From patchwork Fri Sep 12 20:08:13 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9064
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] nginx: Update to version 1.29.1
Date: Fri, 12 Sep 2025 22:08:13 +0200
Message-ID: <20250912200814.3489573-6-adolf.belka@ipfire.org>
In-Reply-To: <20250912200814.3489573-1-adolf.belka@ipfire.org>
References: <20250912200814.3489573-1-adolf.belka@ipfire.org>

- Update from version 1.26.2 to 1.29.1
- Update of rootfile not required
- One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0
- Changelog
    1.29.1
    *) Change: now TLSv1.3 certificate compression is disabled by default.
    *) Feature: the "ssl_certificate_compression" directive.
    *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
    *) Bugfix: the 103 response might be buffered when using HTTP/2 and the "early_hints" directive.
    *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9.
    *) Bugfix: in handling "Host" header lines with a port when using HTTP/3.
    *) Bugfix: nginx could not be built on NetBSD 10.0.
    *) Bugfix: in the "none" parameter of the "smtp_auth" directive.
    1.29.0
    *) Feature: support for response code 103 from proxy and gRPC backends; the "early_hints" directive.
    *) Feature: loading of secret keys from hardware tokens with OpenSSL provider.
    *) Feature: support for the "so_keepalive" parameter of the "listen" directive on macOS.
    *) Change: the logging level of SSL errors in a QUIC handshake has been changed from "error" to "crit" for critical errors, and to "info" for the rest; the logging level of unsupported QUIC transport parameters has been lowered from "info" to "debug".
    *) Change: the native nginx/Windows binary release is now built using Windows SDK 10.
    *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or ngx_http_v3_module modules were used.
    *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto optimization if ngx_http_v3_module was used.
    *) Bugfixes and improvements in HTTP/3.
    1.27.5
    *) Feature: CUBIC congestion control in QUIC connections.
    *) Change: the maximum size limit for SSL sessions cached in shared memory has been raised to 8192.
    *) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file", and "uwsgi_ssl_password_file" directives when loading SSL certificates and encrypted keys from variables; the bug had appeared in 1.23.1.
    *) Bugfix: in the $ssl_curve and $ssl_curves variables when using pluggable curves in OpenSSL.
    *) Bugfix: nginx could not be built with musl libc. Thanks to Piotr Sikora.
    *) Performance improvements and bugfixes in HTTP/3.
    1.27.4
    *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419).
    *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives.
    *) Feature: the "keepalive_min_timeout" directive.
    *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng.
    *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used.
    *) Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1.
    *) Bugfix: nginx now ignores QUIC version negotiation packets from clients.
    *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module.
    *) Bugfixes in HTTP/3.
    1.27.3
    *) Feature: the "server" directive in the "upstream" block supports the "resolve" parameter.
    *) Feature: the "resolver" and "resolver_timeout" directives in the "upstream" block.
    *) Feature: SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module.
    *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default.
    *) Change: an IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module.
    *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars.
    *) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD.
    *) Bugfix: in the "proxy_store" directive.
    1.27.2
    *) Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration.
    *) Feature: client certificate validation with OCSP in the stream module.
    *) Feature: OCSP stapling support in the stream module.
    *) Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module.
    *) Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information.
    *) Change: now the "ssl_client_certificate" directive is not required for client SSL certificates verification.
    1.27.1
    *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash (CVE-2024-7347). Thanks to Nils Bars.
    *) Change: now the stream module handler is not mandatory.
    *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old worker processes. Thanks to Kasei Wang.
    *) Bugfixes in HTTP/3.
    1.27.0
    *) Security: when using HTTP/3, processing of a specially crafted QUIC session might cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or might have potential other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161). Thanks to Nils Bars of CISPA.
    *) Feature: variables support in the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives.
    *) Bugfix: reduced memory consumption for long-lived requests if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
    *) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic option was used. Thanks to Edgar Bonet.
    *) Bugfixes in HTTP/3.

Signed-off-by: Adolf Belka
---
 lfs/nginx | 59 +++++++++++++++++++++++++++----------------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

diff --git a/lfs/nginx b/lfs/nginx
index 0468fed11..59b670c61 100644
--- a/lfs/nginx
+++ b/lfs/nginx
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config SUMMARY = A HTTP server and IMAP/POP3 proxy server -VER = 1.26.2 +VER = 1.29.1 THISAPP = nginx-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nginx -PAK_VER = 17 +PAK_VER = 18 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = f054deb47bf21bf963fedc8f980d29c92325bbfcb39c5a2cc67cce15add32036f0b771c7abac018ded6354a0df0850ed5843d26e0cf5d9577b70ca3fa89a206c +$(DL_FILE)_BLAKE2 = ab2f49ff5564fa45f86732e92abf8a43ce5f225cfcffcd66f40c7e35377525fe18a7760c1946e6e9f48e7fc07e99fdefa4ea5c19deae3cde00121aefa3d7cc14 install : $(TARGET) 
@@ -81,32 +81,31 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ - --prefix=/usr/share/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --sbin-path=/usr/sbin/nginx \ - --pid-path=/var/run/nginx.pid \ - --lock-path=/var/lock/nginx.lock \ - --http-client-body-temp-path=/var/spool/nginx/client_body_temp \ - --http-proxy-temp-path=/var/spool/nginx/proxy_temp \ - --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --user=nobody \ - --group=nobody \ - --with-mail \ - --with-mail_ssl_module \ - --with-http_ssl_module \ - --with-http_gunzip_module \ - --with-http_gzip_static_module \ - --with-http_random_index_module \ - --with-http_secure_link_module \ - --with-http_degradation_module \ - --with-http_stub_status_module \ - --with-http_dav_module \ - --with-http_sub_module \ - --with-http_v2_module \ - --with-pcre - + --prefix=/usr/share/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --sbin-path=/usr/sbin/nginx \ + --pid-path=/var/run/nginx.pid \ + --lock-path=/var/lock/nginx.lock \ + --http-client-body-temp-path=/var/spool/nginx/client_body_temp \ + --http-proxy-temp-path=/var/spool/nginx/proxy_temp \ + --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --user=nobody \ + --group=nobody \ + --with-mail \ + --with-mail_ssl_module \ + --with-http_ssl_module \ + --with-http_gunzip_module \ + --with-http_gzip_static_module \ + --with-http_random_index_module \ + --with-http_secure_link_module \ + --with-http_degradation_module \ + --with-http_stub_status_module \ + --with-http_dav_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-pcre cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install mkdir -p /var/log/nginx /var/spool/nginx
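Review bot: in the `VER` hunk (`@@ -25,7 +25,7 @@`), the jump from 1.26.2 to 1.29.1 crosses two default changes listed in the commit message, TLSv1/TLSv1.1 disabled by default since 1.27.3 and TLSv1.3 certificate compression disabled by default in 1.29.1; the message states that the rootfile is unchanged but not whether the shipped nginx.conf was checked against these new defaults (an explicit `ssl_protocols` line in the config would override the new protocol default either way). Please say in the commit message that the config was reviewed, or add a note if no change is needed.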
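Review bot: the `$(DL_FILE)_BLAKE2` hunk (`@@ -47,7 +47,7 @@`) swaps in a new 128-hex-digit checksum, but neither the patch nor its message records how the value was obtained, and this line is the only integrity check the build applies to the downloaded tarball. Please state that the digest was computed from a tarball checked against upstream's published signature rather than taken from a download alone, so a reviewer can distinguish a verified bump from a copied hash.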
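Review bot: the configure hunk (`@@ -81,32 +81,31 @@`) appears to change only leading whitespace on the 25 `--` option lines and to drop one blank line after `--with-pcre`; the option text is identical on the `-` and `+` sides, so no configure option is added or removed. That whitespace churn accounts for most of the 29 insertions/30 deletions and pushes the four substantive changes (copyright year, `VER`, `PAK_VER`, checksum) out of `git blame`; either split the re-indentation into its own cleanup commit or mention it explicitly in the commit message so it is not mistaken for a build-option change.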
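The `$(DL_FILE)_BLAKE2` line changed in the hunk above is the only integrity check the IPFire build performs on the downloaded nginx tarball. As an added example, not IPFire's own build code, the Python below reproduces that check stand-alone: it reads the declared digest out of LFS-style text and compares it with a BLAKE2b-512 digest of the file using a constant-time comparison, rejecting a missing or malformed digest line rather than silently passing. It assumes the digest is BLAKE2b-512 as produced by `b2sum` (the 128 hex characters on the page are consistent with that); the LFS excerpt and the stand-in tarball bytes are constructed here, with the digest value copied from the patch.

```python
"""Verify a source tarball against the BLAKE2 checksum recorded in an IPFire LFS
file. Added example, not IPFire's build code; assumes BLAKE2b-512 (b2sum default)."""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Constructed excerpt of an lfs/nginx file; the digest is the new value from the patch.
LFS_SAMPLE = """\
VER        = 1.29.1
THISAPP    = nginx-$(VER)
DL_FILE    = $(THISAPP).tar.gz
$(DL_FILE)_BLAKE2 = ab2f49ff5564fa45f86732e92abf8a43ce5f225cfcffcd66f40c7e35377525fe18a7760c1946e6e9f48e7fc07e99fdefa4ea5c19deae3cde00121aefa3d7cc14
"""

# Exactly 128 hex digits: a truncated or padded value must not be accepted.
_BLAKE2_LINE = re.compile(r"^\$\(DL_FILE\)_BLAKE2\s*=\s*([0-9a-fA-F]{128})\s*$", re.M)


def expected_blake2(lfs_text: str) -> str:
    """Return the BLAKE2b-512 digest declared in LFS text, lower-cased.
    Raises ValueError when no well-formed digest line is present."""
    m = _BLAKE2_LINE.search(lfs_text)
    if not m:
        raise ValueError("no well-formed $(DL_FILE)_BLAKE2 line found")
    return m.group(1).lower()


def blake2b_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.blake2b()  # digest_size defaults to 64 bytes (512 bits), matching b2sum
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(path, lfs_text: str) -> bool:
    """True only if the file's digest equals the declared one; comparison is
    constant-time so timing does not leak how many leading digits matched."""
    expected = expected_blake2(lfs_text)
    actual = blake2b_file(path)
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed stand-in for the tarball: verify it once intact and once after
    a single-byte change. Returns (intact_ok, tampered_ok) == (True, False)."""
    data = b"constructed stand-in for nginx-1.29.1.tar.gz\n" * 1024
    lfs_text = f"$(DL_FILE)_BLAKE2 = {hashlib.blake2b(data).hexdigest()}\n"
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "nginx-1.29.1.tar.gz"
        p.write_bytes(data)
        intact_ok = verify_tarball(p, lfs_text)
        p.write_bytes(data[:-1] + b"!")  # flip the last byte
        tampered_ok = verify_tarball(p, lfs_text)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print("declared digest:", expected_blake2(LFS_SAMPLE))
    print("intact, tampered:", demo())
```

The check only proves the tarball matches what the LFS file says; it says nothing about whether that digest was itself taken from a trustworthy copy, which is why the reviewer asks for the provenance of the new value to be recorded in the commit message.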