Re: [Buildroot] [PATCH] package/nginx: security update to 1.26.1

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Waldemar Brodkorb <wbx@openadk.org>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/nginx: security update to 1.26.1
Date: Mon, 5 Aug 2024 15:55:19 +0200	[thread overview]
Message-ID: <20240805155519.2f15b386@windsurf> (raw)
In-Reply-To: <ZrDNQvSIPQNosVmQ@waldemar-brodkorb.de>

Hello Waldemar,

On Mon, 5 Aug 2024 15:01:54 +0200
Waldemar Brodkorb <wbx@openadk.org> wrote:

> See here for a Changelog and CVE's:
> http://nginx.org/en/CHANGES-1.26
> 
> Patch 0006 is no longer required as the openssl library is found without
> this patch, which does not apply anymore.
> 
> Patch 0009 is no longer required as it was fixed in another way upstream:
> https://hg.nginx.org/nginx/rev/fb989e24c60a
> 
> Patch 0011 is upstream:
> https://hg.nginx.org/nginx/rev/f58b6f636238
> 
> Reorder the remaining patches and update .checkpackageignore accordingly.
> 
> Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
> ---
>  .checkpackageignore                           |   8 +-
>  ...-auto-lib-libgd-conf-use-pkg-config.patch} |   0
>  ...auto-lib-openssl-conf-use-pkg-config.patch | 251 ------------------
>  ...inux_config.h-only-include-dlfcn.h-.patch} |   0
>  ...of-endianness-for-cross-compilation.patch} |   0
>  ...to-os-linux-fix-build-with-libxcrypt.patch |  38 ---
>  ...ix-compile-error-in-configure-script.patch |  33 ---
>  package/nginx/nginx.hash                      |   2 +-
>  package/nginx/nginx.mk                        |   2 +-
>  9 files changed, 5 insertions(+), 329 deletions(-)
>  rename package/nginx/{0007-auto-lib-libgd-conf-use-pkg-config.patch => 0006-auto-lib-libgd-conf-use-pkg-config.patch} (100%)
>  delete mode 100644 package/nginx/0006-auto-lib-openssl-conf-use-pkg-config.patch
>  rename package/nginx/{0008-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch => 0007-src-os-unix-ngx_linux_config.h-only-include-dlfcn.h-.patch} (100%)
>  rename package/nginx/{0010-Allow-forcing-of-endianness-for-cross-compilation.patch => 0008-Allow-forcing-of-endianness-for-cross-compilation.patch} (100%)
>  delete mode 100644 package/nginx/0009-auto-os-linux-fix-build-with-libxcrypt.patch
>  delete mode 100644 package/nginx/0011-Fix-compile-error-in-configure-script.patch

This update breaks legal-info:

ERROR: while checking hashes from package/nginx/nginx.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: ececed0b0e7243a4766cbc62b26df4bd3513b41de3a07425da1679c836d06320
ERROR: got     : f19c4caea60247490199c5a6d0134281e3fb20b3d7577e6873c628597f5381d9
ERROR: Incomplete download, or man-in-the-middle (MITM) attack

(the change of the license file hash must be explained in the commit
message)

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot