This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
- add it as runtime dependency to gnome-control-center because without it,
the file sharing options are hidden.
- configure the paths to fit to openembedded env
- add mod_dnssd runtime dependency for apache2 as this is a requirement
To enable the feature, PACKAGECONFIG httpd needs to be added.
This is not done by default to avoid apache2 runtime dependency just by
including this recipe.
NOTE: Apache2 httpd doesn't need to be running. It'll get
started and stopped on demand by systemd.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
currently this is chosen depending on machine at do_configure
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fixed a few minor oelint-adv warnings in the recipe
* placed all SRC_URI lines in one block
Tested on Raspberry PI 4
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Providing the http sub module feature. The module works as a filter which
replaces a specific character string in a response with another character
string.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Upstream-Status: Backport from [6ceef192e7]
WARNING: nginx-1.24.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-44487)
This vulnerability exists between the following versions -> From(including) 1.9.5 Up to(including) 1.25.2
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
https://nginx.org/en/CHANGES
*) Change: improved detection of misbehaving clients when using HTTP/2.
*) Feature: startup speedup when using a large number of locations.
Thanks to Yusuke Nojima.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 without SSL; the bug had appeared in 1.25.1.
*) Bugfix: the "Status" backend response header line with an empty
reason phrase was handled incorrectly.
*) Bugfix: memory leak during reconfiguration when using the PCRE2
library.
Thanks to ZhenZhong Wu.
*) Bugfixes and improvements in HTTP/3.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Note that patch 0011-modules... is no longer needed as it's included in
the upgrade as well.
CVE: CVE-2023-43622
Signed-off-by: Dylan Turner <dylan.turner@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The Markdown was, at least at github.com, displayed as a paragraph.
And it reads beter as a list.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There was a warning in the systemd journaling about it.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The netdata recipe does want to create a netdata group. So add it to the
static id for the reproducibility tests.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
[2023-07-14] — Xdebug 3.2.2
-Fixed bug #2175: Crash with EXC_BAD_ACCESS in xdebug_str_create
-Fixed bug #2180: Crash on extended SplFixedArray
-Fixed bug #2182: Segfault with ArrayObject on stack
-Fixed bug #2186: Segfault with trampoline functions and debugger activation
[2023-03-21] — Xdebug 3.2.1
-Fixed bug #2144: Xdebug 3.2.0 ignores xdebug.mode and enables all features
-Fixed bug #2145: Xdebug 3.2.0 crash PHP on Windows if xdebug.mode = off
-Fixed bug #2146: apache2 segfaulting with version 3.2.0 on PHP 8.0
-Fixed bug #2148: Icon for link to docs in xdebug_info() HTML output does not always render correctly
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This recipe sets the product name used for CVE checking to
"http_server". However, the cve-check logic matches that name to all
products in the CVE database regardless of vendor. Currently, it is
matching to products from vendors other than apache. As a result,
CVE checking incorrectly reports CVEs for those vendors' products for
this package.
Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
In version 301, the default bridge implementation was changed to Python.
Adjust recipe to build and install new Python bridge.
Old bridge implementation is still available and can be enabled using
'--enable-old-bridge' flag. Add PACKAGECONFIG option for old bridge.
New bridge shows minor regressions like networking graph not generated
correctly. Probably additional dependencies are missing.
For this reason, keep the old bridge enabled by default.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Non-existing variable was used as a prefix for 'cockpit-askpass'.
Fix the path, so the binary will be correctly installed
in 'cockpit-bridge' package.
Fortunately, even with incorrect path, this binary was "caught"
by the main 'cockpit' package, so it was always installed in the final
image.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libyaml dependency now required. See:
6ee42875c: Bundle libyaml
json-c also seems required now. If I don't enable it, I get compile errors.
compression and https options got renamed upstream to lz4 and openssl. See:
c74bf56ee: Code reorg and cleanup - enrichment of /api/v2
Signed-off-by: Sam Van Den Berge <sam.van.den.berge@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
In order to pass reproducible tests, recipes that use the
useradd class must have static ids configured.
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These are test images to build all recipes in layer. Renaming them makes
them refect what they are. Moreover we can rename the ptest images to
match OE-Core naming conventions for meta-oe/meta-perl/meta-python
Signed-off-by: Khem Raj <raj.khem@gmail.com>
These were essentially duplicates of core-image-minimal, however
core-image-base is a better baseline for upper layers, so switched the
consumers of these images to use core-image-base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Support --with-http_xslt_module configure option via a PACKAGECONFIG
option. The option is not added to the defaults.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Accepted was replaced with Backport in gatesgarth:
https://docs.yoctoproject.org/migration-guides/migration-3.2.html#miscellaneous-changes
* as detected with oe-core/scripts/contrib/patchreview.py:
meta-openembedded $ grep -A 3 Malformed *qa-patches
meta-gnome.qa-patches:Malformed Upstream-Status 'Malformed Upstream-Status in patch
meta-gnome.qa-patches-/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch
meta-gnome.qa-patches-Please correct according to https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status :
meta-gnome.qa-patches-Upstream-Status: Accepted [dc9701e187]' (/OE/layers/meta-openembedded/meta-gnome/recipes-gnome/gnome-tweaks/gnome-tweaks/0002-meson-fix-invalid-positional-argument.patch)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Apps (Applications tab) is an optional Cockpit Project package.
Make it also an optional package in recipe.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Packagekit (Software Updates tab) is an optional Cockpit Project
package. Make it also an optional package in recipe.
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
*) Feature: path MTU discovery when using HTTP/3.
*) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
HTTP/3.
*) Change: now nginx uses appname "nginx" when loading OpenSSL
configuration.
*) Change: now nginx does not try to load OpenSSL configuration if the
--with-openssl option was used to built OpenSSL and the OPENSSL_CONF
environment variable is not set.
*) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As per https://nvd.nist.gov/vuln/detail/CVE-2019-1010218, Cherokee uses
to use cherokee-project:cherokee_web_server.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
*) Feature: experimental HTTP/3 support.
License-Update: Copyright year updated to 2023.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The READMEs are often viewed from websites markdown format which is
much as readable as text and yet friendlier in browsers.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It has paths to compiler and assembler which are technically cross
compilers in OE. We do have these names symlinked on target too but
paths needs to be removed.
Fixes
WARNING: monkey-1.6.9-r0 do_package_qa: QA Issue: File /usr/include/monkey/mk_env.h in package monkey-dev contains reference to TMPDIR [buildpaths]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]
New patch:
0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch
Accepted in upstream, expected to be removed at next apache2 2.4.58 update.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
===========
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
had appeared in 1.23.3.
*) Bugfix: incorrect location might be chosen to process a request if a
prefix location longer than 255 characters was used in the
configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
short", "bad legacy version", "no shared signature algorithms", "bad
digest length", "missing sigalgs extension", "encrypted length too
long", "bad length", "bad key update", "mixed handshake and non
handshake data", "ccs received early", "data between ccs and
finished", "packet length too long", "too many warn alerts", "record
too small", and "got a fin before a ccs" SSL errors has been lowered
from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
"error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
information that the errors happened while logging to syslog.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
if we run opkg install nginx on our system (without systemd)
we end up getting the following message in the install process
$ opkg install nginx_1.20.1-r0_core2-64.ipk
...
//var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found
this confused some of my coworkers.
as installation also finishes correctly without sytemd-tmpfiles
and not having systemd-tempfiles is not really a problem, I think
we should redirect the message also to /dev/NULL
Signed-off-by: Khem Raj <raj.khem@gmail.com>
