Diffstat (limited to 'meta-webserver/recipes-httpd')
23 files changed, 328 insertions, 183 deletions
diff --git a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb index 040788609e..4dbf595c19 100644 --- a/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb +++ b/meta-webserver/recipes-httpd/apache-mod/apache-websocket_git.bb @@ -15,7 +15,7 @@ SRC_URI = "git://github.com/jchampio/apache-websocket.git;branch=master;protocol SRCREV = "0ee34c77fc78ff08fd548706300b80a7bc7874e4" -PV = "0.1.2+git${SRCPV}" +PV = "0.1.2+git" S = "${WORKDIR}/git" diff --git a/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb new file mode 100644 index 0000000000..5fac0a6ed4 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb @@ -0,0 +1,20 @@ +DESCRIPTION = "Avahi Module for Apache2." +HOMEPAGE = "https://0pointer.de/lennart/projects/mod_dnssd/" +LICENSE = "Apache-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" + +DEPENDS = "apache2 avahi" + +SRC_URI = "git://git.0pointer.de/mod_dnssd;protocol=git;branch=master" +SRCREV = "be2fb9f6158f800685de7a1bc01c39b6cf1fa12c" + +S = "${WORKDIR}/git" + +EXTRA_OECONF = "--disable-lynx" + +inherit autotools pkgconfig + +do_install() { + install -Dm755 ${S}/src/.libs/mod_dnssd.so ${D}${libexecdir}/apache2/modules/mod_dnssd.so +} + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-make_exports.awk-not-expose-the-path.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-make_exports.awk-not-expose-the-path.patch new file mode 100644 index 0000000000..78f23f0f2d --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-make_exports.awk-not-expose-the-path.patch 
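Review bot: `SRC_URI = "git://git.0pointer.de/mod_dnssd;protocol=git;branch=master"` in the new mod-dnssd_0.6.bb fetches over the plain git protocol, which is neither authenticated nor encrypted; the pinned SRCREV means a tampered fetch cannot yield different content without failing the commit-id check, but the transport is still weaker than what the other git-sourced recipes in this commit use (`protocol=https` for cherokee, monkey and sthttpd). If git.0pointer.de serves the repository over HTTPS, switch to `protocol=https` for consistency; if it does not, a one-line comment saying the host only offers git:// will save the next reviewer the same question. The hand-written `do_install()` also replaces the autotools install step with a single `install -Dm755 ${S}/src/.libs/mod_dnssd.so …`, which is fine if the module is the only wanted artifact, but a short comment on why the default install is bypassed would help.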
@@ -0,0 +1,32 @@ +From 5b5eae9cdf3bae91756c717349f2f33a31888f24 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 3 Aug 2022 12:35:16 +0800 +Subject: [PATCH] make_exports.awk: not expose the path + +Don't print the full path in the comment line. + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + build/make_exports.awk | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/build/make_exports.awk b/build/make_exports.awk +index 1cf0568..44d93c5 100644 +--- a/build/make_exports.awk ++++ b/build/make_exports.awk +@@ -47,7 +47,9 @@ function push(line) { + + function do_output() { + printf("/*\n") +- printf(" * %s\n", FILENAME) ++ file = FILENAME ++ sub("([^/]*[/])*", "", file) ++ printf(" * %s\n", file) + printf(" */\n") + + for (i = 0; i < stackptr; i++) { +-- +2.25.1 + diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch index 5d82919685..1abbe0c41f 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0004-apache2-log-the-SELinux-context-at-startup.patch @@ -1,4 +1,4 @@ -From 37699e9be04d83c5923644e298f400e077f76e85 Mon Sep 17 00:00:00 2001 +From e47cc405eadcbe37a579c375e824e20a5c53bfad Mon Sep 17 00:00:00 2001 From: Paul Eggleton <paul.eggleton@linux.intel.com> Date: Tue, 17 Jul 2012 11:27:39 +0100 Subject: [PATCH] Log the SELinux context at startup. @@ -14,10 +14,10 @@ Note: unlikely to be any interest in this upstream 2 files changed, 31 insertions(+) diff --git a/configure.in b/configure.in -index c799aec..76811e7 100644 +index 352711a..f58620f 100644 --- a/configure.in 
+++ b/configure.in -@@ -491,6 +491,11 @@ getloadavg +@@ -514,6 +514,11 @@ gettid dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -26,11 +26,11 @@ index c799aec..76811e7 100644 + APR_ADDTO(AP_LIBS, [-lselinux]) +]) + - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include <unistd.h> + if test $ac_cv_func_gettid = no; then + # On Linux before glibc 2.30, gettid() is only usable via syscall() + AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid, diff --git a/server/core.c b/server/core.c -index 3020090..8fef5fd 100644 +index 30b317e..81f145f 100644 --- a/server/core.c +++ b/server/core.c @@ -65,6 +65,10 @@ @@ -43,8 +43,8 @@ index 3020090..8fef5fd 100644 + /* LimitRequestBody handling */ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -5126,6 +5130,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */ +@@ -5139,6 +5143,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte } #endif @@ -73,6 +73,5 @@ index 3020090..8fef5fd 100644 return OK; } --- -2.25.1 - +-- +2.40.0 diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch index 3ff6894409..7163dc2b80 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/0007-apache2-allow-to-disable-selinux-support.patch @@ -11,10 +11,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/configure.in b/configure.in -index 76811e7..4df3ff3 100644 +index f58620f..b5971b7 100644 --- a/configure.in 
+++ b/configure.in -@@ -491,10 +491,16 @@ getloadavg +@@ -514,10 +514,16 @@ gettid dnl confirm that a void pointer is large enough to store a long integer APACHE_CHECK_VOID_PTR_LEN @@ -33,8 +33,8 @@ index 76811e7..4df3ff3 100644 + ]) +fi - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE + if test $ac_cv_func_gettid = no; then + # On Linux before glibc 2.30, gettid() is only usable via syscall() -- -2.25.1 +2.40.0 diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.53.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb index 8413f53790..b96e8b4e17 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.53.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.59.bb @@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0007-apache2-allow-to-disable-selinux-support.patch \ file://0008-Fix-perl-install-directory-to-usr-bin.patch \ file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://0001-make_exports.awk-not-expose-the-path.patch \ " SRC_URI:append:class-target = " \ @@ -26,7 +27,7 @@ SRC_URI:append:class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[sha256sum] = "d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63" +SRC_URI[sha256sum] = "ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323" S = "${WORKDIR}/httpd-${PV}" @@ -34,7 +35,7 @@ inherit autotools update-rc.d pkgconfig systemd update-alternatives DEPENDS = "openssl expat pcre apr apr-util apache2-native " -CVE_PRODUCT = "http_server" +CVE_PRODUCT = "apache:http_server" SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice" @@ -62,6 +63,7 @@ EXTRA_OECONF:class-target = "\ --with-berkeley-db=no \ --enable-info \ --enable-rewrite \ + --with-mpm=prefork \ --enable-mpms-shared \ ap_cv_void_ptr_lt_long=no \ ac_cv_have_threadsafe_pollset=no \ 
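Review bot: `--with-mpm=prefork` is added to EXTRA_OECONF:class-target without a comment, and it changes which MPM httpd selects by default (upstream's configure picks event where it can, as far as I recall), while `--enable-mpms-shared` on the next line still builds the others as loadable modules. Prefork is the non-threaded MPM, so this decides how the server scales under connection load, and mod_http2 does not serve h2 on prefork; whichever reason drove the choice (stability of third-party modules, a compatibility requirement), record it in the recipe, e.g. `# Default to the non-threaded prefork MPM; event/worker are still built as shared MPMs (--enable-mpms-shared)`. Without that note the next version bump is likely to drop the flag as a leftover.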
@@ -176,13 +178,25 @@ SYSTEMD_AUTO_ENABLE:${PN} = "enable" ALTERNATIVE:${PN}-doc = "htpasswd.1" ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1" -PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" +PACKAGES = "${PN}-utils ${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" CONFFILES:${PN} = "${sysconfdir}/${BPN}/httpd.conf \ ${sysconfdir}/${BPN}/magic \ ${sysconfdir}/${BPN}/mime.types \ ${sysconfdir}/${BPN}/extra/*" +FILES:${PN}-utils = "${bindir}/ab \ + ${bindir}/htdbm \ + ${bindir}/htdigest \ + ${bindir}/htpasswd \ + ${bindir}/logresolve \ + ${bindir}/httxt2dbm \ + ${sbindir}/htcacheclean \ + ${sbindir}/fcgistarter \ + ${sbindir}/checkgid \ + ${sbindir}/rotatelogs \ + " + # We override here rather than append so that .so links are # included in the runtime package rather than here (-dev) # and to get build, icons, error into the -dev package @@ -207,7 +221,7 @@ FILES:${PN} += "${datadir}/${BPN}/ ${libdir}/cgi-bin" FILES:${PN}-dbg += "${libdir}/${BPN}/modules/.debug" -RDEPENDS:${PN} += "openssl libgcc" +RDEPENDS:${PN} += "openssl libgcc ${PN}-utils" RDEPENDS:${PN}-scripts += "perl ${PN}" RDEPENDS:${PN}-dev = "perl" diff --git a/meta-webserver/recipes-httpd/apache2/files/apache2-volatile.conf b/meta-webserver/recipes-httpd/apache2/files/apache2-volatile.conf index ff2c587046..0852a8859a 100644 --- a/meta-webserver/recipes-httpd/apache2/files/apache2-volatile.conf +++ b/meta-webserver/recipes-httpd/apache2/files/apache2-volatile.conf @@ -1,2 +1,2 @@ -d /var/run/apache2 0755 root root - +d /run/apache2 0755 root root - d /var/log/apache2 0755 root root - diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee/0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch b/meta-webserver/recipes-httpd/cherokee/cherokee/0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch index f3be7c6e52..b16060f2a1 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee/0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch 
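Review bot: `RDEPENDS:${PN} += "openssl libgcc ${PN}-utils"` makes the new -utils split a no-op for image content: every image with apache2 still pulls in ab, htcacheclean, rotatelogs and the ht* tools, including the `ab` load generator, so the package boundary introduced in the `FILES:${PN}-utils` hunk above does not let anyone ship a smaller server image. If the split is meant to be optional, make it `RRECOMMENDS:${PN} += "${PN}-utils"` (or drop the dependency and let images pick the package), keeping in ${PN} only what the default httpd.conf actually invokes. Note also that the htpasswd manpage is managed via `ALTERNATIVE:${PN}-doc`; if the htpasswd binary is registered through `ALTERNATIVE:${PN}` outside this hunk, that entry has to move to `${PN}-utils` together with the file.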
+++ b/meta-webserver/recipes-httpd/cherokee/cherokee/0001-configure.ac-Add-foreign-to-AM_INIT_AUTOMAKE.patch @@ -7,6 +7,7 @@ Fixes errors like | Makefile.am: error: required file './README' not found | Makefile.am: error: required file './ChangeLog' not found +Upstream-Status: Pending Signed-off-by: Khem Raj <raj.khem@gmail.com> --- configure.ac | 2 +- diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee/0001-make-Do-not-build-po-files.patch b/meta-webserver/recipes-httpd/cherokee/cherokee/0001-make-Do-not-build-po-files.patch index d4c0b6e8c6..1d6a2182bd 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee/0001-make-Do-not-build-po-files.patch +++ b/meta-webserver/recipes-httpd/cherokee/cherokee/0001-make-Do-not-build-po-files.patch @@ -5,6 +5,7 @@ Subject: [PATCH] make: Do not build po files Target fails to build +Upstream-Status: Inappropriate [Cross-compile specific] Signed-off-by: Khem Raj <raj.khem@gmail.com> --- Makefile.am | 2 +- diff --git a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb index 7100ef4341..7763a31881 100644 --- a/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb +++ b/meta-webserver/recipes-httpd/cherokee/cherokee_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "unzip-native libpcre openssl mysql5 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}" SRCREV = "9a75e65b876bcc376cb6b379dca1f7ce4a055c59" -PV = "1.2.104+git${SRCPV}" +PV = "1.2.104+git" SRC_URI = "git://github.com/cherokee/webserver;branch=master;protocol=https \ file://cherokee.init \ file://cherokee.service \ @@ -75,3 +75,5 @@ python() { if 'meta-python2' not in d.getVar('BBFILE_COLLECTIONS').split(): raise bb.parse.SkipRecipe('Requires meta-python2 to be present.') } + +CVE_PRODUCT += "cherokee_web_server" 
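Review bot: `CVE_PRODUCT += "cherokee_web_server"` appends to the default product name (`${BPN}`, i.e. `cherokee`) rather than replacing it, so cve-check now matches on both names and neither carries a vendor, which widens the match to any vendor's product of that name. The apache2 recipe in this same commit uses the `vendor:product` form (`apache:http_server`); if the NVD entries for cherokee carry a vendor, prefer `CVE_PRODUCT = "<vendor-from-CPE>:cherokee_web_server"` here too (placeholder: take the vendor from the CPE string). If keeping the bare `cherokee` match is intentional, a comment saying so avoids the question on the next review.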
diff --git a/meta-webserver/recipes-httpd/monkey/files/0001-configure-Respect-LIBS-variable-from-env.patch b/meta-webserver/recipes-httpd/monkey/files/0001-configure-Respect-LIBS-variable-from-env.patch deleted file mode 100644 index 7a229513b6..0000000000 --- a/meta-webserver/recipes-httpd/monkey/files/0001-configure-Respect-LIBS-variable-from-env.patch +++ /dev/null @@ -1,29 +0,0 @@ -From b0526a9b5325bd4758dad8d14efd85c98ef2ebff Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Fri, 14 Jul 2017 18:25:23 -0700 -Subject: [PATCH] configure: Respect LIBS variable from env - -For musl we need to pass -lexecinfo from env -this change accomodates that - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - configure | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure b/configure -index 4286c34..f1c65db 100755 ---- a/configure -+++ b/configure -@@ -620,7 +620,7 @@ LIBDEFS = -DSHAREDLIB -fPIC \$(DEFS) - INCDIR = ./include - LDFLAGS = $LDFLAGS - DESTDIR = ../bin/monkey --LIBS = -ldl $libs -+LIBS = -ldl $libs ${LIBS} - OBJ = monkey.o mk_method.o mk_mimetype.o mk_vhost.o mk_request.o \\ - mk_header.o mk_config.o mk_signals.o \\ - mk_user.o mk_utils.o mk_epoll.o mk_scheduler.o \\ --- -2.13.3 - diff --git a/meta-webserver/recipes-httpd/monkey/files/0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch b/meta-webserver/recipes-httpd/monkey/files/0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch new file mode 100644 index 0000000000..f4bab49aa7 --- /dev/null +++ b/meta-webserver/recipes-httpd/monkey/files/0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch 
@@ -0,0 +1,30 @@ +From 7f724bbafbb1e170401dd5de201273ab8c8bc75f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sun, 28 Aug 2022 14:24:02 -0700 +Subject: [PATCH] fastcgi: Use value instead of address of sin6_port + +This seems to be wrongly assigned where ipv4 sin_port is +equated to address of sin6_port and not value of sin6_port + +Upstream-Status: Submitted [https://github.com/monkey/monkey/pull/375] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + plugins/fastcgi/fcgi_handler.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/plugins/fastcgi/fcgi_handler.c b/plugins/fastcgi/fcgi_handler.c +index 9e095e3c..e8e1eec1 100644 +--- a/plugins/fastcgi/fcgi_handler.c ++++ b/plugins/fastcgi/fcgi_handler.c +@@ -245,7 +245,7 @@ static inline int fcgi_add_param_net(struct fcgi_handler *handler) + struct sockaddr_in *s4 = (struct sockaddr_in *)&addr4; + memset(&addr4, 0, sizeof(addr4)); + addr4.sin_family = AF_INET; +- addr4.sin_port = &s->sin6_port; ++ addr4.sin_port = s->sin6_port; + memcpy(&addr4.sin_addr.s_addr, + s->sin6_addr.s6_addr + 12, + sizeof(addr4.sin_addr.s_addr)); +-- +2.37.2 + diff --git a/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb b/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb index fff406a3f2..ee5dc16198 100644 --- a/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb +++ b/meta-webserver/recipes-httpd/monkey/monkey_1.6.9.bb 
@@ -7,11 +7,13 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2ee41112a44fe7014dce33e26468ba93" SECTION = "net" -SRC_URI = "http://monkey-project.com/releases/1.6/monkey-${PV}.tar.gz \ +SRC_URI = "git://github.com/monkey/monkey;branch=1.6;protocol=https \ + file://0001-fastcgi-Use-value-instead-of-address-of-sin6_port.patch \ file://monkey.service \ file://monkey.init" -SRC_URI[sha256sum] = "f1122e89cda627123286542b0a18fcaa131cbe9d4f5dd897d9455157289148fb" +SRCREV = "7999b487fded645381d387ec0e057e92407b0d2c" +S = "${WORKDIR}/git" UPSTREAM_CHECK_URI = "https://github.com/monkey/monkey/releases" UPSTREAM_CHECK_REGEX = "v(?P<pver>\d+(\.\d+)+).tar.gz" @@ -37,6 +39,10 @@ inherit cmake pkgconfig update-rc.d systemd OECMAKE_GENERATOR = "Unix Makefiles" +do_configure:append() { + sed -i -e 's|${STAGING_BINDIR_TOOLCHAIN}/||g' ${S}/include/monkey/mk_env.h +} + do_install:append() { rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/run ${D}${localstatedir}/log rmdir --ignore-fail-on-non-empty ${D}${localstatedir} diff --git a/meta-webserver/recipes-httpd/nginx/files/0001-configure-libxslt-conf.patch b/meta-webserver/recipes-httpd/nginx/files/0001-configure-libxslt-conf.patch new file mode 100644 index 0000000000..7ba2a1fb85 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/0001-configure-libxslt-conf.patch 
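Review bot: PV stays at 1.6.9 (from the recipe file name) while SRC_URI now fetches a pinned commit from the 1.6 branch instead of the 1.6.9 release tarball; unless SRCREV is exactly the 1.6.9 tag, the package version no longer describes its content, and CVE matching against 1.6.9 is wrong in one direction or the other. The other git-sourced recipes touched in this commit use the `<version>+git` convention, so `PV = "1.6.9+git"` (with the file renamed to monkey_git.bb in a follow-up) would make the source of the code visible. The surviving context `UPSTREAM_CHECK_REGEX = "v(?P<pver>\d+(\.\d+)+).tar.gz"` still describes tarball names, which is harmless but worth a comment now that the tarball is gone.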
@@ -0,0 +1,39 @@ +From 0c3c669464a514cf8d0cac08282ecb2b486f440f Mon Sep 17 00:00:00 2001 +From: Joe Slater <joe.slater@windriver.com> +Date: Tue, 3 Oct 2023 19:21:17 +0000 +Subject: [PATCH] configure: libxslt conf + +Modify to find libxslt related include files under sysroot. + +Upstream-Status: Pending + +Signed-off-by: Joe Slater <joe.slater@windriver.com> +--- + auto/lib/libxslt/conf | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/auto/lib/libxslt/conf b/auto/lib/libxslt/conf +index 3063ac7..eb77886 100644 +--- a/auto/lib/libxslt/conf ++++ b/auto/lib/libxslt/conf +@@ -12,7 +12,7 @@ + #include <libxslt/xsltInternals.h> + #include <libxslt/transform.h> + #include <libxslt/xsltutils.h>" +- ngx_feature_path="/usr/include/libxml2" ++ ngx_feature_path="=/usr/include/libxml2" + ngx_feature_libs="-lxml2 -lxslt" + ngx_feature_test="xmlParserCtxtPtr ctxt = NULL; + xsltStylesheetPtr sheet = NULL; +@@ -100,7 +100,7 @@ fi + ngx_feature_name=NGX_HAVE_EXSLT + ngx_feature_run=no + ngx_feature_incs="#include <libexslt/exslt.h>" +- ngx_feature_path="/usr/include/libxml2" ++ ngx_feature_path="=/usr/include/libxml2" + ngx_feature_libs="-lexslt" + ngx_feature_test="exsltRegisterAll();" + . auto/feature +-- +2.35.5 + diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch deleted file mode 100644 index be42a1ed5e..0000000000 --- a/meta-webserver/recipes-httpd/nginx/files/CVE-2021-3618.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 6dafcdebde58577f4fcb190be46a0eb910cf1b96 Mon Sep 17 00:00:00 2001 -From: Maxim Dounin <mdounin@mdounin.ru> -Date: Wed, 19 May 2021 03:13:31 +0300 -Subject: [PATCH 1/1] Mail: max_errors directive. - -Similarly to smtpd_hard_error_limit in Postfix and smtp_max_unknown_commands -in Exim, specifies the number of errors after which the connection is closed. ---- end of original header --- - -CVE: CVE-2021-3618 - -Upstream-Status: Backport - https://github.com/nginx/nginx.git - commit 173f16f736c10eae46cd15dd861b04b82d91a37a - -Signed-off-by: Joe Slater <joe.slater@windriver.com> ---- - src/mail/ngx_mail.h | 3 +++ - src/mail/ngx_mail_core_module.c | 10 ++++++++++ - src/mail/ngx_mail_handler.c | 15 ++++++++++++++- - 3 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h -index b865a3b9..76cae37a 100644 ---- a/src/mail/ngx_mail.h -+++ b/src/mail/ngx_mail.h -@@ -115,6 +115,8 @@ typedef struct { - ngx_msec_t timeout; - ngx_msec_t resolver_timeout; - -+ ngx_uint_t max_errors; -+ - ngx_str_t server_name; - - u_char *file_name; -@@ -231,6 +233,7 @@ typedef struct { - ngx_uint_t command; - ngx_array_t args; - -+ ngx_uint_t errors; - ngx_uint_t login_attempt; - - /* used to parse POP3/IMAP/SMTP command */ -diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c -index 40831242..115671ca 100644 ---- a/src/mail/ngx_mail_core_module.c -+++ b/src/mail/ngx_mail_core_module.c -@@ -85,6 +85,13 @@ static ngx_command_t ngx_mail_core_commands[] = { - offsetof(ngx_mail_core_srv_conf_t, resolver_timeout), - NULL }, - -+ { ngx_string("max_errors"), -+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1, -+ ngx_conf_set_num_slot, -+ NGX_MAIL_SRV_CONF_OFFSET, -+ offsetof(ngx_mail_core_srv_conf_t, max_errors), -+ NULL }, -+ - ngx_null_command - }; - -@@ -163,6 +170,8 @@ ngx_mail_core_create_srv_conf(ngx_conf_t *cf) - cscf->timeout = NGX_CONF_UNSET_MSEC; - cscf->resolver_timeout = 
NGX_CONF_UNSET_MSEC; - -+ cscf->max_errors = NGX_CONF_UNSET_UINT; -+ - cscf->resolver = NGX_CONF_UNSET_PTR; - - cscf->file_name = cf->conf_file->file.name.data; -@@ -182,6 +191,7 @@ ngx_mail_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) - ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout, - 30000); - -+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5); - - ngx_conf_merge_str_value(conf->server_name, prev->server_name, ""); - -diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c -index 0aaa0e78..71b81512 100644 ---- a/src/mail/ngx_mail_handler.c -+++ b/src/mail/ngx_mail_handler.c -@@ -871,7 +871,20 @@ ngx_mail_read_command(ngx_mail_session_t *s, ngx_connection_t *c) - return NGX_MAIL_PARSE_INVALID_COMMAND; - } - -- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) { -+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) { -+ -+ s->errors++; -+ -+ if (s->errors >= cscf->max_errors) { -+ ngx_log_error(NGX_LOG_INFO, c->log, 0, -+ "client sent too many invalid commands"); -+ s->quit = 1; -+ } -+ -+ return rc; -+ } -+ -+ if (rc == NGX_IMAP_NEXT) { - return rc; - } - --- -2.25.1 - diff --git a/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch new file mode 100644 index 0000000000..2fc6a60f6f --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/files/CVE-2023-44487.patch 
@@ -0,0 +1,78 @@ +From 6ceef192e7af1c507826ac38a2d43f08bf265fb9 Mon Sep 17 00:00:00 2001 +From: Maxim Dounin <mdounin@mdounin.ru> +Date: Wed, 10 Jan 2024 18:52:11 +0000 +Subject: [PATCH] HTTP/2: per-iteration stream handling limit. + +To ensure that attempts to flood servers with many streams are detected +early, a limit of no more than 2 * max_concurrent_streams new streams per one +event loop iteration was introduced. This limit is applied even if +max_concurrent_streams is not yet reached - for example, if corresponding +streams are handled synchronously or reset. + +Further, refused streams are now limited to maximum of max_concurrent_streams +and 100, similarly to priority_limit initial value, providing some tolerance +to clients trying to open several streams at the connection start, yet +low tolerance to flooding attempts. + +Upstream-Status: Backport [https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9] +CVE: CVE-2023-44487 + +Signed-off-by: alperak <alperyasinak1@gmail.com> +--- + src/http/v2/ngx_http_v2.c | 15 +++++++++++++++ + src/http/v2/ngx_http_v2.h | 2 ++ + 2 files changed, 17 insertions(+) + +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index ea3f27c..1116e56 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -361,6 +361,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1321,6 +1322,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < 
NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1386,6 +1395,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index 4e25293..b9daf92 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -124,6 +124,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + ngx_uint_t pushing; diff --git a/meta-webserver/recipes-httpd/nginx/nginx.inc b/meta-webserver/recipes-httpd/nginx/nginx.inc index dfced33300..83ae90c40c 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx.inc +++ b/meta-webserver/recipes-httpd/nginx/nginx.inc @@ -22,6 +22,7 @@ SRC_URI = " \ file://nginx-volatile.conf \ file://nginx.service \ file://nginx-fix-pidfile.patch \ + file://0001-configure-libxslt-conf.patch \ " inherit siteinfo update-rc.d useradd systemd 
@@ -37,12 +38,18 @@ NGINX_USER ?= "www" EXTRA_OECONF = "" DISABLE_STATIC = "" -PACKAGECONFIG ??= "ssl" +PACKAGECONFIG ??= "ssl ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}" PACKAGECONFIG[gunzip] = "--with-http_gunzip_module,," PACKAGECONFIG[http2] = "--with-http_v2_module,," PACKAGECONFIG[ssl] = "--with-http_ssl_module,,openssl" PACKAGECONFIG[http-auth-request] = "--with-http_auth_request_module,," +PACKAGECONFIG[ipv6] = "--with-ipv6,," +PACKAGECONFIG[webdav] = "--with-http_dav_module,," +PACKAGECONFIG[stream] = "--with-stream,," +PACKAGECONFIG[http-sub-module] = "--with-http_sub_module,," + +PACKAGECONFIG[xslt] = "--with-http_xslt_module,,libxslt" do_configure () { if [ "${SITEINFO_BITS}" = "64" ]; then @@ -146,7 +153,7 @@ do_install () { pkg_postinst:${PN} () { if [ -z "$D" ]; then - if type systemd-tmpfiles >/dev/null; then + if type systemd-tmpfiles >/dev/null 2>&1; then systemd-tmpfiles --create elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then ${sysconfdir}/init.d/populate-volatile.sh update @@ -179,4 +186,5 @@ USERADD_PARAM:${PN} = " \ --system --no-create-home \ --home ${NGINX_WWWDIR} \ --groups www-data \ + --shell ${base_sbindir}/nologin \ --user-group ${NGINX_USER}" diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb deleted file mode 100644 index d686c627f2..0000000000 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.20.1.bb +++ /dev/null @@ -1,9 +0,0 @@ -require nginx.inc - -SRC_URI += "file://CVE-2021-3618.patch" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505" - -SRC_URI[md5sum] = "8ca6edd5076bdfad30a69c9c9b41cc68" -SRC_URI[sha256sum] = "e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49" - diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb deleted file mode 100644 index b69fd7dab0..0000000000 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb +++ /dev/null 
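Review bot: `PACKAGECONFIG[ipv6] = "--with-ipv6,,"` passes a configure option that nginx deprecated in 1.11.5, when IPv6 support became unconditional; on the 1.24.0 and 1.25.3 recipes added in this commit it only produces a deprecation warning from configure and cannot switch IPv6 off, so the new `ipv6` entry in `PACKAGECONFIG ??=` advertises a control that does not exist. Either drop the flag while keeping the DISTRO_FEATURES wiring harmless (`PACKAGECONFIG[ipv6] = ",,"`) or remove the entry and the `bb.utils.filter` term altogether. The `--shell ${base_sbindir}/nologin` addition for the service user in the last hunk of this file is a good hardening change and needs no further work.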
@@ -1,10 +0,0 @@ -require nginx.inc - -# 1.20.x branch is the current stable branch, the recommended default -# 1.21.x is the current mainline branches containing all new features -DEFAULT_PREFERENCE = "-1" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=206629dc7c7b3e87acb31162363ae505" - -SRC_URI[md5sum] = "7dce9e2136ec32dfd823736e871815b1" -SRC_URI[sha256sum] = "68ba0311342115163a0354cad34f90c05a7e8bf689dc498abf07899eda155560" diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb new file mode 100644 index 0000000000..e5666f6fe6 --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb @@ -0,0 +1,8 @@ +require nginx.inc + +LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" + +SRC_URI:append = " file://CVE-2023-44487.patch" + +SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" + diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.25.3.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.25.3.bb new file mode 100644 index 0000000000..d0371dd3cc --- /dev/null +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.25.3.bb @@ -0,0 +1,10 @@ +require nginx.inc + +# 1.24.x branch is the current stable branch, the recommended default +# 1.25.x is the current mainline branches containing all new features +DEFAULT_PREFERENCE = "-1" + +LIC_FILES_CHKSUM = "file://LICENSE;md5=79ad2eb837299421c4435dedc8897b3d" + +SRC_URI[sha256sum] = "64c5b975ca287939e828303fa857d22f142b251f17808dfe41733512d9cded86" + diff --git a/meta-webserver/recipes-httpd/sthttpd/sthttpd/0001-Define-_GNU_SOURCE-if-HAVE_SIGSET-is-set.patch b/meta-webserver/recipes-httpd/sthttpd/sthttpd/0001-Define-_GNU_SOURCE-if-HAVE_SIGSET-is-set.patch new file mode 100644 index 0000000000..a1783a7adb --- /dev/null +++ b/meta-webserver/recipes-httpd/sthttpd/sthttpd/0001-Define-_GNU_SOURCE-if-HAVE_SIGSET-is-set.patch 
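Review bot: nginx_1.25.3.bb carries no CVE-2023-44487 patch while nginx_1.24.0.bb appends `file://CVE-2023-44487.patch`, and nothing on the page says why. If 1.25.3 already contains the upstream change (the backport header names commit 6ceef192e7af1c507826ac38a2d43f08bf265fb9, which I believe landed before the 1.25.3 release), a comment in the 1.25.3 recipe such as `# CVE-2023-44487 (HTTP/2 rapid reset) is fixed upstream in this release` or a `CVE_STATUS` entry stops the next reader from applying the patch twice; if it does not, the mainline recipe is missing the fix. The deleted 1.20.1 and 1.21.1 recipes took the CVE-2021-3618 backport with them, which is consistent since the max_errors change is part of the newer releases.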
@@ -0,0 +1,51 @@ +From f3889e5870e9761ee6113fac7f38aa44cc43e46c Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Wed, 7 Sep 2022 00:30:52 -0700 +Subject: [PATCH] Define _GNU_SOURCE if HAVE_SIGSET is set + +This enforces using sigset() API which needs _GNU_SOURCE macro to be +defined + +Upstream-Status: Submitted [https://github.com/blueness/sthttpd/pull/16] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + src/libhttpd.c | 5 ++++- + src/thttpd.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/libhttpd.c b/src/libhttpd.c +index fa42c10..669be11 100644 +--- a/src/libhttpd.c ++++ b/src/libhttpd.c +@@ -25,9 +25,12 @@ + ** SUCH DAMAGE. + */ + +- + #include <config.h> + ++#ifdef HAVE_SIGSET ++#define _GNU_SOURCE ++#endif ++ + //system headers + #include <sys/types.h> + #include <sys/param.h> +diff --git a/src/thttpd.c b/src/thttpd.c +index ad97188..3c7a449 100644 +--- a/src/thttpd.c ++++ b/src/thttpd.c +@@ -28,6 +28,10 @@ + + #include <config.h> + ++#ifdef HAVE_SIGSET ++#define _GNU_SOURCE ++#endif ++ + //system headers + #include <sys/param.h> + #include <sys/types.h> +-- +2.37.3 + diff --git a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb index 4134a0e524..b40b148512 100644 --- a/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb +++ b/meta-webserver/recipes-httpd/sthttpd/sthttpd_2.27.1.bb @@ -8,6 +8,7 @@ DEPENDS += "base-passwd virtual/crypt" SRCREV = "2845bf5bff2b820d2336c8c8061cbfc5f271e720" SRC_URI = "git://github.com/blueness/${BPN};branch=master;protocol=https \ + file://0001-Define-_GNU_SOURCE-if-HAVE_SIGSET-is-set.patch \ file://thttpd.service \ file://thttpd.conf \ file://init" |
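Review bot: the `#define _GNU_SOURCE` is inserted after `#include <config.h>` in both src/libhttpd.c and src/thttpd.c. A feature-test macro must be defined before the first system header is included, and if config.h is ever generated with AC_USE_SYSTEM_EXTENSIONS it will already contain `#define _GNU_SOURCE 1`, which turns this bare `#define _GNU_SOURCE` into a conflicting redefinition. Guarding it inside the HAVE_SIGSET block (`#ifndef _GNU_SOURCE` / `#define _GNU_SOURCE` / `#endif`), or moving the definition into CPPFLAGS from configure, avoids both problems; that applies to the version submitted upstream as well as to the copy carried here.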