[Buildroot] [PATCH 0/5] nginx updates

[Buildroot] [PATCH 0/5] nginx updates

[Adam Duskett]

Just some nginx maintnence.

Changes include:
  - Update nginx to the latest LTS release.
  - Update nginx naxsi, dav-ext, and modsecurity.

The nginx-upload package also has updates, however, the current nginx-upload url
points to a fork of nginx-upload-module. The official project URL is fdintino
not vkholodkov. Should this be changed to fdintino and the version changed to
4423994c7d8fb491d95867f6af968585d949e7a9?

Adam

Adam Duskett (5):
  package/nginx: bump version to 1.20.1
  package/nginx: add stream_set_module support
  package/nginx-naxsi: bump version to 1.3
  package/nginx-dav-ext: bump version to 3.0.0
  package/nginx-modsecurity: bump to  version 1.0.2

 package/nginx-dav-ext/nginx-dav-ext.hash      |  4 +-
 package/nginx-dav-ext/nginx-dav-ext.mk        |  2 +-
 .../nginx-modsecurity/nginx-modsecurity.hash  |  6 +--
 .../nginx-modsecurity/nginx-modsecurity.mk    |  2 +-
 package/nginx-naxsi/nginx-naxsi.hash          |  4 +-
 package/nginx-naxsi/nginx-naxsi.mk            |  6 +--
 ...ture_run_force_result-for-each-featu.patch | 40 ++++++++-----------
 ...ake-sys_nerr-guessing-cross-friendly.patch | 27 ++++++-------
 ...to-os-linux-fix-build-with-libxcrypt.patch |  2 +-
 ...ff-by-one-write-in-ngx_resolver_copy.patch | 40 -------------------
 package/nginx/Config.in                       |  6 +++
 package/nginx/nginx.hash                      |  4 +-
 package/nginx/nginx.mk                        |  6 ++-
 13 files changed, 55 insertions(+), 94 deletions(-)
 delete mode 100644 package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch

-- 
2.31.1

[Buildroot] [PATCH 1/5] package/nginx: bump version to 1.20.1

[Adam Duskett]

Tested with ./utils/test-pkg -p nginx -a on Fedora 34
45 builds, 6 skipped, 0 build failed, 0 legal-info failed

Other changes:
  - Rebase needed patches.
  - Update license hash due to year change.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 ...ture_run_force_result-for-each-featu.patch | 40 ++++++++-----------
 ...ake-sys_nerr-guessing-cross-friendly.patch | 27 ++++++-------
 ...to-os-linux-fix-build-with-libxcrypt.patch |  2 +-
 ...ff-by-one-write-in-ngx_resolver_copy.patch | 40 -------------------
 package/nginx/nginx.hash                      |  4 +-
 package/nginx/nginx.mk                        |  2 +-
 6 files changed, 33 insertions(+), 82 deletions(-)
 delete mode 100644 package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch

diff --git a/package/nginx/0003-auto-set-ngx_feature_run_force_result-for-each-featu.patch b/package/nginx/0003-auto-set-ngx_feature_run_force_result-for-each-featu.patch
index f186becdf8..ee7f3e9290 100644
--- a/package/nginx/0003-auto-set-ngx_feature_run_force_result-for-each-featu.patch
+++ b/package/nginx/0003-auto-set-ngx_feature_run_force_result-for-each-featu.patch
@@ -15,14 +15,16 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com>
 Refresh for 1.8.0.
 
 Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
+[rebased against v1.20.1]
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
 ---
  auto/cc/conf            | 3 +++
  auto/cc/name            | 1 +
  auto/lib/libatomic/conf | 1 +
  auto/os/darwin          | 3 +++
  auto/os/linux           | 4 ++++
- auto/unix               | 8 ++++++++
- 6 files changed, 20 insertions(+)
+ auto/unix               | 7 +++++++
+ 6 files changed, 19 insertions(+)
 
 diff --git a/auto/cc/conf b/auto/cc/conf
 index afbca62b..ad42c800 100644
@@ -116,7 +118,7 @@ index 2c8a9bb8..eb4513ee 100644
  ngx_feature_incs="#include <sys/epoll.h>"
  ngx_feature_path=
  ngx_feature_libs=
-@@ -111,6 +112,7 @@ CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE"
+@@ -136,6 +137,7 @@ CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE"
  ngx_feature="sendfile()"
  ngx_feature_name="NGX_HAVE_SENDFILE"
  ngx_feature_run=yes
@@ -124,7 +126,7 @@ index 2c8a9bb8..eb4513ee 100644
  ngx_feature_incs="#include <sys/sendfile.h>
                    #include <errno.h>"
  ngx_feature_path=
-@@ -132,6 +134,7 @@ CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"
+@@ -157,6 +159,7 @@ CC_AUX_FLAGS="$cc_aux_flags -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64"
  ngx_feature="sendfile64()"
  ngx_feature_name="NGX_HAVE_SENDFILE64"
  ngx_feature_run=yes
@@ -132,7 +134,7 @@ index 2c8a9bb8..eb4513ee 100644
  ngx_feature_incs="#include <sys/sendfile.h>
                    #include <errno.h>"
  ngx_feature_path=
-@@ -150,6 +153,7 @@ ngx_include="sys/prctl.h"; . auto/include
+@@ -175,6 +178,7 @@ ngx_include="sys/prctl.h"; . auto/include
  ngx_feature="prctl(PR_SET_DUMPABLE)"
  ngx_feature_name="NGX_HAVE_PR_SET_DUMPABLE"
  ngx_feature_run=yes
@@ -152,31 +154,23 @@ index 43d3b25a..3da00537 100644
          ngx_feature_incs="#include <sys/event.h>
                            #include <sys/time.h>"
          ngx_feature_path=
-@@ -730,6 +731,7 @@ ngx_feature_test="char buf[1]; struct iovec vec[1]; ssize_t n;
- ngx_feature="sys_nerr"
- ngx_feature_name="NGX_SYS_NERR"
- ngx_feature_run=value
-+ngx_feature_run_force_result="$ngx_force_sys_nerr"
- ngx_feature_incs='#include <errno.h>
-                   #include <stdio.h>'
- ngx_feature_path=
-@@ -744,6 +746,7 @@ if [ $ngx_found = no ]; then
-     ngx_feature="_sys_nerr"
+@@ -722,6 +723,7 @@ if [ $ngx_found = no ]; then
+     ngx_feature="sys_nerr"
      ngx_feature_name="NGX_SYS_NERR"
      ngx_feature_run=value
 +    ngx_feature_run_force_result="$ngx_force_sys_nerr"
      ngx_feature_incs='#include <errno.h>
                        #include <stdio.h>'
      ngx_feature_path=
-@@ -759,6 +762,7 @@ if [ $ngx_found = no ]; then
-     ngx_feature='maximum errno'
-     ngx_feature_name=NGX_SYS_NERR
+@@ -737,6 +739,7 @@ if [ $ngx_found = no ]; then
+     ngx_feature="_sys_nerr"
+     ngx_feature_name="NGX_SYS_NERR"
      ngx_feature_run=value
 +    ngx_feature_run_force_result="$ngx_force_sys_nerr"
      ngx_feature_incs='#include <errno.h>
-                       #include <string.h>
                        #include <stdio.h>'
-@@ -841,6 +845,7 @@ ngx_feature_test="void *p; p = memalign(4096, 4096);
+     ngx_feature_path=
+@@ -806,6 +809,7 @@ ngx_feature_test="void *p; p = memalign(4096, 4096);
  ngx_feature="mmap(MAP_ANON|MAP_SHARED)"
  ngx_feature_name="NGX_HAVE_MAP_ANON"
  ngx_feature_run=yes
@@ -184,7 +178,7 @@ index 43d3b25a..3da00537 100644
  ngx_feature_incs="#include <sys/mman.h>"
  ngx_feature_path=
  ngx_feature_libs=
-@@ -854,6 +859,7 @@ ngx_feature_test="void *p;
+@@ -819,6 +823,7 @@ ngx_feature_test="void *p;
  ngx_feature='mmap("/dev/zero", MAP_SHARED)'
  ngx_feature_name="NGX_HAVE_MAP_DEVZERO"
  ngx_feature_run=yes
@@ -192,7 +186,7 @@ index 43d3b25a..3da00537 100644
  ngx_feature_incs="#include <sys/mman.h>
                    #include <sys/stat.h>
                    #include <fcntl.h>"
-@@ -869,6 +875,7 @@ ngx_feature_test='void *p; int  fd;
+@@ -834,6 +839,7 @@ ngx_feature_test='void *p; int  fd;
  ngx_feature="System V shared memory"
  ngx_feature_name="NGX_HAVE_SYSVSHM"
  ngx_feature_run=yes
@@ -200,7 +194,7 @@ index 43d3b25a..3da00537 100644
  ngx_feature_incs="#include <sys/ipc.h>
                    #include <sys/shm.h>"
  ngx_feature_path=
-@@ -883,6 +890,7 @@ ngx_feature_test="int  id;
+@@ -848,6 +854,7 @@ ngx_feature_test="int  id;
  ngx_feature="POSIX semaphores"
  ngx_feature_name="NGX_HAVE_POSIX_SEM"
  ngx_feature_run=yes
diff --git a/package/nginx/0005-auto-unix-make-sys_nerr-guessing-cross-friendly.patch b/package/nginx/0005-auto-unix-make-sys_nerr-guessing-cross-friendly.patch
index 747a034aee..79fa4970cb 100644
--- a/package/nginx/0005-auto-unix-make-sys_nerr-guessing-cross-friendly.patch
+++ b/package/nginx/0005-auto-unix-make-sys_nerr-guessing-cross-friendly.patch
@@ -15,10 +15,12 @@ Signed-off-by: Samuel Martin <s.martin49@gmail.com>
 Refresh for 1.8.0.
 
 Signed-off-by: Danomi Manchego <danomimanchego123@gmail.com>
+[rebased against v1.20.1]
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
 ---
- auto/os/sys_nerr | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- auto/unix        | 10 ++++++++
- 2 files changed, 88 insertions(+)
+ auto/os/sys_nerr | 78 ++++++++++++++++++++++++++++++++++++++++++++++++
+ auto/unix        |  8 +++++
+ 2 files changed, 86 insertions(+)
  create mode 100644 auto/os/sys_nerr
 
 diff --git a/auto/os/sys_nerr b/auto/os/sys_nerr
@@ -109,18 +111,13 @@ diff --git a/auto/unix b/auto/unix
 index 7dbf9d1..00a7370 100755
 --- a/auto/unix
 +++ b/auto/unix
-@@ -736,6 +736,10 @@ ngx_feature_incs='#include <errno.h>
-                   #include <stdio.h>'
- ngx_feature_path=
- ngx_feature_libs=
-+
-+if false ; then
-+# Disabled because only valid for native build.
-+
- ngx_feature_test='printf("%d", sys_nerr);'
- . auto/feature
- 
-@@ -784,6 +788,12 @@ if [ $ngx_found = no ]; then
+@@ -744,10 +744,18 @@ if [ $ngx_found = no ]; then
+                       #include <stdio.h>'
+     ngx_feature_path=
+     ngx_feature_libs=
++    if false ; then
++    # Disabled because only valid for native build.
+     ngx_feature_test='printf("%d", _sys_nerr);'
      . auto/feature
  fi
  
diff --git a/package/nginx/0009-auto-os-linux-fix-build-with-libxcrypt.patch b/package/nginx/0009-auto-os-linux-fix-build-with-libxcrypt.patch
index 7e430ffc37..8b368d946f 100644
--- a/package/nginx/0009-auto-os-linux-fix-build-with-libxcrypt.patch
+++ b/package/nginx/0009-auto-os-linux-fix-build-with-libxcrypt.patch
@@ -23,7 +23,7 @@ diff --git a/auto/os/linux b/auto/os/linux
 index 5e280eca..04682812 100644
 --- a/auto/os/linux
 +++ b/auto/os/linux
-@@ -203,6 +203,9 @@ ngx_feature_test="struct crypt_data  cd;
+@@ -232,6 +232,9 @@ ngx_feature_test="struct crypt_data  cd;
                    crypt_r(\"key\", \"salt\", &cd);"
  . auto/feature
  
diff --git a/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch b/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
deleted file mode 100644
index ba47768fe5..0000000000
--- a/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9f1dcb0c0473641730b871dee984016ff19d2c53 Mon Sep 17 00:00:00 2001
-From: Maxim Dounin <mdounin@mdounin.ru>
-Date: Tue, 25 May 2021 15:17:36 +0300
-Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
-
-Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
-
-[peter at korsgaard.com: backport from upstream]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- src/core/ngx_resolver.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
-index 79390701..63b26193 100644
---- a/src/core/ngx_resolver.c
-+++ b/src/core/ngx_resolver.c
-@@ -4008,15 +4008,15 @@ done:
-             n = *src++;
- 
-         } else {
-+            if (dst != name->data) {
-+                *dst++ = '.';
-+            }
-+
-             ngx_strlow(dst, src, n);
-             dst += n;
-             src += n;
- 
-             n = *src++;
--
--            if (n != 0) {
--                *dst++ = '.';
--            }
-         }
- 
-         if (n == 0) {
--- 
-2.20.1
-
diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
index 8d17931a26..06d3392a2e 100644
--- a/package/nginx/nginx.hash
+++ b/package/nginx/nginx.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking pgp signature
-sha256  4c373e7ab5bf91d34a4f11a0c9496561061ba5eee6020db272a17a7228d35f99  nginx-1.18.0.tar.gz
+sha256  e462e11533d5c30baa05df7652160ff5979591d291736cfa5edb9fd2edb48c49  nginx-1.20.1.tar.gz
 # License files, locally calculated
-sha256  28ad30e2f64bd89ac1287b4606906bb99ed04d9f4e13fb6564a0be9c8a23f509  LICENSE
+sha256  b57270c1f73eb6624b38b2d0a1affcec56b21fab39efbf8c837428f05cef1d73  LICENSE
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index e93e802fd3..c68811e276 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_VERSION = 1.18.0
+NGINX_VERSION = 1.20.1
 NGINX_SITE = http://nginx.org/download
 NGINX_LICENSE = BSD-2-Clause
 NGINX_LICENSE_FILES = LICENSE
-- 
2.31.1

[Buildroot] [PATCH 2/5] package/nginx: add stream_set_module support

[Adam Duskett]

This is a new module in 1.20

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/nginx/Config.in | 6 ++++++
 package/nginx/nginx.mk  | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/package/nginx/Config.in b/package/nginx/Config.in
index 6ae790a949..1200b2bf4c 100644
--- a/package/nginx/Config.in
+++ b/package/nginx/Config.in
@@ -339,6 +339,12 @@ config BR2_PACKAGE_NGINX_STREAM_REALIP_MODULE
 	help
 	  Enable ngx_stream_realip_module
 
+config BR2_PACKAGE_NGINX_STREAM_SET_MODULE
+	bool "ngx_stream_set_module"
+	default y
+	help
+	  Enable ngx_stream_set_module
+
 config BR2_PACKAGE_NGINX_STREAM_SSL_MODULE
 	bool "ngx_stream_ssl_module"
 	select BR2_PACKAGE_OPENSSL
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index c68811e276..616ada9000 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -235,6 +235,10 @@ ifeq ($(BR2_PACKAGE_NGINX_STREAM_REALIP_MODULE),y)
 NGINX_CONF_OPTS += --with-stream_realip_module
 endif
 
+ifeq ($(BR2_PACKAGE_NGINX_STREAM_SET_MODULE),)
+NGINX_CONF_OPTS += --without-stream_set_module
+endif
+
 ifeq ($(BR2_PACKAGE_NGINX_STREAM_SSL_MODULE),y)
 NGINX_DEPENDENCIES += openssl
 NGINX_CONF_OPTS += --with-stream_ssl_module
-- 
2.31.1

[Buildroot] [PATCH 3/5] package/nginx-naxsi: bump version to 1.3

[Adam Duskett]

Other changes:
  - Change license to GPL-3.0
  - Change license file to LICENSE
  - Update license hash in nginx-naxsi.hash

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/nginx-naxsi/nginx-naxsi.hash | 4 ++--
 package/nginx-naxsi/nginx-naxsi.mk   | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/nginx-naxsi/nginx-naxsi.hash b/package/nginx-naxsi/nginx-naxsi.hash
index 1f289c56cd..bd3fcd1ae9 100644
--- a/package/nginx-naxsi/nginx-naxsi.hash
+++ b/package/nginx-naxsi/nginx-naxsi.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256	0a66dcadd32432460fab180be9f2efe24e911e3798917b2787ee710e02901eb4	nginx-naxsi-0.56.tar.gz
-sha256	046812ddc8f250f85b5d6e04218c185849c618b309271ef9d8b01e92c6f7a6ac	naxsi_src/naxsi_json.c
+sha256  439c8677372d2597b4360bbcc10bc86490de1fc75695b193ad5df154a214d628  nginx-naxsi-1.3.tar.gz
+sha256  589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2  LICENSE
diff --git a/package/nginx-naxsi/nginx-naxsi.mk b/package/nginx-naxsi/nginx-naxsi.mk
index 7cfa94a5d4..3de1f684f9 100644
--- a/package/nginx-naxsi/nginx-naxsi.mk
+++ b/package/nginx-naxsi/nginx-naxsi.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-NGINX_NAXSI_VERSION = 0.56
+NGINX_NAXSI_VERSION = 1.3
 NGINX_NAXSI_SITE = $(call github,nbs-system,naxsi,$(NGINX_NAXSI_VERSION))
-NGINX_NAXSI_LICENSE = GPL-2.0+ with OpenSSL exception
-NGINX_NAXSI_LICENSE_FILES = naxsi_src/naxsi_json.c
+NGINX_NAXSI_LICENSE = GPL-3.0 with OpenSSL exception
+NGINX_NAXSI_LICENSE_FILES = LICENSE
 
 $(eval $(generic-package))
-- 
2.31.1

[Buildroot] [PATCH 4/5] package/nginx-dav-ext: bump version to 3.0.0

[Adam Duskett]

Other changes:
  - Update license hash due to year changes

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/nginx-dav-ext/nginx-dav-ext.hash | 4 ++--
 package/nginx-dav-ext/nginx-dav-ext.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/nginx-dav-ext/nginx-dav-ext.hash b/package/nginx-dav-ext/nginx-dav-ext.hash
index fbed87f0c0..07deab08db 100644
--- a/package/nginx-dav-ext/nginx-dav-ext.hash
+++ b/package/nginx-dav-ext/nginx-dav-ext.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256 6b004eed8ea16ad8de4d304027bf0413cc323a95914e58625a7dc066481aae3a  nginx-dav-ext-0.1.0.tar.gz
-sha256 40581cf424621965adaf1461e97129520ff4fcfb62ed9965ec6fd50b7f4ddfca  LICENSE
+sha256 d2499d94d82d4e4eac8425d799e52883131ae86a956524040ff2fd230ef9f859  nginx-dav-ext-3.0.0.tar.gz
+sha256 e377bb81e5024682a66438306e8ff9541d843d3831e480aec2f58eb8d83e48de  LICENSE
diff --git a/package/nginx-dav-ext/nginx-dav-ext.mk b/package/nginx-dav-ext/nginx-dav-ext.mk
index 695287ee2c..1b3071851a 100644
--- a/package/nginx-dav-ext/nginx-dav-ext.mk
+++ b/package/nginx-dav-ext/nginx-dav-ext.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_DAV_EXT_VERSION = 0.1.0
+NGINX_DAV_EXT_VERSION = 3.0.0
 NGINX_DAV_EXT_SITE = $(call github,arut,nginx-dav-ext-module,v$(NGINX_DAV_EXT_VERSION))
 NGINX_DAV_EXT_LICENSE = BSD-2-Clause
 NGINX_DAV_EXT_LICENSE_FILES = LICENSE
-- 
2.31.1

[Buildroot] [PATCH 5/5] package/nginx-modsecurity: bump to version 1.0.2

[Adam Duskett]

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/nginx-modsecurity/nginx-modsecurity.hash | 6 +++---
 package/nginx-modsecurity/nginx-modsecurity.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/nginx-modsecurity/nginx-modsecurity.hash b/package/nginx-modsecurity/nginx-modsecurity.hash
index d2dd266ac1..fbaf1ca239 100644
--- a/package/nginx-modsecurity/nginx-modsecurity.hash
+++ b/package/nginx-modsecurity/nginx-modsecurity.hash
@@ -1,4 +1,4 @@
-# From https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.1/modsecurity-nginx-v1.0.1.tar.gz.sha256
-sha256 def45a8db5bc9da14765eda75363457209a86c89538ccf5bfbd3aa02fa10833c modsecurity-nginx-v1.0.1.tar.gz
+# From https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v1.0.2/modsecurity-nginx-v1.0.2.tar.gz.sha256
+sha256  41a6660c50508c60df59f8f09c444d18ef8112a4c118cdc791a3992390b78c32  modsecurity-nginx-v1.0.2.tar.gz
 # Localy calculated
-sha256 c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4 LICENSE
+sha256  c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  LICENSE
diff --git a/package/nginx-modsecurity/nginx-modsecurity.mk b/package/nginx-modsecurity/nginx-modsecurity.mk
index 6d33403d66..90ef8ecd51 100644
--- a/package/nginx-modsecurity/nginx-modsecurity.mk
+++ b/package/nginx-modsecurity/nginx-modsecurity.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_MODSECURITY_VERSION = 1.0.1
+NGINX_MODSECURITY_VERSION = 1.0.2
 NGINX_MODSECURITY_SOURCE = modsecurity-nginx-v$(NGINX_MODSECURITY_VERSION).tar.gz
 NGINX_MODSECURITY_SITE = https://github.com/SpiderLabs/ModSecurity-nginx/releases/download/v$(NGINX_MODSECURITY_VERSION)
 NGINX_MODSECURITY_LICENSE = Apache-2.0
-- 
2.31.1

[Buildroot] [PATCH 1/5] package/nginx: bump version to 1.20.1

[Baruch Siach]

On Mon, Jun 28 2021, Adam Duskett wrote:
> diff --git a/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch b/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
> deleted file mode 100644
> index ba47768fe5..0000000000
> --- a/package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -From 9f1dcb0c0473641730b871dee984016ff19d2c53 Mon Sep 17 00:00:00 2001
> -From: Maxim Dounin <mdounin@mdounin.ru>
> -Date: Tue, 25 May 2021 15:17:36 +0300
> -Subject: [PATCH] Resolver: fixed off-by-one write in ngx_resolver_copy().
> -
> -Reported by Luis Merino, Markus Vervier, Eric Sesterhenn, X41 D-Sec GmbH.
> -
> -[peter at korsgaard.com: backport from upstream]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

I think you can also drop NGINX_IGNORE_CVES.

baruch

-- 
                                                     ~. .~   Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
   - baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -

[Buildroot] [PATCH 0/5] nginx updates

[Robert Hancock]

On Mon, 2021-06-28 at 09:16 -0700, Adam Duskett wrote:
> Just some nginx maintnence.
> 
> Changes include:
>   - Update nginx to the latest LTS release.
>   - Update nginx naxsi, dav-ext, and modsecurity.
> 
> The nginx-upload package also has updates, however, the current nginx-upload
> url
> points to a fork of nginx-upload-module. The official project URL is fdintino
> not vkholodkov. Should this be changed to fdintino and the version changed to
> 4423994c7d8fb491d95867f6af968585d949e7a9?
> 

I believe at one point the fdintino repository was quite behind and was missing
a bunch of features like HTTP/2 support that were in the vkholodkov fork. It
looks like the vkholodkov version is only 1 commit ahead of fdintino right now
however, so we might be able to switch to the "official" version.

> Adam
> 
> Adam Duskett (5):
>   package/nginx: bump version to 1.20.1
>   package/nginx: add stream_set_module support
>   package/nginx-naxsi: bump version to 1.3
>   package/nginx-dav-ext: bump version to 3.0.0
>   package/nginx-modsecurity: bump to  version 1.0.2
> 
>  package/nginx-dav-ext/nginx-dav-ext.hash      |  4 +-
>  package/nginx-dav-ext/nginx-dav-ext.mk        |  2 +-
>  .../nginx-modsecurity/nginx-modsecurity.hash  |  6 +--
>  .../nginx-modsecurity/nginx-modsecurity.mk    |  2 +-
>  package/nginx-naxsi/nginx-naxsi.hash          |  4 +-
>  package/nginx-naxsi/nginx-naxsi.mk            |  6 +--
>  ...ture_run_force_result-for-each-featu.patch | 40 ++++++++-----------
>  ...ake-sys_nerr-guessing-cross-friendly.patch | 27 ++++++-------
>  ...to-os-linux-fix-build-with-libxcrypt.patch |  2 +-
>  ...ff-by-one-write-in-ngx_resolver_copy.patch | 40 -------------------
>  package/nginx/Config.in                       |  6 +++
>  package/nginx/nginx.hash                      |  4 +-
>  package/nginx/nginx.mk                        |  6 ++-
>  13 files changed, 55 insertions(+), 94 deletions(-)
>  delete mode 100644 package/nginx/0010-Resolver-fixed-off-by-one-write-in-
> ngx_resolver_copy.patch
> 
-- 
Robert Hancock
Senior Hardware Designer, Calian Advanced Technologies
www.calian.com

[Buildroot] [PATCH 3/5] package/nginx-naxsi: bump version to 1.3

[Yann E. MORIN]

Adam, All,

On 2021-06-28 09:16 -0700, Adam Duskett spake thusly:
> Other changes:
>   - Change license to GPL-3.0
>   - Change license file to LICENSE
>   - Update license hash in nginx-naxsi.hash
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/nginx-naxsi/nginx-naxsi.hash | 4 ++--
>  package/nginx-naxsi/nginx-naxsi.mk   | 6 +++---
>  2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/nginx-naxsi/nginx-naxsi.hash b/package/nginx-naxsi/nginx-naxsi.hash
> index 1f289c56cd..bd3fcd1ae9 100644
> --- a/package/nginx-naxsi/nginx-naxsi.hash
> +++ b/package/nginx-naxsi/nginx-naxsi.hash
> @@ -1,3 +1,3 @@
>  # Locally calculated
> -sha256	0a66dcadd32432460fab180be9f2efe24e911e3798917b2787ee710e02901eb4	nginx-naxsi-0.56.tar.gz
> -sha256	046812ddc8f250f85b5d6e04218c185849c618b309271ef9d8b01e92c6f7a6ac	naxsi_src/naxsi_json.c
> +sha256  439c8677372d2597b4360bbcc10bc86490de1fc75695b193ad5df154a214d628  nginx-naxsi-1.3.tar.gz
> +sha256  589ed823e9a84c56feb95ac58e7cf384626b9cbf4fda2a907bc36e103de1bad2  LICENSE
> diff --git a/package/nginx-naxsi/nginx-naxsi.mk b/package/nginx-naxsi/nginx-naxsi.mk
> index 7cfa94a5d4..3de1f684f9 100644
> --- a/package/nginx-naxsi/nginx-naxsi.mk
> +++ b/package/nginx-naxsi/nginx-naxsi.mk
> @@ -4,9 +4,9 @@
>  #
>  ################################################################################
>  
> -NGINX_NAXSI_VERSION = 0.56
> +NGINX_NAXSI_VERSION = 1.3
>  NGINX_NAXSI_SITE = $(call github,nbs-system,naxsi,$(NGINX_NAXSI_VERSION))
> -NGINX_NAXSI_LICENSE = GPL-2.0+ with OpenSSL exception
> -NGINX_NAXSI_LICENSE_FILES = naxsi_src/naxsi_json.c
> +NGINX_NAXSI_LICENSE = GPL-3.0 with OpenSSL exception

Where did you see the OpennSSL exception?

There is also part of bundled code that is BSD-3c, in
naxsi_src/ext/libinjection

> +NGINX_NAXSI_LICENSE_FILES = LICENSE

... and so we'd need naxsi_src/ext/libinjection/COPYING axs well.

Also, from README:

    [Naxsi] depends on libpcre for its regexp support

So maybe a dependency on libpcre (or libpcre2?) is missing?

Regards,
Yann E. MORIN.

>  $(eval $(generic-package))
> -- 
> 2.31.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 0/5] nginx updates

[Yann E. MORIN]

Adam, All,

On 2021-06-28 09:16 -0700, Adam Duskett spake thusly:
> Just some nginx maintnence.

Yeah, welcome to the world of typoes. You'll see, we live very well
with them! ;-)

> Changes include:
>   - Update nginx to the latest LTS release.
>   - Update nginx naxsi, dav-ext, and modsecurity.
> 
> The nginx-upload package also has updates, however, the current nginx-upload url
> points to a fork of nginx-upload-module. The official project URL is fdintino
> not vkholodkov. Should this be changed to fdintino and the version changed to
> 4423994c7d8fb491d95867f6af968585d949e7a9?

