[Buildroot] [PATCH v2] package/nginx: security bump to 1.28.1
Thomas Perale
thomas.perale at mind.be
Fri May 15 13:33:17 UTC 2026
In reply to:
> See here for changes:
> https://nginx.org/en/CHANGES-1.28
>
> Following security related issues are fixed:
> *) Security: processing of a specially crafted login/password when using
> the "none" authentication method in the ngx_mail_smtp_module might
> cause worker process memory disclosure to the authentication server
> (CVE-2025-53859).
> *) Security: insufficient check in virtual servers handling with TLSv1.3
> SNI allowed to reuse SSL sessions in a different virtual server, to
> bypass client SSL certificates verification (CVE-2025-23419).
> *) Security: processing of a specially crafted mp4 file by the
> ngx_http_mp4_module might cause a worker process crash
> (CVE-2024-7347).
> Thanks to Nils Bars.
> *) Security: when using HTTP/3, processing of a specially crafted QUIC
> session might cause a worker process crash, worker process memory
> disclosure on systems with MTU larger than 4096 bytes, or might have
> potential other impact (CVE-2024-32760, CVE-2024-31079,
> CVE-2024-35200, CVE-2024-34161).
> Thanks to Nils Bars of CISPA.
>
> Update patch 0007, which does not apply cleanly.
> License file was changed, year was bumped to 2025.
>
> Signed-off-by: Waldemar Brodkorb <wbx at openadk.org>
Applied to 2025.02.x. Thanks
> ---
> v1->v2:
> - forgot to mention license file update
> ---
> ...nix-ngx_linux_config.h-only-include-dlfcn.h-.patch | 11 ++++-------
> package/nginx/nginx.hash | 4 ++--
> package/nginx/nginx.mk | 2 +-
> 3 files changed, 7 insertions(+), 10 deletions(-)
>
> diff --git a/package/nginx/0007-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch b/package/nginx/0007-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch
> index c10fcd11c9..4656634bd3 100644
> --- a/package/nginx/0007-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch
> +++ b/package/nginx/0007-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch
> @@ -10,11 +10,11 @@ Signed-off-by: Martin Bark <martin at barkynet.com>
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/os/unix/ngx_linux_config.h b/src/os/unix/ngx_linux_config.h
> -index 2f6129d..4244086 100644
> +index d99358c93..612935524 100644
> --- a/src/os/unix/ngx_linux_config.h
> +++ b/src/os/unix/ngx_linux_config.h
> -@@ -55,10 +55,12 @@
> - #include <crypt.h>
> +@@ -54,10 +54,12 @@
> + #include <sys/ioctl.h>
> #include <sys/utsname.h> /* uname() */
>
> -#include <dlfcn.h>
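Review bot: The commit message says only that patch 0007 "does not apply cleanly"; it should state that the refresh is context-only. In this hunk the inner index line, the inner hunk offset (`-55,10 +55,12` to `-54,10 +54,12`) and the leading context (`#include <crypt.h>` to `#include <sys/ioctl.h>`) change, while the `-#include <dlfcn.h>` line the patch acts on is untouched. A sentence such as "refresh patch 0007, no functional change" would let a reader confirm that without re-deriving it from the nested diff.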
> @@ -27,7 +27,4 @@ index 2f6129d..4244086 100644
> +#endif
>
>
> - #if (NGX_HAVE_POSIX_SEM)
> ---
> -2.8.2
> -
> + #if (NGX_HAVE_CRYPT_H)
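Review bot: The removal of the `--` / `2.8.2` signature trailer at the end of patch 0007 is unrelated to the rebase and is not mentioned in the commit message or the v1->v2 notes. Either keep the trailer or say that it was dropped on purpose. The trailing context change from `#if (NGX_HAVE_POSIX_SEM)` to `#if (NGX_HAVE_CRYPT_H)` is the part of this hunk that the new nginx version accounts for.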
> diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
> index 77220665f3..7b79036b20 100644
> --- a/package/nginx/nginx.hash
> +++ b/package/nginx/nginx.hash
> @@ -1,4 +1,4 @@
> # Locally calculated after checking pgp signature
> -sha256 69ee2b237744036e61d24b836668aad3040dda461fe6f570f1787eab570c75aa nginx-1.26.3.tar.gz
> +sha256 40e7a0916d121e8905ef50f2a738b675599e42b2224a582dd938603fed15788e nginx-1.28.1.tar.gz
> # License files, locally calculated
> -sha256 f19c4caea60247490199c5a6d0134281e3fb20b3d7577e6873c628597f5381d9 LICENSE
> +sha256 77c01620abf36ed747b7eca4bd271e49023fe3a8e2b3525bcf4b09c8e3aa28e4 LICENSE
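Review bot: The retained comment "Locally calculated after checking pgp signature" does not record which signature file or signing key was used for nginx-1.28.1.tar.gz. For a security bump, add a comment line naming the detached signature that was verified, and ideally the key fingerprint, so the tarball hash can be re-checked independently. The LICENSE hash change is accounted for by the commit message (year bumped to 2025).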
> diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
> index 6ca1ac2075..41490caee2 100644
> --- a/package/nginx/nginx.mk
> +++ b/package/nginx/nginx.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -NGINX_VERSION = 1.26.3
> +NGINX_VERSION = 1.28.1
> NGINX_SITE = https://nginx.org/download
> NGINX_LICENSE = BSD-2-Clause
> NGINX_LICENSE_FILES = LICENSE
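Review bot: `NGINX_VERSION` goes from 1.26.3 to 1.28.1, which is a move to a new stable branch rather than a point release, yet the commit message presents it only as a security bump and lists CVEs from the whole CHANGES-1.28 file, including 2024 identifiers. Please say which of the listed CVEs are newly fixed relative to 1.26.3 and mention any behaviour or configure-option changes between the branches, since that is what decides whether the bump is suitable for a maintenance branch such as 2025.02.x.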
> --
> 2.47.3
>