Created attachment 260997
update www/angie 1.8.1 -> 1.9.1

The attached diff brings angie to the current version 1.9.1, which includes amongst many bugfixes also this security fix:

Angie 1.8.2
- Security: Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
[...]

I couldn't catch any 'testport' errors for www/angie and www/angie-modules-* ports (on 14.2-RELEASE with quarterly and latest ports tree) and the new angie version has been running for 2 days on a rather busy reverse-proxy without issues.

Full list of changes (taken from https://github.com/webserver-llc/angie/releases):

(1.8.2)
- Security: Insufficient validation while handling virtual servers with TLSv1.3 SNI allowed SSL sessions to be reused in a different virtual server, bypassing client SSL certificate verification (CVE-2025-23419); the fix was ported from nginx 1.27.4.
- Bugfix: API requests to retrieve statistic values from an individual zone, which was set via variables, could cause a worker process to enter an infinite loop.
- Bugfix: HTTP/3 requests were not counted in zone statistics; the bug had appeared in 1.8.0.
- Bugfix: TLS handshakes using QUIC protocol were not counted in SSL statistics.
- Bugfix: Certificate renewal via the ACME protocol could fail for server names prefixed with a dot in the server_name directive.

(1.8.3)
- Bugfix: The server statistics in the HTTP module's server block could be miscalculated if requests within the same connection belonged to different statistics zones, or if an error occurred during early request processing; the bug had appeared in 1.8.2.

(1.9.0)
- Feature: The ability to specify a file in the proxy_cache_path directive, where the contents of the shared memory zone with the cache index will be saved between server startups; this eliminates the need to reload the cache after a restart and allows the server to come back online almost immediately.
- Feature: Support of TLS 1.3 Early Data (0-RTT) in the stream module using the ssl_early_data directive.
- Feature: New busy state for upstream peers in the statistics API, indicating that a peer has reached the limit configured by the max_conns option.
- Feature: The uri= parameter in the acme_hook directive allows redefining the hook request URI and supports variables.
- Feature: The renew_on_load parameter of the acme_client directive allows forcing certificate renewal on config load.
- Feature: Build time is now displayed via the build_time field of the /status/angie statistics API object and in the output of the -V command-line option.
- Feature: All functionality of nginx 1.27.4, except for the keepalive_min_timeout directive (a similar feature has existed since version 1.8.0).
- Change: The enabled=off parameter in the acme_client directive now disables only certificate renewal for the given client while preserving all other functionality; the key and certificate (if available) can be accessed via the $acme_cert_* variables, while the use of $acme_hook_* variables and the acme directives doesn't cause errors.
- Change: The "no valid domain name defined for ACME client" error is now issued only if no valid (i.e., ACME-compliant) domain name is found in the server block that references an ACME client using the acme directive.
- Bugfix: If built with NTLS support, inheritance of the proxy_ssl_certificate and proxy_ssl_certificate_key directives with variables did not work properly.

(1.9.1)
- Feature: Support for IP addresses along with port numbers in the acme_dns_port directive; both IPv4 and IPv6 are allowed.
- Bugfix: Using both a wildcard domain and matching third-level domains in server_name directives could cause the ACME server to fail when issuing a certificate for these domains under a single ACME client.
- Bugfix: In the stream module, after a successful connection to the proxied server during a passive check, its status in the statistics API was erroneously displayed as unavailable until the session ended.
- Bugfix: HTTP/3 requests might stall and time out; the fix was ported from nginx 1.29.0.
- Bugfix: An early error while establishing an HTTP/3 connection to a proxied server could cause a worker process to crash.
- Bugfix: When proxying via the HTTP/3 protocol, the number of active connections in the statistics could be displayed incorrectly.
Did you test at least the build of all modules? Check this PR for information: bug #282394.
Created attachment 261008
v1

