Created attachment 260997
update www/angie 1.8.1 -> 1.9.1

The attached diff brings angie to the current version 1.9.1, which includes, amongst many bugfixes, also this security fix:

Angie 1.8.2
- Security: Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
[...]

I couldn't catch any 'testport' errors for www/angie and www/angie-modules-* ports (on 14.2-RELEASE with quarterly and latest ports tree), and the new angie version has been running for 2 days on a rather busy reverse-proxy without issues.

Full list of changes (taken from https://github.com/webserver-llc/angie/releases):

(1.8.2)
- Security: Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
- Bugfix: API requests to retrieve statistic values from an individual zone, which was set via variables, could cause a worker process to enter an infinite loop.
- Bugfix: HTTP/3 requests were not counted in zone statistics; the bug had appeared in 1.8.0.
- Bugfix: TLS handshakes using QUIC protocol were not counted in SSL statistics.
- Bugfix: Certificate renewal via the ACME protocol could fail for server names prefixed with a dot in the server_name directive.

(1.8.3)
- Bugfix: The server statistics in the HTTP module's server block could be miscalculated if requests within the same connection belonged to different statistics zones, or if an error occurred during early request processing; the bug had appeared in 1.8.2.

(1.9.0)
- Feature: The ability to specify a file in the proxy_cache_path directive, where the contents of the shared memory zone with the cache index will be saved between server startups; this eliminates the need to reload the cache after a restart and allows the server to come back online almost immediately.
- Feature: Support of TLS 1.3 Early Data (0-RTT) in the stream module using the ssl_early_data directive.
- Feature: New busy state for upstream peers in the statistics API, indicating that a peer has reached the limit configured by the max_conns option.
- Feature: The uri= parameter in the acme_hook directive allows redefining the hook request URI and supports variables.
- Feature: The renew_on_load parameter of the acme_client directive allows forcing certificate renewal on config load.
- Feature: Build time is now displayed via the build_time field of the /status/angie statistics API object and in the output of the -V command-line option.
- Feature: All functionality of nginx 1.27.4, except for the keepalive_min_timeout directive (a similar feature has existed since version 1.8.0).
- Change: The enabled=off parameter in the acme_client directive now disables only certificate renewal for the given client while preserving all other functionality; the key and certificate (if available) can be accessed via the $acme_cert_* variables, while the use of $acme_hook_* variables and the acme directives doesn't cause errors.
- Change: The "no valid domain name defined for ACME client" error is now issued only if no valid (i.e., ACME-compliant) domain name is found in the server block that references an ACME client using the acme directive.
- Bugfix: If built with NTLS support, inheritance of the proxy_ssl_certificate and proxy_ssl_certificate_key directives with variables did not work properly.

(1.9.1)
- Feature: Support for IP addresses along with port numbers in the acme_dns_port directive; both IPv4 and IPv6 are allowed.
- Bugfix: Using both a wildcard domain and matching third-level domains in server_name directives could cause the ACME server to fail when issuing a certificate for these domains under a single ACME client.
- Bugfix: In the stream module, after a successful connection to the proxied server during a passive check, its status in the statistics API was erroneously displayed as unavailable until the session ended.
- Bugfix: HTTP/3 requests might stall and time out; the fix was ported from nginx 1.29.0.
- Bugfix: An early error while establishing an HTTP/3 connection to a proxied server could cause a worker process to crash.
- Bugfix: When proxying via the HTTP/3 protocol, the number of active connections in the statistics could be displayed incorrectly.
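The practical question for anyone running this port is whether a given host already carries the 1.8.2 fix for CVE-2025-23419. The following script is an added example, not code from the bug report, the FreeBSD port or the Angie project: it parses `angie -V` output, extracts the version, and reports whether the build predates the fix. It assumes the version line has the form `Angie version: Angie/X.Y.Z` and that TLS support shows up in the configure arguments as `--with-http_ssl_module` / `--with-stream_ssl_module` (both modelled on nginx's `-V` output); the sample outputs embedded below are constructed, not captured from a real host.

```python
"""Check an Angie build for the CVE-2025-23419 fix from its `angie -V` output.

Added example, not part of the bug report or of the Angie project. Assumed
`-V` format (modelled on nginx): first line `Angie version: Angie/X.Y.Z`,
later a `configure arguments: ...` line. Sample outputs below are constructed.
"""
import re
import subprocess

# First version carrying the CVE-2025-23419 fix, per the 1.8.2 changelog.
FIXED_VERSION = (1, 8, 2)

_VERSION_RE = re.compile(r"Angie/(\d+)\.(\d+)\.(\d+)")


def parse_version(v_output: str) -> tuple:
    """Extract (major, minor, patch) from `angie -V` output; ValueError if absent."""
    m = _VERSION_RE.search(v_output)
    if not m:
        raise ValueError("no 'Angie/X.Y.Z' version string found in -V output")
    return tuple(int(x) for x in m.groups())


def has_tls(v_output: str) -> bool:
    """CVE-2025-23419 lives in the TLS/SNI code path; a build without an SSL
    module (assumed flag names, as in nginx) has no TLS listener to expose."""
    return ("--with-http_ssl_module" in v_output
            or "--with-stream_ssl_module" in v_output)


def assess(v_output: str) -> dict:
    """Verdict for one `-V` output: version, TLS presence, fixed/exposed flags."""
    version = parse_version(v_output)
    tls = has_tls(v_output)
    return {
        "version": ".".join(map(str, version)),
        "tls_built_in": tls,
        "fixed": version >= FIXED_VERSION,
        "exposed": tls and version < FIXED_VERSION,
    }


def check_local(binary: str = "angie") -> dict:
    """Run the installed binary; `-V` is written to stderr (as with nginx),
    so both streams are concatenated before parsing."""
    out = subprocess.run([binary, "-V"], capture_output=True, text=True, check=False)
    return assess(out.stderr + out.stdout)


# Constructed sample outputs for offline use (not captured from a real host).
SAMPLE_VULNERABLE = (
    "Angie version: Angie/1.8.1\n"
    "built with OpenSSL 3.0.15 3 Sep 2024\n"
    "TLS SNI support enabled\n"
    "configure arguments: --prefix=/usr/local --with-http_ssl_module "
    "--with-http_v2_module --with-stream\n"
)
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace("Angie/1.8.1", "Angie/1.9.1")
SAMPLE_NO_TLS = (
    "Angie version: Angie/1.8.1\n"
    "configure arguments: --prefix=/usr/local --without-http_rewrite_module\n"
)

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE),
                          ("fixed", SAMPLE_FIXED),
                          ("no-tls", SAMPLE_NO_TLS)):
        print(f"{label:10s} {assess(sample)}")
```

Run it as-is to see the three constructed verdicts, or call `check_local("/usr/local/sbin/angie")` on a FreeBSD host to assess the installed binary; `exposed` is only raised when the build both predates 1.8.2 and has an SSL module compiled in.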
Did you test at least the build of all modules? Check this PR for information: bug #282394.
Created attachment 261008
v1

Full list:

www/angie: Update 1.8.1 => 1.9.1
https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.2
https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.3
https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.0
https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.1
CVE-2025-23419

www/angie-module-auth-jwt
www/angie-module-auth-spnego: Update 1.1.2 => 1.1.3
https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.3
www/angie-module-brotli
www/angie-module-cache-purge
www/angie-module-dav-ext
www/angie-module-echo
www/angie-module-enhanced-memcached
www/angie-module-eval
www/angie-module-geoip2
www/angie-module-headers-more: Update 0.37 => 0.38
https://github.com/openresty/headers-more-nginx-module/releases/tag/v0.38
www/angie-module-image-filter
www/angie-module-jwt: Update 3.4.2 => 3.4.3
https://github.com/max-lt/nginx-jwt-module/releases/tag/v3.4.3
www/angie-module-keyval
www/angie-module-lua
www/angie-module-ndk
www/angie-module-njs: Update 0.8.9 => 0.9.0
https://github.com/nginx/njs/releases/tag/0.8.10
https://github.com/nginx/njs/releases/tag/0.9.0
www/angie-module-perl
www/angie-module-postgres
www/angie-module-redis2
www/angie-module-rtmp
www/angie-module-set-misc
www/angie-module-subs
www/angie-module-testcookie
www/angie-module-upload
www/angie-module-vod
www/angie-module-xslt

Tested build in poudriere 14.2 amd64. Waiting for maintainer.
(In reply to Vladimir Druzenko from comment #1) As stated, I did a 'poudriere testport' of all modules and all went through without errors, except www/angie-module-auth-spnego, which won't build with anything else but openssl/GSSAPI=base. My buildhosts all use openssl from ports, and setting 'DEFAULT_VERSIONS+=ssl=base' and 'DEFAULT_VERSIONS+=GSSAPI=base' in the make.conf poudriere uses doesn't seem to work - at least the build process still complains about openssl being from ports and fails... However, I didn't check if any of those modules also has newer versions available; this patch was only about bringing the angie port to the current version.
(In reply to Vladimir Druzenko from comment #2) LGTM - 'poudriere testport'-ed www/angie and all modules (excl. spnego) touched by the patch on a 14.2-RELEASE buildhost with latest and quarterly ports tree. Thanks!
(In reply to Sebastian Oswald from comment #3) Builds fine for me, all modules, with my patches. But runtime not tested. Waiting for maintainer or 2 weeks timeout.