Changelog:
===========
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
had appeared in 1.23.3.
*) Bugfix: incorrect location might be chosen to process a request if a
prefix location longer than 255 characters was used in the
configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
short", "bad legacy version", "no shared signature algorithms", "bad
digest length", "missing sigalgs extension", "encrypted length too
long", "bad length", "bad key update", "mixed handshake and non
handshake data", "ccs received early", "data between ccs and
finished", "packet length too long", "too many warn alerts", "record
too small", and "got a fin before a ccs" SSL errors has been lowered
from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
"error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
information that the errors happened while logging to syslog.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
if we run opkg install nginx on our system (without systemd)
we end up getting the following message in the install process
$ opkg install nginx_1.20.1-r0_core2-64.ipk
...
//var/lib/opkg/info/nginx.postinst: line 3: type: systemd-tmpfiles: not found
this confused some of my coworkers.
as installation also finishes correctly without sytemd-tmpfiles
and not having systemd-tempfiles is not really a problem, I think
we should redirect the message also to /dev/NULL
Signed-off-by: Khem Raj <raj.khem@gmail.com>
CVE-2021-3618.patch
removed since it's included in 1.23.3
Changelog:
==========
*) Bugfix: an error might occur when reading PROXY protocol version 2
header with large number of TLVs.
*) Bugfix: a segmentation fault might occur in a worker process if SSI
was used to process subrequests created by other modules.
Thanks to Ciel Zhao.
*) Workaround: when a hostname used in the "listen" directive resolves
to multiple addresses, nginx now ignores duplicates within these
addresses.
*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
connections to backends were used.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
- rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated.
- mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
- mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers.
- mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer.
- MDChallengeDns01 can now be configured for individual domains.
- Fixed a bug that caused the challenge
teardown not being invoked as it should.
- mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
- mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* monkey-project.com doesn't resolve anymore
* use v1.6.9 tag from github
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Split out apache2-utils so this small package could be used by
other packages. For example, htpasswd could be used by docker-registry.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Do note that some collectors (a.k.a. plugins) moved from Python to
Go. And Go is not (yet) part of this recipe.
More info at https://github.com/netdata/netdata/releases/tag/v1.35.0
under 'Deprecated in this release'
The patch should be handled by recoding upstream.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
0004-apache2-log-the-SELinux-context-at-startup.patch
refresh for new version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.54
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
* Removed support for Microsoft Internet Explorer
* Requires PHP 7.2 or newer
* Requires the openssl PHP extension
* Improved handling of system CA bundle and cacert.pem, falling back to Mozilla CA if needed
* Replace "master/slave" terms with "primary/replica"
* Add "NOT LIKE %...%" operator to Table search
* Add support for the Mroonga engine
* Add support for account locking
* Several fixes and improvements to the SQL parser library
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The nginx gunzip module is a filter that decompresses responses with
'Content-Encoding: gzip' for clients that do not support 'gzip' encoding
method. The module will be useful when it is desirable to store data
compressed to save space and reduce I/O costs.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Layer priority is the ultimate decider of what recipe is used: if layer
A has recipe foo_1 and layer B has recipe foo_2, if layer A's priority
is higher than B then foo_1 will be used, even though the version in B
is higher, and even if PREFERRED_VERSION_foo is set to 2.
This complicates recipes moving between layers, for example when a newer
version of a recipe (say, python3-wheel) is taken from a layer with a
higher priority (say, meta-python) and moved to a layer with a lower
priority (say, oe-core) then it has to be removed before it is added:
there is no way to have it in both layers and work correctly.
Higher priorities are useful in distribution layers where you may want
to override specific recipes without any other fuss. However as all of
the layers in meta-oe simply add more recipes in defined areas, there's
no need to have a higher layer priority.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The json-c dependancy is only needed when cloud is enabled.
Almost no inpact on the size of the package.
Default disabled.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
=========
- Fix broken pagination links in the navigation sidebar
- Fix MariaDB has no support for system variable "disabled_storage_engines"
- Fix unsupported operand types in Results.php when running "SHOW PROCESSLIST" SQL query
- Fixed importing browser settings question box after login when having no pmadb
- Fix "First day of calendar" user override has no effect
- Fixed repeating headers are not working
- Fixed import of email-adresses or links from ODS results in empty contents
- Fixed a type error on ODS import with non string values
- Fixed header row show/hide columns buttons on each line after hover are shown on each row
- [security] Fix for path disclosure under certain server configurations (if display_errors is on, for instance)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
https can now be enabled (default) or disabled.
The lz4 patch is now in this release.
Package size increase of 2%
Tested on RaspberryPi4-64
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Added the packageconfig to compress the data with lz4.
But disabled it by default.
Patch added to have it working without compression enabled.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
*) SECURITY: CVE-2021-44790: Possible buffer overflow when parsing
multipart content in mod_lua of Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A carefully crafted request body can cause a buffer overflow in
the mod_lua multipart parser (r:parsebody() called from Lua
scripts).
The Apache httpd team is not aware of an exploit for the
vulnerabilty though it might be possible to craft one.
This issue affects Apache HTTP Server 2.4.51 and earlier.
*) SECURITY: CVE-2021-44224: Possible NULL dereference or SSRF in
forward proxy configurations in Apache HTTP Server 2.4.51 and
earlier (cve.mitre.org)
A crafted URI sent to httpd configured as a forward proxy
(ProxyRequests on) can cause a crash (NULL pointer dereference)
or, for configurations mixing forward and reverse proxy
declarations, can allow for requests to be directed to a
declared Unix Domain Socket endpoint (Server Side Request
Forgery).
This issue affects Apache HTTP Server 2.4.7 up to 2.4.51
(included).
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
specified openssl path.
*) mod_proxy_connect, mod_proxy: Do not change the status code after we
already sent it to the client.
*) mod_http: Correctly sent a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request. PR 65725
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
elements and property elements that need to be taken into account
when generating a property. The document element and property element
are made available in the dav_liveprop_elem structure by calling
dav_get_liveprop_element().
*) mod_dav: Add utility functions dav_validate_root_ns(),
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
dav_find_attr() so that other modules get to play too.
*) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
*) mod_http2: fixes 2 regressions in server limit handling.
1. When reaching server limits, such as MaxRequestsPerChild, the
HTTP/2 connection send a GOAWAY frame much too early on new
connections, leading to invalid protocol state and a client
failing the request. See PR65731.
The module now initializes the HTTP/2 protocol correctly and
allows the client to submit one request before the shutdown
via a GOAWAY frame is being announced.
2. A regression in v1.15.24 was fixed that could lead to httpd
child processes not being terminated on a graceful reload or
when reaching MaxConnectionsPerChild. When unprocessed h2
requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
*) mod_ssl: Add build support for OpenSSL v3.
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
while tunneling.
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
half-close forwarding when tunneling protocols.
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
a third-party module. PR 65627.
*) mod_md: Fix memory leak in case of failures to load the private key.
PR 65620
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a seconde account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing oders from other accounts.
- When retrieving certificate chains, try to read the repsonse even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows to keep server configuration permissions
world readable without exposing secrets.
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
PR 65616.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The previous commit was using a PACKAGECONFIG to enable or disable
the sending of anonymous data to Google Analytics.
This was giving QA issues.
Now the variable 'NETDATA_ANONYMOUS' is used to enable or disable
the opt-out.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Netdata is sending anonymous statics data to Google by default.
Disabling this by default in the recipe by adding the
.opt-out-from-anonymous-statistics file in the netdata config
directory.
@see: https://learn.netdata.cloud/docs/agent/anonymous-statistics#opt-out
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
libtool is now longer renamed to ${host}-libtool, so remove the changes
to support this.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Added openssl so it can compile with default configuration.
* ebpf I had to disable. It seems to have issues with cross-compiling.
And the libbpf isn't available at all platforms.
Tested on raspberrypy4-64
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
/var/volatile is populated at runtime as it can be mounted from a
different partition, therefore its better to keep it empty and only
populate it during runtime.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Moved to the release archives instead of git.
* Added the UPSTREAM_CHECK_URI.
Note that the latest version of netdata is 1.31.0.
But this one doesn't compile on Linux in cross compilation.
The next version should have the fix.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The main repo is sourced from git://git.openembedded.org not github.
Don't think oe-core.git exists.
Lets be constent across all sub layers.
Drop Revisions and Prioriiy from repo references as they are not used.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The HOMEPAGE was updated in commit 371adeaa (netdata: Fixed the recipe),
but not the SRC_URI.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The netdata website was not accessable due to some (changed) permissions.
The systemd service file will start netdata deamon with the netdata user.
The netdata group as existing, but the netdata user was missing.
I moved some directory creations from systemd to the bitbake recipe.
The project website address changed too.
Removed the creation of the pid file in the service of systemd.
Netdata itself has an option to create the pid file. Because it's an
options, it's probably also not needed in systemd.
Tested with meta-raspberrypi on rpi4-32.
Signed-off-by: Jan Vermaete <jan.vermaete@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changes with Apache 2.4.49
*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request
*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
For linux, nginx will always compile with '-D_FILE_OFFSET_BITS=64'. This
means that off_t will always be 8 bytes long, even on 32-bit targets.
This configuration change resolves some issues with nginx and handling
range headers.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport with no change a patch from version 1.21.0. This patch
was not cherry-picked by nginx to version 1.20.1.
Information about this CVE comes from
https://ubuntu.com/security/CVE-2021-3618.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Hosting site seems to be dead so remove recipe.
http://www.nazgul.ch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The following changes have taken place in copyright:
-Copyright 2013 jQuery Foundation and other contributors
-http://jquery.com/
+Copyright JS Foundation and other contributors, https://js.foundation/
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fcgiwrap is a simple server for running CGI applications over FastCGI.
It hopes to provide clean CGI support to Nginx and other web servers
that may need it. Homepage: https://github.com/gnosek/fcgiwrap.
Signed-off-by: Senthil Selvaganesan <SenthilKumaran.Selvaganesan@garmin.com>
Signed-off-by: Joshua Watt <Joshua.Watt@garmin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The commit e789c3837c tries to create
log/run directory in initscript/systemd unit file. This is not a correct
method. We should create them in pkg_postinst.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
reproduce steps:
1. boot up target
2. scp apache2-2.4.41-r0.1.aarch64.rpm on target
3. rpm -i apache2-2.4.41-r0.1.aarch64.rpm
4. systemctl status apache2
Error:
httpd[7767]: (2)No such file or directory: AH02291: Cannot access directory '/var/log/apache2/' for main error log
with the old way, /var/log/apache2/ is created by service
systemd-tmpfiles-setup during boot, so only works when apache2
already installed before boot, in above scenario,
/var/log/apache2/ will not created. fix by creating it in the
service file. similar fix for sysV system
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cockpit uses udisks2 in order to manage storage on the host, without it
cockpit will just display an error when the storage tab is selected.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove directory /var/log/nginx when do_install because it is created by
volatiles file.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The 'tar -cf - | tar -xf' combo applies an invalid ownership.
This is corrected by patching the install target to use
the --no-same-owner tar parameter.
Signed-off-by: Emmanuel Roullit <emmanuel.roullit@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cockpit is a server manager that makes it easy to
administer your GNU/Linux servers via a web browser.
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
apache2 added cross-compilation support after 2.4.41, but
this conflicts with our own cross-compilation setup and causes
related recipes like apache-websocket to fail to find config
files (due to incorrect file paths) during build:
| cannot open
/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot//usr/share/apache2/build/config_vars.mk:
No such file or directory at
/ala-lpggp31/tgamblin/yocto/poky.git/build/tmp/work/core2-64-poky-linux/apache-websocket/0.1.1+gitAUTOINC+6968083264-r0/recipe-sysroot/usr/bin/crossscripts/apxs
line 213.
Add this patch to ensure that the $destdir
variable used in apache2's cross-compilation scheme is always
the empty string so that apache-websocket can find the right
files.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch fixes Nginx install paths. I tried to build the native variant
for testing purpose and had errors.
- Use path variable instead of /usr
- Replace the absolute path symlink with a relative one
Signed-off-by: Gaylord CHARLES <gaylord.charles@veo-labs.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
phpmyadmin rdeps on php-cli but we can ignore signatures for the deps
ERROR: phpmyadmin different signature for task do_package_write_ipk.sigdata
Hash for dependent task php/php_7.3.11.bb:do_packagedata changed
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The License of spawn-fcgi is BSD-3-Clause.
Signed-off-by: Christophe Priouzeau <christophe.priouzeau@st.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
I have no idea if this is the right thing to do, but without the patch I
can't actually buil OE because none of these layers are compatible
with the change in openembedded-core to move to zeus.
Fixes: a5c9709b8d ("layer.conf: Update for zeus series") # openembedded-core
Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The apache2 module's path has been changed from ${libdir} to
${libexecdir} in commit 8d4d608b4e.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There are errors of apache2 about files conflicts when multilib enabled:
| Error: Transaction check error:
| file /etc/apache2/extra/httpd-ssl.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /etc/apache2/httpd.conf conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /usr/sbin/envvars conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
| file /usr/sbin/envvars-std conflicts between attempted installs of lib32-apache2-2.4.41-r0.core2_32 and apache2-2.4.41-r0.core2_64
It makes libexecdir point to ${libdir}. Reset to ${libexecdir} which could
eliminate file conflicts of the conf files. And remove /usr/sbin/envvars and
/usr/sbin/envvars-std which only used by apachectl. They only add standard
library path ${libdir} to LD_LIBRARY_PATH, so remove them to avoid multilib
file conflicts.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixes
ERROR: webmin-1.850-r0 do_package_qa: QA Issue: /usr/libexec/webmin/ldap-client/stop.cgi contained in package webmin-module-ldap-client requires /usr/bin/perl, but no providers
found in RDEPENDS_webmin-module-ldap-client? [file-rdeps]
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Remove add_foreign_to_AM_INIT_AUTOMAKE.patch as the issue had been fixed
upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
the kill utility is located in /bin/kill -> use base_bindir instead of bindir
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the
LICENSE file
- * Copyright (C) 2002-2018 Igor Sysoev
- * Copyright (C) 2011-2018 Nginx, Inc.
+ * Copyright (C) 2002-2019 Igor Sysoev
+ * Copyright (C) 2011-2019 Nginx, Inc.
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The LIC_FILES_CHKSUM needs also to be updated due to the updated year in the
LICENSE file
- * Copyright (C) 2002-2018 Igor Sysoev
- * Copyright (C) 2011-2018 Nginx, Inc.
+ * Copyright (C) 2002-2019 Igor Sysoev
+ * Copyright (C) 2011-2019 Nginx, Inc.
Signed-off-by: Nicola Lunghi <nick83ola@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Add back this patch. Without this patch, apxs's shebang will use
perl under hosttools, which can be too long for shebang, and cause
error:
bad interpreter: No such file or directory
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The build related files (${datadir}/${BPN}/build and ${bindir}/apxs)
belong in the -dev package, and the manual belong in the -doc package.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
A missing space lead to problems if something else was already added to
SYSROOT_PREPROCESS_FUNCS.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Change http://xdebug.org to https://xdebug.org everywhere
php upgrade to 3.7.2, 2.6.1 not support php 3.x, need
upgrade to 2.7 which support php 3.x.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
As per Debian packaging - to use it, see
https://wiki.debian.org/Nginx/DirectoryStructure#Extra_Parameters
This file is most commonly included when Nginx is acting
as a reverse proxy:
include /etc/nginx/proxy_params;
proxy_pass http://localhost:8000;
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Restructure the main configuration file to simplify custom configuration:
* support inclusion of configuration fragments from subdirectories:
- /etc/nginx/modules-enabled/*.conf
- /etc/nginx/conf.d/*.conf
- /etc/nginx/sites-enabled/*
* default site (port 80):
- move into /etc/nginx/sites-available/default_server
and enable via symlink in /etc/nginx/sites-enabled/
- listen on IPv6
- drop unneeded example fragments
* configure and enable gzip
* update TLS settings to drop SSLv3 and enable TLSv1.3 for some safer
defaults
* update remaining bits to follow Debian standard configuration
62a54a8ba6/debian/conf/nginx.conf
* drop unneeded example configuration bits from /etc/nginx/*.default
These changes, in particular the configuration fragment
support allow to easily customise nginx based on individual
requirements.
In addition, it is now possible for other recipes / packages
to drop fragments into the respective directories in /etc/nginx
without having to meddle with /etc/nginx/nginx.conf
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Our systemd unit doesn't follow the official
recommendation, see
https://www.nginx.com/resources/wiki/start/topics/examples/systemd/
Most importantly:
* it should start after some additional specific
targets/units
* using PrivateTmp is a useful security feature, in
particular to avoid cross domain scripting via the
temp folder
* using systemd's $MAINPID, we can distinguish between
multiple running nginx instances correctly
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
mod_http2: connection IO event handling reworked.
Instead of reacting on incoming bytes, the state
machine now acts on incoming frames that are affecting
it. This reduces state transitions.
Reference: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-11763.html
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Security fixes:
CVE-2018-15605: An issue was discovered in phpMyAdmin before 4.8.3. A
Cross-Site Scripting vulnerability has been found where an attacker can
use a crafted file to manipulate an authenticated user who loads that
file through the import feature.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The default layout installs log files to /var/apache2/logs. But we
assume the log directory is /var/log/apache2 in volatile.conf. Specify
the layout to debian style to set the correct the log directory.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
phpmyadmin install some bin list below that depend on interpreter php,
without rdepend, will report "Not found the interpreter php"
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/lint-query
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/tokenize-query
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/highlight-query
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Security fixes:
CVE-2018-8011
mod_md: DoS via Coredumps on specially crafted requests
CVE-2018-1333
mod_http2: DoS for HTTP/2 connections by specially crafted requests
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The thread pool feature can be enabled without significant extra binary size. Thread pools can increase performance by an order of magnitude on some configurations
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* License-Update: Correctly identify origin of util_pcre.c/ap_regex.h as
pcreposix[.ch] and correct LICENSE/NOTICE to match.
* Refresh patches with devtool
* Drop useless patch apache-ssl-ltmain-rpath.patch
* Move all patches to one directory
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The configure options '--enable-deflate' or '--with-z' make
the package depends on zlib. PACKAGECONFIG should be defined
to clear the dependency.
Signed-off-by: Haiqing Bai <Haiqing.Bai@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Update to latest from upstream. This adds pkg-config support.
Fix_EOF_not_declared_issue.patch is obsolete, fix is upstream.
Signed-off-by: Adrian Freihofer <adrian.freihofer@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
There is a failure to install both of sthttpd-doc and
apache2-doc to rootfs.
...
|Error: Transaction check error:
| file /usr/share/man/man1/htpasswd.1 conflicts
between attempted installs of sthttpd-doc-2.27.1
-r0.0.armv7ahf_neon and apache2-doc-2.4.27
-r0.0.armv7ahf_neon
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fixes:
checking Check for supported PHP versions... configure: error: not supported. Need a PHP version >= 5.5.0 and < 7.2.0 (found 7.2.4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
WARNING: nginx-1.12.2-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.htmlhttps://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch nginx-cross.patch
patching file auto/feature
patching file auto/options
Hunk #1 succeeded at 386 (offset 33 lines).
Hunk #2 succeeded at 580 (offset 35 lines).
Hunk #3 succeeded at 599 (offset 22 lines).
patching file auto/types/sizeof
patching file auto/unix
Hunk #1 succeeded at 587 (offset 194 lines).
Hunk #2 succeeded at 604 with fuzz 1 (offset 188 lines).
Hunk #3 succeeded at 620 with fuzz 2 (offset 188 lines).
Now at patch nginx-cross.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
WARNING: webmin-1.850-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.htmlhttps://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch nfs-export.patch
patching file exports/save_export.cgi
Hunk #1 succeeded at 50 (offset 10 lines).
Hunk #2 succeeded at 87 with fuzz 2 (offset 17 lines).
Now at patch nfs-export.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
WARNING: apache2-2.4.29-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.htmlhttps://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch apache-configure_perlbin.patch
patching file configure.in
Hunk #1 succeeded at 855 with fuzz 2 (offset 217 lines).
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add an inherit for siteinfo to get access to SITEINFO_ENDIANNESS
Add a patch to have nginx actually use the user provided --with-endian
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update license checksum for copyright updates
Rebase existing patch to remove contrib dir from the build
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