Full list:

www/angie: Update 1.8.1 => 1.9.1
https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.2
https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.3
https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.0
https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.1
CVE-2025-23419

www/angie-module-auth-jwt

www/angie-module-auth-spnego: Update 1.1.2 => 1.1.3
https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.3

www/angie-module-brotli
www/angie-module-cache-purge
www/angie-module-dav-ext
www/angie-module-echo
www/angie-module-enhanced-memcached
www/angie-module-eval
www/angie-module-geoip2

www/angie-module-headers-more: Update 0.37 => 0.38
https://github.com/openresty/headers-more-nginx-module/releases/tag/v0.38

www/angie-module-image-filter

www/angie-module-jwt: Update 3.4.2 => 3.4.3
https://github.com/max-lt/nginx-jwt-module/releases/tag/v3.4.3

www/angie-module-keyval
www/angie-module-lua
www/angie-module-ndk

www/angie-module-njs: Update 0.8.9 => 0.9.0
https://github.com/nginx/njs/releases/tag/0.8.10
https://github.com/nginx/njs/releases/tag/0.9.0

www/angie-module-perl
www/angie-module-postgres
www/angie-module-redis2
www/angie-module-rtmp
www/angie-module-set-misc
www/angie-module-subs
www/angie-module-testcookie
www/angie-module-upload
www/angie-module-vod
www/angie-module-xslt

Tested build in poudriere 14.2 amd64. Waiting for maintainer.
(In reply to Vladimir Druzenko from comment #1)

As stated, I did a 'poudriere testport' of all modules and all went through without errors, except www/angie-module-auth-spnego, which won't build with anything else but openssl/GSSAPI=base. My buildhosts all use openssl from ports, and setting 'DEFAULT_VERSIONS+=ssl=base' and 'DEFAULT_VERSIONS+=GSSAPI=base' in the make.conf poudriere uses doesn't seem to work - at least the build process still complains about openssl being from ports and fails...

However, I didn't check if any of those modules also has newer versions available; this patch was only about bringing the angie port to the current version.
(In reply to Vladimir Druzenko from comment #2)

LGTM - 'poudriere testport'-ed www/angie and all modules (excl. spnego) touched by the patch on a 14.2-RELEASE buildhost with latest and quarterly ports tree. Thanks!
(In reply to Sebastian Oswald from comment #3)

All modules build fine for me with my patches, but runtime is not tested. Waiting for maintainer or 2 weeks timeout.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=015f3fb5086a6fc36520ae51d0d5c643908e3ed6

commit 015f3fb5086a6fc36520ae51d0d5c643908e3ed6
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:31:28 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 14:39:37 +0000

    www/angie-module-njs: Update 0.8.9 => 0.9.0

    Changelogs:
    https://github.com/nginx/njs/releases/tag/0.8.10
    https://github.com/nginx/njs/releases/tag/0.9.0

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

 www/angie-module-njs/Makefile | 2 +-
 www/angie/distinfo            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=118221cbc5a6d1cde6e441692857b4496351b36f

commit 118221cbc5a6d1cde6e441692857b4496351b36f
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:30:24 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 14:39:36 +0000

    www/angie-module-jwt: Update 3.4.2 => 3.4.3

    Changelog:
    https://github.com/max-lt/nginx-jwt-module/releases/tag/v3.4.3

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

 www/angie-module-jwt/Makefile | 2 +-
 www/angie/distinfo            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dddd3616414ad476275e7e8a2893c70e68912f82

commit dddd3616414ad476275e7e8a2893c70e68912f82
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:11:42 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 14:39:35 +0000

    www/angie: Update 1.8.1 => 1.9.1 (fixes CVE-2025-23419)

    Changelogs:
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.2
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.3
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.0
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.1

    Improve port:
    - Create/delete logs directory using hooks (author oleg@mamontov.net)
    - Fix indentations: replace spaces with tabs, remove unnecessary tabs
    - Fix warnings from portclippy - sort options
    - Reduce the number of if statements to determine master/slave

    PR: 287316 275300
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    Security: CVE-2025-23419
    MFH: 2025Q2

 www/angie/Makefile  | 227 ++++++++++++++++++++++++++--------------------------
 www/angie/distinfo  |   6 +-
 www/angie/pkg-plist |   8 +-
 3 files changed, 122 insertions(+), 119 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=acd5d1155d78ce772150b527e9eeb9ae69053b62

commit acd5d1155d78ce772150b527e9eeb9ae69053b62
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:28:23 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 14:39:36 +0000

    www/angie-module-headers-more: Update 0.37 => 0.38

    Changelog:
    https://github.com/openresty/headers-more-nginx-module/releases/tag/v0.38

