fr9Wx_0A:10 a=VkNPw1HP01LnGYTKEx00:22 a=9bLDTSi9AAAA:8 a=NbHB2C0EAAAA:8 a=b246G4cK6kZ7vuBO_y4A:9 cc=ntf X-Proofpoint-GUID: NssxrGTqVU8rSf4uET90aJ9DpLOkA8xY X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2026-01-05_01,2026-01-05_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 adultscore=0 clxscore=1015 bulkscore=0 priorityscore=1501 impostorscore=0 suspectscore=0 phishscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc=notification route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2512120000 definitions=main-2601050157 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 18:14:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123160 Changelog: ========== https://nginx.org/en/CHANGES *) Feature: virtual servers in the stream module. *) Feature: the ngx_stream_pass_module. *) Feature: the "deferred", "accept_filter", and "setfib" parameters of the "listen" directive in the stream module. *) Feature: cache line size detection for some architectures. *) Feature: support for Homebrew on Apple Silicon. *) Bugfix: Windows cross-compilation bugfixes and improvements. *) Bugfix: unexpected connection closure while using 0-RTT in QUIC. Signed-off-by: Colin Pinnell McAllister --- .../recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-webserver/recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} (74%) diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb similarity index 74% rename from meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb rename to meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb index 5ea2f5726e..b8ab1ef59e 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.25.4.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb @@ -6,5 +6,5 @@ DEFAULT_PREFERENCE = "-1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628" -SRC_URI[sha256sum] = "760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9" +SRC_URI[sha256sum] = "2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0" From patchwork Mon Jan 5 18:06:06 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin McAllister X-Patchwork-Id: 78031 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E38B2C79FB3 for ; Mon, 5 Jan 2026 18:14:02 +0000 (UTC) Received: from mx0a-000eb902.pphosted.com (mx0a-000eb902.pphosted.com [205.220.165.212]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.70668.1767636386637828245 for ; Mon, 05 Jan 2026 10:06:26 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@garmin.com header.s=pps1 header.b=0TLJjiRF; dkim=pass header.i=@garmin.com header.s=selector2 header.b=Xh5Wo0BT; spf=pass (domain: garmin.com, ip: 205.220.165.212, mailfrom: prvs=6465f1319b=colin.mcallister@garmin.com) Received: from pps.filterd (m0220296.ppops.net [127.0.0.1]) by mx0a-000eb902.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 605H2Bf6022921 for ; Mon, 5 Jan 2026 12:06:26 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=pps1; bh=r6PBl mSFiyMJHVesh0UGw9BbYjXuQIWFhqqv4Xs0BJg=; b=0TLJjiRFqXNmIvYNpqV7v 0+hjg7hZFtvL3fuxfphP1iRtt5aZBokhHHn8le8WTnkKtZfCMc+3DpBGafJu1hjf O72uhuZ3W9TvKYtI4nWHBy7c+N2Q0W6XwNJT47AAYxUFOuUs2MRncFyAy0BMesoN NGbWhubGNr0YcEy9jvv6AlOKu3Gjla97f7sJjewE3zknTkDd7/G1vQobQBuu5rX2 +a9ifOZQcGFw4SQQSA2YFeaczI/mN7eIHabJ3mX/M3lbN8oG9ZJn0YaJWylg7kgL NzF7nqo/IQgf1hrTCQWFBNHZZwc7COVFs2/yayhXR3ZMrM64gk9gE1SetGj+Bg3u A== Received: from ph8pr06cu001.outbound.protection.outlook.com (mail-westus3azon11022134.outbound.protection.outlook.com [40.107.209.134]) by mx0a-000eb902.pphosted.com (PPS) with ESMTPS id 4bgcbrrtk9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 05 Jan 2026 12:06:25 -0600 (CST) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=XomispF7EnOgYKlvd41KR3H6KrUaZ/6Vyf3fdqlYLCQce9aH+elYY6GIwUzDelGrBgrOguklXKAys4W436MXDEjtEfANN8trzzL/729e8tLQoZ3TFQelCMLSm0x5gR9JJ3M7f+WcDWgCM3eQiGnYhXYuxtnEaa9HD+xxPF4Wz3kkJl91tOeEfAbEgWvui+CPG5FsrlmQ844rOJ00T2MjHn3tOUsaoRCLFqXiCliBt2phPespKer1xzlIZ8y0UoJmkTL8uHApzaLoQyTcGediSQShbUzZrhNGS1eebC1KRowDPPt+ddOsVxLnYB/ja/AaWXiBqjDXSFtOpt6lSods1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r6PBlmSFiyMJHVesh0UGw9BbYjXuQIWFhqqv4Xs0BJg=; b=xg8f8PxeQmed7UrOMCUhJRUwYcfaouH1cx85C6PeYlkbTvvIYs/YroxS5a4MbkXWTZ2NAwvYO0ryjGiHbGmxR6WlsTJgx0kd1f0V5hLJdCnPNlrVs5C+iAyB2Xhlnlqdgo3z/R86MT/eKSPoqA9L7RHr3l+hcFGqG8fkHN+w9UTeP1qADqb5BHLJ72Z56tSMhHMjpfPmqBC4YYmWAnsc0oC2CV1OQpvXgyya+Ds3+xfBjaeuK/pqke6KYjawkOhMBJNZg/FS5bnzba6d1EUexaRth6KDMkBPDgCg9+muMtb+iNL8WbUgayc1f5GeeANkkyCioWsudDXGAdWwWyqYCQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 204.77.163.244) smtp.rcpttodomain=lists.openembedded.org smtp.mailfrom=garmin.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=garmin.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=garmin.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r6PBlmSFiyMJHVesh0UGw9BbYjXuQIWFhqqv4Xs0BJg=; b=Xh5Wo0BTYUQpc9JGUMzM/JGWVk96uIA3SdXV7d0OqyMu21Q6AcRHBFRchd8JOCAQeAKz351qMHMGvtVXJvMYC6gwPylTShhzWxfQcUQuNZWtTiz3bk+FC3Qi2is21jbNbRIWAbmukn8a2M45z3gIr/jhSUWtOIy1+RsW528NNFwZ29Kh/vkwNTk9+MTLzM+MRZoPSX0wKkmdyx0w4DJRl1f+8WXxlXnwVHrHeQg1nV5chgqnyoE7EVW32rDSo/0L1E5APZ9qS2IDRClWoSSkNeMLWlv6lj43rYM3BOt9+d6oiSPF7WR+aqsHSjjnlideoWVSFyCL3Ms1hSlWvCVMJQ== Received: from IA4P220CA0009.NAMP220.PROD.OUTLOOK.COM (2603:10b6:208:558::10) by BY5PR04MB6341.namprd04.prod.outlook.com (2603:10b6:a03:1e3::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9478.4; Mon, 5 Jan 2026 18:06:23 +0000 Received: from MN1PEPF0000F0E5.namprd04.prod.outlook.com (2603:10b6:208:558:cafe::c9) by IA4P220CA0009.outlook.office365.com (2603:10b6:208:558::10) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9478.4 via Frontend Transport; Mon, 5 Jan 2026 18:06:49 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 204.77.163.244) smtp.mailfrom=garmin.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=garmin.com; Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; pr=C Received: from edgetransport.garmin.com (204.77.163.244) by MN1PEPF0000F0E5.mail.protection.outlook.com (10.167.242.43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9499.1 via Frontend Transport; Mon, 5 Jan 2026 18:06:22 +0000 Received: from KC3WPA-EXSE03.ad.garmin.com (10.65.32.86) by cv1wpa-edge3 (10.60.4.253) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.2562.17; Mon, 5 Jan 2026 12:06:08 -0600 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by KC3WPA-EXSE03.ad.garmin.com (10.65.32.86) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.2.2562.17; Mon, 5 Jan 2026 10:06:10 -0800 Received: from cv1wpa-exmb1.ad.garmin.com (10.5.144.71) by CV1WPA-EXMB1.ad.garmin.com (10.5.144.71) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.57; Mon, 5 Jan 2026 12:06:10 -0600 Received: from ola-jnrkg73.ad.garmin.com (10.5.209.17) by smtp.garmin.com (10.5.144.71) with Microsoft SMTP Server id 15.1.2507.57 via Frontend Transport; Mon, 5 Jan 2026 12:06:10 -0600 From: "Colin McAllister" To: CC: Colin Pinnell McAllister Subject: [meta-webserver][scarthgap][PATCH v2 2/2] nginx: Fix CVE-2025-23419 for 1.25.5 Date: Mon, 5 Jan 2026 12:06:06 -0600 Message-ID: <20260105180606.2192902-3-colin.mcallister@garmin.com> X-Mailer: git-send-email 2.52.0 In-Reply-To: <20260105180606.2192902-1-colin.mcallister@garmin.com> References: <20251231153607.3978985-1-colin.mcallister@garmin.com> <20260105180606.2192902-1-colin.mcallister@garmin.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: MN1PEPF0000F0E5:EE_|BY5PR04MB6341:EE_ X-MS-Office365-Filtering-Correlation-Id: a5bc711c-6a58-4e56-ccc8-08de4c852273 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|36860700013|82310400026|376014|1800799024; X-Microsoft-Antispam-Message-Info: sZ6Gsav4vTAz1YM03xOyYsz/1GiX42geMSxeGmcdLVCLbu7lN0WBrDtDg5Sk5+lOs6VRG7wjUDWpRotgCbU5xLL/Bgihs6LPcTy+hCwTjyq55haa0dui6+qDP4F7z0w8NlQrHvUTpA0bfzLJuUtnF00de2m+b6AoEI8dj3fVEb7wxTzWthA4n+PuI7LXlNkMZb42tPQYa17y586AxNlQn2n4BZnGUnc27zahWshtWSBG990Q6cZhZnIubWrkvIp3vrrXf2udMJwsi6sdkOYVSXOgqwD1w7sjpE/1AW8Tsy/2oUoDCO5p06Bg/FwyR7HTnTXCqmzBMO03f4OrG0Ggekcr+diwc9BOJFi1YtxsqfU9dBB68Eg2XS80xiWk6mcxD/JXFivPlXbiaw5udO2t7QXp0v0yAZ5k59Hjv9iLAU2MjP/9+OFFo5rM1ug4amz1vFxjiWjVeOKPy0OfZkn4exaIou54yvTevrQGRir6PCBagoSO1r/lsVD7L7pY6CoYMyHiLrsGShZ7r9QwfUM4PBgeknFPBSPAyDoxFs7irIPX4oFQENuc6qRLO3BT8lNmiffc1Q5/BEJ7WpmGPyZ37FrvcX1zDQzy+1MuuudzkCaCfr4EeoZYxeZ6PcJDH+zwAFw1cNn+vkfxEHrVISKvPWbj79wqkRdYLAtuMLQe0QteobNZ0ApfPK5d4XjPkeC86i00q9LlzQdpNcwmEuT/taGz2P5QRDKlEBqq/aPCUHWTIBDWcC+Icf/WQi0peC0o1DAcDyqnQM3Zmm7WcfFSVf93kUuAQ5cZdH37kYQgGMahRj3MUTFRJLm+R0HCkUYL2uVycv5tu8pPGsVo6Te2yXUy7pmBNL88RNzC2JwGytKar3Dx/+ceci0YM6NxWkmu7+MhwrpLNRbqa/QVcHP0qT338d6hEtcCI4R/FnETIcq5fncaIG2zpd1sizy16DS8eUc2x0U4e3nQSGXdLxZWV4cMPUquxo8aUYRE6y8pQVSiRy7OGO9bWeiYyKSk3rdw35wwjNFuA/KDLD5cgHnBL2f1+czUbzw2DRid5m5rfQU3ZII7cRQ6+JCMybUFRLXfvzL+VKKBTT1vSPiuh6XVILwOxnuGgDybRhFeNowXYpRxqFCQ3fHUsyHaXY5Qnu39ehMPQ1sa+b50ZeSMCrCKvGVbkls5Ea7Tb08nK3h98VpPi8/DoiCVl2l6zfogvdh5TfxXfdOp+yfKGLVZEfTQE47Rn0jWkKrbt1dhB0a+7WqyzX1rswty24/IrFM3Ws8bmq8mm6FOCZNv/g+Pj1B1rgI1AEh5khYfRy/2wlfqjelMJC+HaMZpf/vXtYmKoj9+HnDqIUcjpBTCQ0gXit8Jd44ARFM0DfQa9uAvwOBTi2j5piRNtSYLR0qj8hl7Mq4EwCM7Dg5XS04aTAd+uKg4Yy4cBynKUlfeJYzgYtazNeES3f2y7Aq0BHEKX/3p5COqCCtTTrWbhFEZmKBccuU1YixBgLC2JWC7fjElnHfhZR33tROXXi3hUkgK7uBXeGue0h//embGKmImwMDUKtGGL04ULT9o9gTFQBR0ETdVkDg= X-Forefront-Antispam-Report: CIP:204.77.163.244;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:edgetransport.garmin.com;PTR:extedge.garmin.com;CAT:NONE;SFS:(13230040)(36860700013)(82310400026)(376014)(1800799024);DIR:OUT;SFP:1102; X-OriginatorOrg: garmin.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Jan 2026 18:06:22.4137 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: a5bc711c-6a58-4e56-ccc8-08de4c852273 X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com] X-MS-Exchange-CrossTenant-AuthSource: MN1PEPF0000F0E5.namprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR04MB6341 X-Authority-Analysis: v=2.4 cv=HqV72kTS c=1 sm=1 tr=0 ts=695bfda2 cx=c_pps a=RSKkSjVyZ2Ta+HBtYZh2RQ==:117 a=YA0UzX50FYCGjWi3QxTvkg==:17 a=6eWqkTHjU83fiwn7nKZWdM+Sl24=:19 a=vUbySO9Y5rIA:10 a=qm69fr9Wx_0A:10 a=VkNPw1HP01LnGYTKEx00:22 a=NEAV23lmAAAA:8 a=NbHB2C0EAAAA:8 a=L4EWI0dvAAAA:8 a=QIhr-27iAAAA:8 a=A1X0JdhQAAAA:8 a=h4Fn2-qSoU_DnPKFBV8A:9 a=cgaYBWEFosGJW4rWv5Lf:22 cc=ntf X-Proofpoint-ORIG-GUID: UrysdDmm3qJ1sM2u92DmwTRunMidToVx X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwMTA1MDE1NyBTYWx0ZWRfX+VHwFkJcV6Np bDu81q1MHJxZ4/xZYfrSIWnhXNi+QM7VykZQ2LNTBj6++2nH21BA2Y2z8bZiRbZGUYBqGvRh4fL Mp8CiN5LyA9f6unFsxZyovTnE0Wq8veA6v4Lw1aVY3LBVg3/MRToF+gQ3OXKpiLwaK2ldAe4rEk 4qSl1uvAvPoh1iq0ajcSDRiOMpB4Wq0vhav0agp6wFAdLAVPLIlt1hWu449JC0VWZv+1cx+BQfN Y9egkNBbko2qGSZXgUMyU9vlqEXCMLUA1wcGBJ4+6K34JGGqFMpIsKAcFixcFwDEUvFe9DquNPA H6GTxOuMuj+MO9xNBxtPI++zaRGypM8pzGJp/QBm/3lFNUaiPnmKQ5Jg6i7503UYa+PFfApfyLG faihkrFO+kXKMqehek1n3uWXGkKHJ9aiDn+WrC6z9ThPr2K4uVurq90LDw8KWJCUmuFbIZtPw2E p76Qy6xIwg1Vn3Kwvxw1/phOnf+iRXoYD5dVtguM= X-Proofpoint-GUID: UrysdDmm3qJ1sM2u92DmwTRunMidToVx X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2026-01-05_01,2026-01-05_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 malwarescore=0 bulkscore=0 phishscore=0 lowpriorityscore=0 suspectscore=0 adultscore=0 spamscore=0 priorityscore=1501 impostorscore=0 classifier=typeunknown authscore=0 authtc= authcc=notification route=outbound adjust=0 reason=mlx scancount=1 engine=8.21.0-2512120000 definitions=main-2601050157 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 05 Jan 2026 18:14:02 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/123158 Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and 1.25.5. However, a unique patch is provided for 1.25.5 since the upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5. Signed-off-by: Colin Pinnell McAllister Change-Id: Ia7b8e16067781776cf0a39fac757f8d25ac118fa --- Changes in v2: * Moved existing CVE-2025-23419.patch for 1.24.0 to "nginx-1.24.0" dir. .../CVE-2025-23419.patch | 0 .../nginx/nginx-1.25.5/CVE-2025-23419.patch | 119 ++++++++++++++++++ meta-webserver/recipes-httpd/nginx/nginx.inc | 1 + .../recipes-httpd/nginx/nginx_1.24.0.bb | 3 +- 4 files changed, 121 insertions(+), 2 deletions(-) rename meta-webserver/recipes-httpd/nginx/{files => nginx-1.24.0}/CVE-2025-23419.patch (100%) create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2025-23419.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2025-23419.patch similarity index 100% rename from meta-webserver/recipes-httpd/nginx/files/CVE-2025-23419.patch rename to meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2025-23419.patch diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch new file mode 100644 index 0000000000..d1c5bd9b40 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch @@ -0,0 +1,119 @@ +From 2de0d3fd114e9d3d6a56bd7298aff8c637063509 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 22 Jan 2025 18:55:44 +0400 +Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session + resumption. + +In OpenSSL, session resumption always happens in the default SSL context, +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older +protocols, SSL_get_servername() returns values received in the resumption +handshake, which may be different from the value in the initial handshake. +Notably, this makes the restriction added in b720f650b insufficient for +sessions resumed with different SNI server name. + +Considering the example from b720f650b, previously, a client was able to +request example.org by presenting a certificate for example.org, then to +resume and request example.com. + +The fix is to reject handshakes resumed with a different server name, if +verification of client certificates is enabled in a corresponding server +configuration. + +CVE: CVE-2025-23419 +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e] +Signed-off-by: Colin Pinnell McAllister +--- + src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++-- + src/stream/ngx_stream_ssl_module.c | 27 +++++++++++++++++++++++++-- + 2 files changed, 50 insertions(+), 4 deletions(-) + +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 3cca57cf5..9593b7fb5 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + goto error; +@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index ba444776a..6dee106de 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + s->srv_conf = cscf->ctx->srv_conf; + + ngx_set_connection_log(c, cscf->error_log); + +- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module); +- + if (sscf->ssl.ctx) { + if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) { + goto error; +-- +2.52.0 + diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index 945be05c6a..865d7f86ee 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -26,6 +26,7 @@ SRC_URI = " \ file://CVE-2024-7347-1.patch \ file://CVE-2024-7347-2.patch \ file://CVE-2025-53859.patch \ + file://CVE-2025-23419.patch \ " inherit siteinfo update-rc.d useradd systemd diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb index ed18b6471d..e5666f6fe6 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -2,8 +2,7 @@ require nginx.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" -SRC_URI:append = " file://CVE-2023-44487.patch \ - file://CVE-2025-23419.patch" +SRC_URI:append = " file://CVE-2023-44487.patch" SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"