From patchwork Sun Jul 21 11:41:22 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7931
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] nginx: Update to version 1.26.1
Date: Sun, 21 Jul 2024 13:41:22 +0200
Message-ID: <20240721114122.3447601-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 1.24.0 to 1.26.1
- Update of rootfile not required
- Version 1.24.0 is now a legacy version, no longer being supported. Stable version has
   changed to 1.26.x series.
- Various CVE fixes in 1.26.1 and in 1.25.4, the development branch that became 1.26.0,
   that the legacy version 1.24.0 is also vulnerable to.
- Changelog
    1.26.1
    *) Security: when using HTTP/3, processing of a specially crafted QUIC
       session might cause a worker process crash, worker process memory
       disclosure on systems with MTU larger than 4096 bytes, or might have
       potential other impact (CVE-2024-32760, CVE-2024-31079,
       CVE-2024-35200, CVE-2024-34161).
    *) Bugfix: reduced memory consumption for long-lived requests if "gzip",
       "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
    *) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
       option was used.
    *) Bugfix: in HTTP/3.
    1.26.0
    *) 1.26.x stable branch.
    1.25.5
    *) Feature: virtual servers in the stream module.
    *) Feature: the ngx_stream_pass_module.
    *) Feature: the "deferred", "accept_filter", and "setfib" parameters of
       the "listen" directive in the stream module.
    *) Feature: cache line size detection for some architectures.
    *) Feature: support for Homebrew on Apple Silicon.
    *) Bugfix: Windows cross-compilation bugfixes and improvements.
    *) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
    1.25.4
    *) Security: when using HTTP/3 a segmentation fault might occur in a
       worker process while processing a specially crafted QUIC session
       (CVE-2024-24989, CVE-2024-24990).
    *) Bugfix: connections with pending AIO operations might be closed
       prematurely during graceful shutdown of old worker processes.
    *) Bugfix: socket leak alerts no longer logged when fast shutdown was
       requested after graceful shutdown of old worker processes.
    *) Bugfix: a socket descriptor error, a socket leak, or a segmentation
       fault in a worker process (for SSL proxying) might occur if AIO was
       used in a subrequest.
    *) Bugfix: a segmentation fault might occur in a worker process if SSL
       proxying was used along with the "image_filter" directive and errors
       with code 415 were redirected with the "error_page" directive.
    *) Bugfixes and improvements in HTTP/3.
    1.25.3
    *) Change: improved detection of misbehaving clients when using HTTP/2.
    *) Feature: startup speedup when using a large number of locations.
       Thanks to Yusuke Nojima.
    *) Bugfix: a segmentation fault might occur in a worker process when
       using HTTP/2 without SSL; the bug had appeared in 1.25.1.
    *) Bugfix: the "Status" backend response header line with an empty
       reason phrase was handled incorrectly.
    *) Bugfix: memory leak during reconfiguration when using the PCRE2
       library.
    *) Bugfixes and improvements in HTTP/3.
    1.25.2
    *) Feature: path MTU discovery when using HTTP/3.
    *) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
       HTTP/3.
    *) Change: now nginx uses appname "nginx" when loading OpenSSL
       configuration.
    *) Change: now nginx does not try to load OpenSSL configuration if the
       --with-openssl option was used to built OpenSSL and the OPENSSL_CONF
       environment variable is not set.
    *) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3. 1.25.1 *) Feature: the "http2" directive, which enables HTTP/2 on a per-server basis; the "http2" parameter of the "listen" directive is now deprecated. *) Change: HTTP/2 server push support has been removed. *) Change: the deprecated "ssl" directive is not supported anymore. *) Bugfix: in HTTP/3 when using OpenSSL. 1.25.0 *) Feature: experimental HTTP/3 support. Signed-off-by: Adolf Belka --- lfs/nginx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/nginx b/lfs/nginx index ef314a177..c344b2955 100644 --- a/lfs/nginx +++ b/lfs/nginx @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config SUMMARY = A HTTP server and IMAP/POP3 proxy server -VER = 1.24.0 +VER = 1.26.1 THISAPP = nginx-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nginx -PAK_VER = 15 +PAK_VER = 16 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 7f671c57666dec822bff72fcf0e4eec35ecf981b8f1e489827f9bbbf9179036f61c9fdc7e497c076ccaeb35b9ba3dfe7684e4fc91ee9cae52601f68859bb034d +$(DL_FILE)_BLAKE2 = 5df95f6771a93009f5bd1a4038857c29af580d18af841e8cffe073339578b3ae0492d3a4cc797cac03a1039096ac5206ed1fa01da11c98591bce2cc4b2d18679 install : $(TARGET)
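
Review bot: The `VER = 1.24.0` to `VER = 1.26.1` change in the second hunk jumps across the whole 1.25.x series, and the commit message confirms only that the rootfile is unchanged, not that existing configurations still load. The quoted 1.25.1 changelog says the deprecated "ssl" directive is no longer supported, HTTP/2 server push was removed, and the "http2" parameter of "listen" is now deprecated, so please state that the configuration used with this package was checked with `nginx -t` against 1.26.1, or call out the breaking changes for users. Also, every CVE in the quoted changelog is qualified with "when using HTTP/3", which the same changelog lists as first appearing (experimental) in 1.25.0; the message's statement that 1.24.0 is also vulnerable would be easier to rely on with a reference to the advisory it is based on.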
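
Review bot: The new `$(DL_FILE)_BLAKE2` value in the last hunk pins only whatever tarball is served from `$(URL_IPFIRE)` (the `DL_FROM` visible in the preceding hunk header), and nothing in the commit message says how nginx-1.26.1.tar.gz was checked before it was placed there. Suggest adding a line to the commit message stating that the archive was verified against the upstream release (for example its PGP signature) before the hash was computed, so the BLAKE2 sum has a documented chain back to upstream.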