From 459c83435673c8b3e730e1037b9a2366fdfc1832 Mon Sep 17 00:00:00 2001 
From: Adolf Belka Date: Fri, 12 Sep 2025 22:08:13 +0200 Subject: [PATCH] nginx: Update to version 1.29.1 - Update from version 1.26.2 to 1.29.1 - Update of rootfile not required - One CVE fix in 1.27.4, one CVE fix in 1.27.1, four CVE fixes in 1.27.0 - Changelog 1.29.1 *) Change: now TLSv1.3 certificate compression is disabled by default. *) Feature: the "ssl_certificate_compression" directive. *) Feature: support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer. *) Bugfix: the 103 response might be buffered when using HTTP/2 and the "early_hints" directive. *) Bugfix: in handling "Host" and ":authority" header lines with equal values when using HTTP/2; the bug had appeared in 1.17.9. *) Bugfix: in handling "Host" header lines with a port when using HTTP/3. *) Bugfix: nginx could not be built on NetBSD 10.0. *) Bugfix: in the "none" parameter of the "smtp_auth" directive. 1.29.0 *) Feature: support for response code 103 from proxy and gRPC backends; the "early_hints" directive. *) Feature: loading of secret keys from hardware tokens with OpenSSL provider. *) Feature: support for the "so_keepalive" parameter of the "listen" directive on macOS. *) Change: the logging level of SSL errors in a QUIC handshake has been changed from "error" to "crit" for critical errors, and to "info" for the rest; the logging level of unsupported QUIC transport parameters has been lowered from "info" to "debug". *) Change: the native nginx/Windows binary release is now built using Windows SDK 10. *) Bugfix: nginx could not be built by gcc 15 if ngx_http_v2_module or ngx_http_v3_module modules were used. *) Bugfix: nginx might not be built by gcc 14 or newer with -O3 -flto optimization if ngx_http_v3_module was used. *) Bugfixes and improvements in HTTP/3. 1.27.5 *) Feature: CUBIC congestion control in QUIC connections. *) Change: the maximum size limit for SSL sessions cached in shared memory has been raised to 8192. 
*) Bugfix: in the "grpc_ssl_password_file", "proxy_ssl_password_file", and "uwsgi_ssl_password_file" directives when loading SSL certificates and encrypted keys from variables; the bug had appeared in 1.23.1. *) Bugfix: in the $ssl_curve and $ssl_curves variables when using pluggable curves in OpenSSL. *) Bugfix: nginx could not be built with musl libc. Thanks to Piotr Sikora. *) Performance improvements and bugfixes in HTTP/3. 1.27.4 *) Security: insufficient check in virtual servers handling with TLSv1.3 SNI allowed to reuse SSL sessions in a different virtual server, to bypass client SSL certificates verification (CVE-2025-23419). *) Feature: the "ssl_object_cache_inheritable", "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache", and "uwsgi_ssl_certificate_cache" directives. *) Feature: the "keepalive_min_timeout" directive. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. *) Bugfix: nginx could not build libatomic library using the library sources if the --with-libatomic=DIR option was used. *) Bugfix: QUIC connection might not be established when using 0-RTT; the bug had appeared in 1.27.1. *) Bugfix: nginx now ignores QUIC version negotiation packets from clients. *) Bugfix: nginx could not be built on Solaris 10 and earlier with the ngx_http_v3_module. *) Bugfixes in HTTP/3. 1.27.3 *) Feature: the "server" directive in the "upstream" block supports the "resolve" parameter. *) Feature: the "resolver" and "resolver_timeout" directives in the "upstream" block. *) Feature: SmarterMail specific mode support for IMAP LOGIN with untagged CAPABILITY response in the mail proxy module. *) Change: now TLSv1 and TLSv1.1 protocols are disabled by default. 
*) Change: an IPv6 address in square brackets and no port can be specified in the "proxy_bind", "fastcgi_bind", "grpc_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives, and as client address in ngx_http_realip_module. *) Bugfix: in the ngx_http_mp4_module. Thanks to Nils Bars. *) Bugfix: the "so_keepalive" parameter of the "listen" directive might be handled incorrectly on DragonFly BSD. *) Bugfix: in the "proxy_store" directive. 1.27.2 *) Feature: SSL certificates, secret keys, and CRLs are now cached on start or during reconfiguration. *) Feature: client certificate validation with OCSP in the stream module. *) Feature: OCSP stapling support in the stream module. *) Feature: the "proxy_pass_trailers" directive in the ngx_http_proxy_module. *) Feature: the "ssl_client_certificate" directive now supports certificates with auxiliary information. *) Change: now the "ssl_client_certificate" directive is not required for client SSL certificates verification. 1.27.1 *) Security: processing of a specially crafted mp4 file by the ngx_http_mp4_module might cause a worker process crash (CVE-2024-7347). Thanks to Nils Bars. *) Change: now the stream module handler is not mandatory. *) Bugfix: new HTTP/2 connections might ignore graceful shutdown of old worker processes. Thanks to Kasei Wang. *) Bugfixes in HTTP/3. 1.27.0 *) Security: when using HTTP/3, processing of a specially crafted QUIC session might cause a worker process crash, worker process memory disclosure on systems with MTU larger than 4096 bytes, or might have potential other impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161). Thanks to Nils Bars of CISPA. *) Feature: variables support in the "proxy_limit_rate", "fastcgi_limit_rate", "scgi_limit_rate", and "uwsgi_limit_rate" directives. *) Bugfix: reduced memory consumption for long-lived requests if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used. 
*) Bugfix: nginx could not be built by gcc 14 if the --with-libatomic option was used. Thanks to Edgar Bonet. *) Bugfixes in HTTP/3.
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
 lfs/nginx | 59 +++++++++++++++++++++++++++----------------------------
 1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/lfs/nginx b/lfs/nginx
index 0468fed11..59b670c61 100644
--- a/lfs/nginx
+++ b/lfs/nginx
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2024 IPFire Team #
+# Copyright (C) 2007-2025 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -25,7 +25,7 @@ include Config
 SUMMARY = A HTTP server and IMAP/POP3 proxy server
-VER = 1.26.2
+VER = 1.29.1
 THISAPP = nginx-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = nginx
-PAK_VER = 17
+PAK_VER = 18
 DEPS =
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = f054deb47bf21bf963fedc8f980d29c92325bbfcb39c5a2cc67cce15add32036f0b771c7abac018ded6354a0df0850ed5843d26e0cf5d9577b70ca3fa89a206c
+$(DL_FILE)_BLAKE2 = ab2f49ff5564fa45f86732e92abf8a43ce5f225cfcffcd66f40c7e35377525fe18a7760c1946e6e9f48e7fc07e99fdefa4ea5c19deae3cde00121aefa3d7cc14
 install : $(TARGET)
@@ -81,32 +81,31 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
 cd $(DIR_APP) && ./configure \
- --prefix=/usr/share/nginx \
- --conf-path=/etc/nginx/nginx.conf \
- --sbin-path=/usr/sbin/nginx \
- --pid-path=/var/run/nginx.pid \
- --lock-path=/var/lock/nginx.lock \
- --http-client-body-temp-path=/var/spool/nginx/client_body_temp \
- --http-proxy-temp-path=/var/spool/nginx/proxy_temp \
- --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
- --http-log-path=/var/log/nginx/access.log \
- --error-log-path=/var/log/nginx/error.log \
- --user=nobody \
- --group=nobody \
- --with-mail \
- --with-mail_ssl_module \
- --with-http_ssl_module \
- --with-http_gunzip_module \
- --with-http_gzip_static_module \
- --with-http_random_index_module \
- --with-http_secure_link_module \
- --with-http_degradation_module \
- --with-http_stub_status_module \
- --with-http_dav_module \
- --with-http_sub_module \
- --with-http_v2_module \
- --with-pcre
-
+ --prefix=/usr/share/nginx \
+ --conf-path=/etc/nginx/nginx.conf \
+ --sbin-path=/usr/sbin/nginx \
+ --pid-path=/var/run/nginx.pid \
+ --lock-path=/var/lock/nginx.lock \
+ --http-client-body-temp-path=/var/spool/nginx/client_body_temp \
+ --http-proxy-temp-path=/var/spool/nginx/proxy_temp \
+ --http-fastcgi-temp-path=/var/spool/nginx/fastcgi_temp \
+ --http-log-path=/var/log/nginx/access.log \
+ --error-log-path=/var/log/nginx/error.log \
+ --user=nobody \
+ --group=nobody \
+ --with-mail \
+ --with-mail_ssl_module \
+ --with-http_ssl_module \
+ --with-http_gunzip_module \
+ --with-http_gzip_static_module \
+ --with-http_random_index_module \
+ --with-http_secure_link_module \
+ --with-http_degradation_module \
+ --with-http_stub_status_module \
+ --with-http_dav_module \
+ --with-http_sub_module \
+ --with-http_v2_module \
+ --with-pcre
 cd $(DIR_APP) && make $(MAKETUNING)
 cd $(DIR_APP) && make install
 mkdir -p /var/log/nginx /var/spool/nginx
-- 
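Review bot: The commit message counts six CVE fixes, but the configure option list re-added on the new side enables neither ngx_http_v3_module nor ngx_http_mp4_module, so the four HTTP/3 CVEs fixed in 1.27.0 and the mp4 CVE-2024-7347 fixed in 1.27.1 never affected this build as configured; of the listed fixes only CVE-2025-23419 (TLSv1.3 SNI session reuse, 1.27.4) applies here, since ngx_http_ssl_module is enabled, and that is worth stating explicitly in the commit message. The removed and added option lines appear to differ only in indentation, which makes the hunk read like a change to the configure flags when there is none; a one-line mention that the block was only re-indented would save reviewers a side-by-side comparison. Operators carrying an existing nginx.conf should also be told that, per the changelog quoted in the commit, 1.27.3 disables TLSv1 and TLSv1.1 by default, so a configuration that relied on those protocols changes behaviour after this update. The $(TARGET) recipe continues past the end of the hunk.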
2.47.3