Given the explanations by Roberts, I think it would be a good idea to
switch back to the official repo, yes.

Also, given Baruch review and mine, I've marked the series as changes
requested.

Thanks!

Regards,
Yann E. MORIN.

> Adam
> 
> Adam Duskett (5):
>   package/nginx: bump version to 1.20.1
>   package/nginx: add stream_set_module support
>   package/nginx-naxsi: bump version to 1.3
>   package/nginx-dav-ext: bump version to 3.0.0
>   package/nginx-modsecurity: bump to  version 1.0.2
> 
>  package/nginx-dav-ext/nginx-dav-ext.hash      |  4 +-
>  package/nginx-dav-ext/nginx-dav-ext.mk        |  2 +-
>  .../nginx-modsecurity/nginx-modsecurity.hash  |  6 +--
>  .../nginx-modsecurity/nginx-modsecurity.mk    |  2 +-
>  package/nginx-naxsi/nginx-naxsi.hash          |  4 +-
>  package/nginx-naxsi/nginx-naxsi.mk            |  6 +--
>  ...ture_run_force_result-for-each-featu.patch | 40 ++++++++-----------
>  ...ake-sys_nerr-guessing-cross-friendly.patch | 27 ++++++-------
>  ...to-os-linux-fix-build-with-libxcrypt.patch |  2 +-
>  ...ff-by-one-write-in-ngx_resolver_copy.patch | 40 -------------------
>  package/nginx/Config.in                       |  6 +++
>  package/nginx/nginx.hash                      |  4 +-
>  package/nginx/nginx.mk                        |  6 ++-
>  13 files changed, 55 insertions(+), 94 deletions(-)
>  delete mode 100644 package/nginx/0010-Resolver-fixed-off-by-one-write-in-ngx_resolver_copy.patch
> 
> -- 
> 2.31.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 0/5] nginx updates

[Yann E. MORIN]

Robert, All,

On 2021-06-28 18:02 +0000, Robert Hancock via buildroot spake thusly:
> On Mon, 2021-06-28 at 09:16 -0700, Adam Duskett wrote:
> > Just some nginx maintnence.
[--SNIP--]
> > The nginx-upload package also has updates, however, the current nginx-upload
> > url
> > points to a fork of nginx-upload-module. The official project URL is fdintino
> > not vkholodkov. Should this be changed to fdintino and the version changed to
> > 4423994c7d8fb491d95867f6af968585d949e7a9?
> 
> I believe at one point the fdintino repository was quite behind and was missing
> a bunch of features like HTTP/2 support that were in the vkholodkov fork. It
> looks like the vkholodkov version is only 1 commit ahead of fdintino right now
> however, so we might be able to switch to the "official" version.

Thanks for the explanations. :-)

Would you be willing to send a patch doing the switch, then?

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH 0/5] nginx updates

[Adam Duskett]

After the v2 patch series is approved (or marked as Changed requested)
I can also update nginx-upload.

Adam

On Wed, Jun 30, 2021 at 2:16 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Robert, All,
>
> On 2021-06-28 18:02 +0000, Robert Hancock via buildroot spake thusly:
> > On Mon, 2021-06-28 at 09:16 -0700, Adam Duskett wrote:
> > > Just some nginx maintnence.
> [--SNIP--]
> > > The nginx-upload package also has updates, however, the current nginx-upload
> > > url
> > > points to a fork of nginx-upload-module. The official project URL is fdintino
> > > not vkholodkov. Should this be changed to fdintino and the version changed to
> > > 4423994c7d8fb491d95867f6af968585d949e7a9?
> >
> > I believe at one point the fdintino repository was quite behind and was missing
> > a bunch of features like HTTP/2 support that were in the vkholodkov fork. It
> > looks like the vkholodkov version is only 1 commit ahead of fdintino right now
> > however, so we might be able to switch to the "official" version.
>
> Thanks for the explanations. :-)
>
> Would you be willing to send a patch doing the switch, then?
>
> Regards,
> Yann E. MORIN.
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'