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

 www/angie-module-headers-more/Makefile | 2 +-
 www/angie/distinfo                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bad5922b13603dc4ebeac6143ed5b30eeb98cf3f

commit bad5922b13603dc4ebeac6143ed5b30eeb98cf3f
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:25:52 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 14:39:35 +0000

    www/angie-module-auth-spnego: Update 1.1.2 => 1.1.3

    Changelog:
    https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.3

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

 www/angie-module-auth-spnego/Makefile | 2 +-
 www/angie/distinfo                    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=07a8e836473380a6b3d97527fb00bc9280e86cdb

commit 07a8e836473380a6b3d97527fb00bc9280e86cdb
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:25:52 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 15:12:16 +0000

    www/angie-module-auth-spnego: Update 1.1.2 => 1.1.3

    Changelog:
    https://github.com/stnoonan/spnego-http-auth-nginx-module/releases/tag/v1.1.3

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

    (cherry picked from commit bad5922b13603dc4ebeac6143ed5b30eeb98cf3f)

 www/angie-module-auth-spnego/Makefile | 2 +-
 www/angie/distinfo                    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8edf2da6799e7a4e50ab5b8a033d34613bd234ea

commit 8edf2da6799e7a4e50ab5b8a033d34613bd234ea
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:11:42 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 15:11:59 +0000

    www/angie: Update 1.8.1 => 1.9.1 (fixes CVE-2025-23419)

    Changelogs:
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.2
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.8.3
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.0
    https://github.com/webserver-llc/angie/releases/tag/Angie-1.9.1

    Improve port:
    - Create/delete logs directory using hooks (author oleg@mamontov.net)
    - Fix indentations: replace spaces with tabs, remove unnecessary tabs
    - Fix warnings from portclippy - sort options
    - Reduce the number of if statements to determine master/slave

    PR: 287316 275300
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    Security: CVE-2025-23419
    MFH: 2025Q2

    (cherry picked from commit dddd3616414ad476275e7e8a2893c70e68912f82)

 www/angie/Makefile  | 227 ++++++++++++++++++++++++++--------------------------
 www/angie/distinfo  |   6 +-
 www/angie/pkg-plist |   8 +-
 3 files changed, 122 insertions(+), 119 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8d4879e261acb1ee72ede36640a3038a1532360b

commit 8d4879e261acb1ee72ede36640a3038a1532360b
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:31:28 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 15:12:57 +0000

    www/angie-module-njs: Update 0.8.9 => 0.9.0

    Changelogs:
    https://github.com/nginx/njs/releases/tag/0.8.10
    https://github.com/nginx/njs/releases/tag/0.9.0

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

    (cherry picked from commit 015f3fb5086a6fc36520ae51d0d5c643908e3ed6)

 www/angie-module-njs/Makefile | 2 +-
 www/angie/distinfo            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=045990b9f5322e09d1c40114dad6eeae998039c2

commit 045990b9f5322e09d1c40114dad6eeae998039c2
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:28:23 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 15:12:41 +0000

    www/angie-module-headers-more: Update 0.37 => 0.38

    Changelog:
    https://github.com/openresty/headers-more-nginx-module/releases/tag/v0.38

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

    (cherry picked from commit acd5d1155d78ce772150b527e9eeb9ae69053b62)

 www/angie-module-headers-more/Makefile | 2 +-
 www/angie/distinfo                     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
A commit in branch 2025Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3ae4f9aaee843f52ba608c89f330acac6e3e39d8

commit 3ae4f9aaee843f52ba608c89f330acac6e3e39d8
Author: Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2025-06-19 14:30:24 +0000
Commit: Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2025-06-19 15:12:47 +0000

    www/angie-module-jwt: Update 3.4.2 => 3.4.3

    Changelog:
    https://github.com/max-lt/nginx-jwt-module/releases/tag/v3.4.3

    PR: 287316
    Approved by: oleg@mamontov.net (maintainer, timeout 2 weeks)
    MFH: 2025Q2

    (cherry picked from commit 118221cbc5a6d1cde6e441692857b4496351b36f)

 www/angie-module-jwt/Makefile | 2 +-
 www/angie/distinfo            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
Thanks.