[Buildroot] [PATCH] package/psmisc: bump to version 23.7

[Buildroot] [PATCH] package/psmisc: bump to version 23.7

[Shubham Chakraborty]

- Fix --disable-statx build option
- fuser: Add stat() fallback, ignore EACCES errors
- pstree: Fix assumption about root PID
- killall: Output formatting fixes
- Update gettext to 0.21

https://gitlab.com/psmisc/psmisc/-/tags/v23.7

Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
---
 package/psmisc/psmisc.hash | 5 +----
 package/psmisc/psmisc.mk   | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/package/psmisc/psmisc.hash b/package/psmisc/psmisc.hash
index fe146f90c9..646c01b3c6 100644
--- a/package/psmisc/psmisc.hash
+++ b/package/psmisc/psmisc.hash
@@ -1,6 +1,3 @@
 # From https://sourceforge.net/projects/psmisc/files/psmisc/
-md5  014f0b5d5ab32478a2c57812ad01e1fb  psmisc-23.5.tar.xz
-sha1  a16073f459a19288c1ea2b413a84e1b996cab595  psmisc-23.5.tar.xz
-# Locally computed:
-sha256  dc37ecc2f7e4a90a94956accc6e1c77adb71316b7c9cbd39b26738db0c3ae58b  psmisc-23.5.tar.xz
+sha256  58c55d9c1402474065adae669511c191de374b0871eec781239ab400b907c327  psmisc-23.7.tar.xz
 sha256  dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa  COPYING
diff --git a/package/psmisc/psmisc.mk b/package/psmisc/psmisc.mk
index 3229184459..85caf30653 100644
--- a/package/psmisc/psmisc.mk
+++ b/package/psmisc/psmisc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PSMISC_VERSION = 23.5
+PSMISC_VERSION = 23.7
 PSMISC_SITE = http://downloads.sourceforge.net/project/psmisc/psmisc
 PSMISC_SOURCE = psmisc-$(PSMISC_VERSION).tar.xz
 PSMISC_LICENSE = GPL-2.0+
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/psmisc: bump to version 23.7

[Julien Olivain via buildroot]

Hi Shubham,

Thanks for the patch.

On 18/04/2026 09:33, Shubham Chakraborty wrote:
> - Fix --disable-statx build option
> - fuser: Add stat() fallback, ignore EACCES errors
> - pstree: Fix assumption about root PID
> - killall: Output formatting fixes
> - Update gettext to 0.21
> 
> https://gitlab.com/psmisc/psmisc/-/tags/v23.7
> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> ---
>  package/psmisc/psmisc.hash | 5 +----
>  package/psmisc/psmisc.mk   | 2 +-
>  2 files changed, 2 insertions(+), 5 deletions(-)
> 
> diff --git a/package/psmisc/psmisc.hash b/package/psmisc/psmisc.hash
> index fe146f90c9..646c01b3c6 100644
> --- a/package/psmisc/psmisc.hash
> +++ b/package/psmisc/psmisc.hash
> @@ -1,6 +1,3 @@
>  # From https://sourceforge.net/projects/psmisc/files/psmisc/
> -md5  014f0b5d5ab32478a2c57812ad01e1fb  psmisc-23.5.tar.xz
> -sha1  a16073f459a19288c1ea2b413a84e1b996cab595  psmisc-23.5.tar.xz
> -# Locally computed:

Why are you removing the upstream hashes and the "Locally computed" 
comment?
Sourceforge upstream is still publishing md5 and sha1 (and not sha256).

Could you put back those upstream hashes please and send an updated 
patch please?

> -sha256  
> dc37ecc2f7e4a90a94956accc6e1c77adb71316b7c9cbd39b26738db0c3ae58b  
> psmisc-23.5.tar.xz
> +sha256  
> 58c55d9c1402474065adae669511c191de374b0871eec781239ab400b907c327  
> psmisc-23.7.tar.xz
>  sha256  
> dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa  
> COPYING
> diff --git a/package/psmisc/psmisc.mk b/package/psmisc/psmisc.mk
> index 3229184459..85caf30653 100644
> --- a/package/psmisc/psmisc.mk
> +++ b/package/psmisc/psmisc.mk
> @@ -4,7 +4,7 @@
>  #
>  
> ################################################################################
> 
> -PSMISC_VERSION = 23.5
> +PSMISC_VERSION = 23.7
>  PSMISC_SITE = http://downloads.sourceforge.net/project/psmisc/psmisc
>  PSMISC_SOURCE = psmisc-$(PSMISC_VERSION).tar.xz
>  PSMISC_LICENSE = GPL-2.0+
> --
> 2.53.0

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2] package/psmisc: bump to version 23.7

[Shubham Chakraborty]

- Fix --disable-statx build option
- fuser: Add stat() fallback, ignore EACCES errors
- pstree: Fix assumption about root PID
- killall: Output formatting fixes
- Update gettext to 0.21

https://gitlab.com/psmisc/psmisc/-/tags/v23.7

Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
---
 package/psmisc/psmisc.hash | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/psmisc/psmisc.hash b/package/psmisc/psmisc.hash
index 646c01b3c6..f16b95eee3 100644
--- a/package/psmisc/psmisc.hash
+++ b/package/psmisc/psmisc.hash
@@ -1,3 +1,6 @@
 # From https://sourceforge.net/projects/psmisc/files/psmisc/
+md5  53eae841735189a896d614cba440eb10  psmisc-23.7.tar.xz
+sha1  89046d35a8919def79200115c9cc78e91b98ad53  psmisc-23.7.tar.xz
+# Locally computed:
 sha256  58c55d9c1402474065adae669511c191de374b0871eec781239ab400b907c327  psmisc-23.7.tar.xz
 sha256  dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa  COPYING
-- 
2.54.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/psmisc: bump to version 23.7

[Marcus Hoffmann via buildroot]

Hi Shubham,

On 4/28/26 22:45, Shubham Chakraborty wrote:
> - Fix --disable-statx build option
> - fuser: Add stat() fallback, ignore EACCES errors
> - pstree: Fix assumption about root PID
> - killall: Output formatting fixes
> - Update gettext to 0.21
> 
> https://gitlab.com/psmisc/psmisc/-/tags/v23.7

As you are bumping the package from 23.5 -> 23.7, you should also 
include the changelog of the 23.6 release [1] in the commit description.

> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> ---
>   package/psmisc/psmisc.hash | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/package/psmisc/psmisc.hash b/package/psmisc/psmisc.hash
> index 646c01b3c6..f16b95eee3 100644
> --- a/package/psmisc/psmisc.hash
> +++ b/package/psmisc/psmisc.hash
> @@ -1,3 +1,6 @@
>   # From https://sourceforge.net/projects/psmisc/files/psmisc/
> +md5  53eae841735189a896d614cba440eb10  psmisc-23.7.tar.xz
> +sha1  89046d35a8919def79200115c9cc78e91b98ad53  psmisc-23.7.tar.xz
> +# Locally computed:

This patch does not apply. I assume it is currently based on top of your 
v1, but that is not how you should send a v2 patch. Any new version 
should contain all the previous changes.

Also it's nice to include a changelog in the new revision for what 
changed in the new revision (below a --- mark, so it's visible in the 
email but doesn't get included in the commit that gets applied).

See section "22.5.5. Patch revision changelog" in the manual[2]

 > [...]

Could you send a v3 with these changes incorporated?

Best,
Marcus

[1] https://gitlab.com/psmisc/psmisc/-/tags/v23.6
[2] https://nightly.buildroot.org/manual.html#submitting-patches

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3] package/psmisc: bump to version 23.7

[Shubham Chakraborty]

Changelog:
- v23.6:
  - buildsys: Fix DEJAGNU work-around (Debian #1015089)
  - killall: Use kill if pidfd_send_signal fails (Debian #1015228)
  - fuser: Do not mention nonexistent -reset option (#42)
  - fuser: Use modern statn where possible
  - pstree: Better AppArmor support (!30)
- v23.7:
  - Fix --disable-statx build option
  - fuser: Add stat() fallback, ignore EACCES errors
  - pstree: Fix assumption about root PID
  - killall: Output formatting fixes
  - Update gettext to 0.21

https://gitlab.com/psmisc/psmisc/-/tags/v23.6
https://gitlab.com/psmisc/psmisc/-/tags/v23.7

Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>

---
v2 -> v3:
- Include 23.6 changelog in commit message (Marcus Hoffmann)
- Squash into a single patch (Marcus Hoffmann)

v1 -> v2:
- Put back upstream md5 and sha1 hashes (Julien Olivain)
- Restore "Locally computed" comment (Julien Olivain)
---
 package/psmisc/psmisc.hash | 6 +++---
 package/psmisc/psmisc.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/psmisc/psmisc.hash b/package/psmisc/psmisc.hash
index fe146f90c9..f16b95eee3 100644
--- a/package/psmisc/psmisc.hash
+++ b/package/psmisc/psmisc.hash
@@ -1,6 +1,6 @@
 # From https://sourceforge.net/projects/psmisc/files/psmisc/
-md5  014f0b5d5ab32478a2c57812ad01e1fb  psmisc-23.5.tar.xz
-sha1  a16073f459a19288c1ea2b413a84e1b996cab595  psmisc-23.5.tar.xz
+md5  53eae841735189a896d614cba440eb10  psmisc-23.7.tar.xz
+sha1  89046d35a8919def79200115c9cc78e91b98ad53  psmisc-23.7.tar.xz
 # Locally computed:
-sha256  dc37ecc2f7e4a90a94956accc6e1c77adb71316b7c9cbd39b26738db0c3ae58b  psmisc-23.5.tar.xz
+sha256  58c55d9c1402474065adae669511c191de374b0871eec781239ab400b907c327  psmisc-23.7.tar.xz
 sha256  dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa  COPYING
diff --git a/package/psmisc/psmisc.mk b/package/psmisc/psmisc.mk
index 3229184459..85caf30653 100644
--- a/package/psmisc/psmisc.mk
+++ b/package/psmisc/psmisc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PSMISC_VERSION = 23.5
+PSMISC_VERSION = 23.7
 PSMISC_SITE = http://downloads.sourceforge.net/project/psmisc/psmisc
 PSMISC_SOURCE = psmisc-$(PSMISC_VERSION).tar.xz
 PSMISC_LICENSE = GPL-2.0+
-- 
2.54.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH] package/nginx: bump to version 1.29.7

[Shubham Chakraborty]

- Security fixes: CVE-2026-27654, CVE-2026-27784, CVE-2026-32647,
  CVE-2026-27651, CVE-2026-28753, CVE-2026-28755
- Feature: Multipath TCP support via "multipath" parameter
- Feature: "local" parameter of the "keepalive" directive in upstream block
- Change: keepalive in upstream block now enabled by default
- Change: ngx_http_proxy_module supports keepalive by default;
  default proxy_http_version is now "1.1"; Connection header not sent by default
- Bugfix: invalid HTTP/2 request after switching to next upstream
  with buffered body in ngx_http_grpc_module
- Fix bootlin-sparc-uclibc build by adding -latomic when needed this caused
  build errors in "bootlin-sparc-uclibc [24/32]: FAILED"

https://nginx.org/en/CHANGES

Tested Using:
- utils/test-pkg -a -p nginx

Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
---
 package/nginx/nginx.hash |  4 ++--
 package/nginx/nginx.mk   | 13 ++++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
index 7b79036b20..6d2e957041 100644
--- a/package/nginx/nginx.hash
+++ b/package/nginx/nginx.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking pgp signature
-sha256  40e7a0916d121e8905ef50f2a738b675599e42b2224a582dd938603fed15788e  nginx-1.28.1.tar.gz
+sha256  673f8fb8c0961c44fbd9410d6161831453609b44063d3f2948253fc2b5692139  nginx-1.29.7.tar.gz
 # License files, locally calculated
-sha256  77c01620abf36ed747b7eca4bd271e49023fe3a8e2b3525bcf4b09c8e3aa28e4  LICENSE
+sha256  08845fe39e06b51dad7685c28140ab49577a86e947523e16b536a46caf89ad5c  LICENSE
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index 41490caee2..739d3cfe0f 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_VERSION = 1.28.1
+NGINX_VERSION = 1.29.7
 NGINX_SITE = https://nginx.org/download
 NGINX_LICENSE = BSD-2-Clause
 NGINX_LICENSE_FILES = LICENSE
@@ -16,8 +16,15 @@ NGINX_DEPENDENCIES = \
 NGINX_CONF_OPTS = \
 	--crossbuild=Linux::$(BR2_ARCH) \
 	--with-cc="$(TARGET_CC)" \
-	--with-cpp="$(TARGET_CC)" \
-	--with-ld-opt="$(TARGET_LDFLAGS)"
+	--with-cpp="$(TARGET_CC)"
+
+NGINX_LDFLAGS = $(TARGET_LDFLAGS)
+
+ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
+NGINX_LDFLAGS += -latomic
+endif
+
+NGINX_CONF_OPTS += --with-ld-opt="$(NGINX_LDFLAGS)"
 
