Fix CVE-2025-23419 by upgrading nginx from 1.25.4 to 1.25.5, which allows the
upstream fix to be applied cleanly.
It appears that the CVE-2025-23419.patch for 1.24.0 can be applied to 1.25.4;
however, this patch is a modified version of the upstream patch. By upgrading
1.25.4 to 1.25.5, we are able to cleanly apply the upstream fix.
Since 1.25.x is not the default preference, I assume upgrading one patch
version is acceptable.
Changes in v2:
* Moved existing CVE-2025-23419.patch for 1.24.0 to "nginx-1.24.0" dir.
Colin Pinnell McAllister (2):
  nginx: upgrade 1.25.4 -> 1.25.5
  nginx: Fix CVE-2025-23419 for 1.25.5

 .../CVE-2025-23419.patch | 0
 .../nginx/nginx-1.25.5/CVE-2025-23419.patch | 119 ++++++++++++++++++
 meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
 .../recipes-httpd/nginx/nginx_1.24.0.bb | 3 +-
 .../{nginx_1.25.4.bb => nginx_1.25.5.bb} | 2 +-
 5 files changed, 122 insertions(+), 3 deletions(-)
 rename meta-webserver/recipes-httpd/nginx/{files => nginx-1.24.0}/CVE-2025-23419.patch (100%)
 create mode 100644 meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2025-23419.patch
 rename meta-webserver/recipes-httpd/nginx/{nginx_1.25.4.bb => nginx_1.25.5.bb} (74%)
--
2.52.0