 # www-data user and group are used for nginx. Because these user and group
 # are already set by buildroot, it is not necessary to redefine them.
-- 
2.54.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/nginx: bump to version 1.29.7

[Marcus Hoffmann via buildroot]

Hi Shubham,

On 4/29/26 19:08, Shubham Chakraborty wrote:
> - Security fixes: CVE-2026-27654, CVE-2026-27784, CVE-2026-32647,
>    CVE-2026-27651, CVE-2026-28753, CVE-2026-28755

If this version bump fixes security issues, it should be marked as such 
in the commit title.

> - Feature: Multipath TCP support via "multipath" parameter
> - Feature: "local" parameter of the "keepalive" directive in upstream block
> - Change: keepalive in upstream block now enabled by default
> - Change: ngx_http_proxy_module supports keepalive by default;
>    default proxy_http_version is now "1.1"; Connection header not sent by default
> - Bugfix: invalid HTTP/2 request after switching to next upstream
>    with buffered body in ngx_http_grpc_module
> - Fix bootlin-sparc-uclibc build by adding -latomic when needed this caused
>    build errors in "bootlin-sparc-uclibc [24/32]: FAILED"
> 
> https://nginx.org/en/CHANGES

I don't understand why you are updating this to 1.29.7 though. The 
latest *mainline* version is 1.29.8, which was released over 3 weeks 
ago. But also we are currently deliberately using the *stable* releases 
of nginx[1], which also recently got a new release with 1.30.0.
Bernd already sent a patch for updating to that[2], but I think we 
should update to 1.28.3 before.


[1] 
https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#stable-and-mainline-versions
[2] https://patchwork.ozlabs.org/comment/3683711/

> 
> Tested Using:
> - utils/test-pkg -a -p nginx
> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> ---
Best,
Marcus
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH] package/nginx: bump to version 1.29.7

[Shubham Chakraborty]

[-- Attachment #1.1: Type: text/plain, Size: 2219 bytes --]

Hi Marcus,

My mistake on the version choice. I missed the latest mainline and stable
releases.

I will update the commit title to reflect the security fixes.

Regarding the version, I thought bumping to the latest available release
(1.29.7) was the goal, but I see the preference for 1.28.3 first, given
Bernd's patch.

I will withdraw this patch and prepare a new one for 1.28.3, ensuring the
security fixes are noted in the subject.

Best regards,
Shubham

On Thu, 30 Apr, 2026, 12:19 am Marcus Hoffmann, <buildroot@bubu1.eu> wrote:

> Hi Shubham,
>
> On 4/29/26 19:08, Shubham Chakraborty wrote:
> > - Security fixes: CVE-2026-27654, CVE-2026-27784, CVE-2026-32647,
> >    CVE-2026-27651, CVE-2026-28753, CVE-2026-28755
>
> If this version bump fixes security issues, it should be marked as such
> in the commit title.
>
> > - Feature: Multipath TCP support via "multipath" parameter
> > - Feature: "local" parameter of the "keepalive" directive in upstream
> block
> > - Change: keepalive in upstream block now enabled by default
> > - Change: ngx_http_proxy_module supports keepalive by default;
> >    default proxy_http_version is now "1.1"; Connection header not sent
> by default
> > - Bugfix: invalid HTTP/2 request after switching to next upstream
> >    with buffered body in ngx_http_grpc_module
> > - Fix bootlin-sparc-uclibc build by adding -latomic when needed this
> caused
> >    build errors in "bootlin-sparc-uclibc [24/32]: FAILED"
> >
> > https://nginx.org/en/CHANGES
>
> I don't understand why you are updating this to 1.29.7 though. The
> latest *mainline* version is 1.29.8, which was released over 3 weeks
> ago. But also we are currently deliberately using the *stable* releases
> of nginx[1], which also recently got a new release with 1.30.0.
> Bernd already sent a patch for updating to that[2], but I think we
> should update to 1.28.3 before.
>
>
> [1]
>
> https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#stable-and-mainline-versions
> [2] https://patchwork.ozlabs.org/comment/3683711/
>
> >
> > Tested Using:
> > - utils/test-pkg -a -p nginx
> >
> > Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> > ---
> Best,
> Marcus
>

[-- Attachment #1.2: Type: text/html, Size: 3311 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3] package/psmisc: bump to version 23.7

[Marcus Hoffmann via buildroot]

On 4/29/26 15:06, Shubham Chakraborty wrote:
> Changelog:
> - v23.6:
>    - buildsys: Fix DEJAGNU work-around (Debian #1015089)
>    - killall: Use kill if pidfd_send_signal fails (Debian #1015228)
>    - fuser: Do not mention nonexistent -reset option (#42)
>    - fuser: Use modern statn where possible
>    - pstree: Better AppArmor support (!30)
> - v23.7:
>    - Fix --disable-statx build option
>    - fuser: Add stat() fallback, ignore EACCES errors
>    - pstree: Fix assumption about root PID
>    - killall: Output formatting fixes
>    - Update gettext to 0.21
> 
> https://gitlab.com/psmisc/psmisc/-/tags/v23.6
> https://gitlab.com/psmisc/psmisc/-/tags/v23.7
> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> 
> ---
Applied to master, thanks!
Marcus
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2] package/nginx: security bump to version 1.28.3

[Shubham Chakraborty]

Fixes the following security issues:
- CVE-2026-27654: Buffer overflow in ngx_http_dav_module when using the
  alias directive with WebDAV COPY or MOVE requests.
- CVE-2026-27784 & CVE-2026-32647: Buffer overflows in ngx_http_mp4_module
  when processing specially crafted MP4 files.
- CVE-2026-27651: NULL pointer dereference in the mail proxy module
  during CRAM-MD5 or APOP authentication retries.
- CVE-2026-28753: DNS PTR record manipulation in auth_http or SMTP proxy.
- CVE-2026-28755: OCSP certificate check bypass in the stream module.

For a full list of changes, see:
https://nginx.org/en/CHANGES-1.28

---
v1 -> v2:
  - Bump to 1.28.3 (stable) instead of 1.29.7 (mainline) as requested
    by Marcus Hoffmann.
  - Highlight security fixes in the commit message.

Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
---
 package/nginx/nginx.hash | 2 +-
 package/nginx/nginx.mk   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
index 7b79036b20..1d11937987 100644
--- a/package/nginx/nginx.hash
+++ b/package/nginx/nginx.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking pgp signature
-sha256  40e7a0916d121e8905ef50f2a738b675599e42b2224a582dd938603fed15788e  nginx-1.28.1.tar.gz
+sha256  2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918  nginx-1.28.3.tar.gz
 # License files, locally calculated
 sha256  77c01620abf36ed747b7eca4bd271e49023fe3a8e2b3525bcf4b09c8e3aa28e4  LICENSE
diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
index 41490caee2..a8b7ee7319 100644
--- a/package/nginx/nginx.mk
+++ b/package/nginx/nginx.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_VERSION = 1.28.1
+NGINX_VERSION = 1.28.3
 NGINX_SITE = https://nginx.org/download
 NGINX_LICENSE = BSD-2-Clause
 NGINX_LICENSE_FILES = LICENSE
-- 
2.54.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/nginx: security bump to version 1.28.3

[Marcus Hoffmann via buildroot]

Hi Shubham,

On 4/30/26 07:40, Shubham Chakraborty wrote:
> Fixes the following security issues:
> - CVE-2026-27654: Buffer overflow in ngx_http_dav_module when using the
>    alias directive with WebDAV COPY or MOVE requests.
> - CVE-2026-27784 & CVE-2026-32647: Buffer overflows in ngx_http_mp4_module
>    when processing specially crafted MP4 files.
> - CVE-2026-27651: NULL pointer dereference in the mail proxy module
>    during CRAM-MD5 or APOP authentication retries.
> - CVE-2026-28753: DNS PTR record manipulation in auth_http or SMTP proxy.
> - CVE-2026-28755: OCSP certificate check bypass in the stream module.
> 
> For a full list of changes, see:
> https://nginx.org/en/CHANGES-1.28
> 
> ---
> v1 -> v2:
>    - Bump to 1.28.3 (stable) instead of 1.29.7 (mainline) as requested
>      by Marcus Hoffmann.
>    - Highlight security fixes in the commit message.
> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> ---
Your sign-off needs to be above the first --- line which separates the 
commit message from additional patch commentary.

I moved it up while applying.

Marcus

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/nginx: security bump to version 1.28.3

[Shubham Chakraborty]

[-- Attachment #1.1: Type: text/plain, Size: 1413 bytes --]

Hi Marcus,

Thanks for applying the patch and for correcting the sign-off placement.
I'll make sure to follow that convention going forward.

Best regards,
Shubham

On Mon, 4 May, 2026, 2:01 pm Marcus Hoffmann, <buildroot@bubu1.eu> wrote:

> Hi Shubham,
>
> On 4/30/26 07:40, Shubham Chakraborty wrote:
> > Fixes the following security issues:
> > - CVE-2026-27654: Buffer overflow in ngx_http_dav_module when using the
> >    alias directive with WebDAV COPY or MOVE requests.
> > - CVE-2026-27784 & CVE-2026-32647: Buffer overflows in
> ngx_http_mp4_module
> >    when processing specially crafted MP4 files.
> > - CVE-2026-27651: NULL pointer dereference in the mail proxy module
> >    during CRAM-MD5 or APOP authentication retries.
> > - CVE-2026-28753: DNS PTR record manipulation in auth_http or SMTP proxy.
> > - CVE-2026-28755: OCSP certificate check bypass in the stream module.
> >
> > For a full list of changes, see:
> > https://nginx.org/en/CHANGES-1.28
> >
> > ---
> > v1 -> v2:
> >    - Bump to 1.28.3 (stable) instead of 1.29.7 (mainline) as requested
> >      by Marcus Hoffmann.
> >    - Highlight security fixes in the commit message.
> >
> > Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> > ---
> Your sign-off needs to be above the first --- line which separates the
> commit message from additional patch commentary.
>
> I moved it up while applying.
>
> Marcus
>
>

[-- Attachment #1.2: Type: text/html, Size: 2115 bytes --]

[-- Attachment #2: Type: text/plain, Size: 150 bytes --]

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2] package/nginx: security bump to version 1.28.3

[Thomas Perale via buildroot]

In reply of:
> Fixes the following security issues:
> - CVE-2026-27654: Buffer overflow in ngx_http_dav_module when using the
>   alias directive with WebDAV COPY or MOVE requests.
> - CVE-2026-27784 & CVE-2026-32647: Buffer overflows in ngx_http_mp4_module
>   when processing specially crafted MP4 files.
> - CVE-2026-27651: NULL pointer dereference in the mail proxy module
>   during CRAM-MD5 or APOP authentication retries.
> - CVE-2026-28753: DNS PTR record manipulation in auth_http or SMTP proxy.
> - CVE-2026-28755: OCSP certificate check bypass in the stream module.
> 
> For a full list of changes, see:
> https://nginx.org/en/CHANGES-1.28
> 

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
> v1 -> v2:
>   - Bump to 1.28.3 (stable) instead of 1.29.7 (mainline) as requested
>     by Marcus Hoffmann.
>   - Highlight security fixes in the commit message.
> 
> Signed-off-by: Shubham Chakraborty <chakrabortyshubham66@gmail.com>
> ---
>  package/nginx/nginx.hash | 2 +-
>  package/nginx/nginx.mk   | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/nginx/nginx.hash b/package/nginx/nginx.hash
> index 7b79036b20..1d11937987 100644
> --- a/package/nginx/nginx.hash
> +++ b/package/nginx/nginx.hash
> @@ -1,4 +1,4 @@
>  # Locally calculated after checking pgp signature
> -sha256  40e7a0916d121e8905ef50f2a738b675599e42b2224a582dd938603fed15788e  nginx-1.28.1.tar.gz
> +sha256  2c96a946bfb0882a21744ed429770a2123ae1828c7c48665092993ddee91a918  nginx-1.28.3.tar.gz
>  # License files, locally calculated
>  sha256  77c01620abf36ed747b7eca4bd271e49023fe3a8e2b3525bcf4b09c8e3aa28e4  LICENSE
> diff --git a/package/nginx/nginx.mk b/package/nginx/nginx.mk
> index 41490caee2..a8b7ee7319 100644
> --- a/package/nginx/nginx.mk
> +++ b/package/nginx/nginx.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -NGINX_VERSION = 1.28.1
> +NGINX_VERSION = 1.28.3
>  NGINX_SITE = https://nginx.org/download
>  NGINX_LICENSE = BSD-2-Clause
>  NGINX_LICENSE_FILES = LICENSE
> -- 
> 2.54.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot